FA Magazine October 2024 | Page 38

untrained employees, vendors, etc.—can easily misuse access to the company to steal information and assets.
Clients are target vectors because they have poor personal cybersecurity. When their personal email and texts are compromised, their accounts can be used to generate messages to infect their wealth manager’s systems or initiate fraudulent transactions. If they don’t protect their social media accounts, these can be used to create voice and image clones so that the scammers can pose as clients. And breached client home networks are regularly used to compromise devices and online accounts.
The easiest way for cybercriminals to breach a remote employee’s device is through smart technology connected to a home network. Breaching a single device can effectively compromise everything—including work devices—connected to the system.
The default settings for most devices, as well as certain web browsers and search engines, automatically record users’ IDs and passwords for every account they access. So if a cybercriminal breaches a device that is not properly protected, they can access the credentials for hundreds of accounts.
Foundational Cybersecurity Defenses
Wealth management firms trying to build their cybersecurity defenses should start with three layers of foundational defenses, made up of several sublayers.
EXHIBIT 1: Foundational Cybersecurity Defenses (layers shown: Direct Attack Defenses; Indirect Attack Defenses; Damage Reduction Defenses; Information Systems)
These would be the same for firms of any size or business model. (See exhibit 1.)
Layer I — Direct Attack Defenses
The first line of defense against a direct attack is a correctly constructed and maintained IT system.
• This system requires firms to use multi-factor authentication.
• It limits access to company systems.
• It requires conducting cyber-diligence on all vendors.
• It means filtering emails.
• It requires regularly and systematically updating software patches.
• It requires firms to follow protocols for working remotely.
• It means using active directory/service accounts and properly maintaining web domains.
• And it means having integrated incident response and disaster recovery backup plans.
If a CEO discovers that these measures are not already in place, they should seriously consider the competency and adequacy of their IT staff or the third-party technology provider they use.
Layer II — Indirect Attack Defenses
There are four sublayers of indirect attack defenses. (See exhibit 2.)
EXHIBIT 2: Indirect Attack Defenses (sublayers shown: Client Cybersecurity; Risk-Based Interaction; Employee Cybersecurity; Insider Threat Management; Information Systems)
Sublayer 1 — Client Cybersecurity: Wealth managers wanting to defend themselves against indirect attacks must persuade their clients to be more responsible when they’re online. This can be difficult if the demands are onerous or if the clients are asked to invest large amounts of time or money (it’s easier to get employees to comply). Given the possible resistance from clients, the personal cybersecurity programs you choose must have the following characteristics:
• They must have a quick and painless setup process.
• The programs must not greatly complicate a user’s ability to function online.
• They must be reasonably priced.
• They should neither track what users do online nor allow outsiders to access any of their passwords.
Sublayer 2 — The Risks Of Client Interaction: Wealth managers must assess the personal cybersecurity of each of their clients and then use different protocols for interacting with them based on that assessment.
For those clients with poor personal cybersecurity, firms must separately contact them using alternative channels and personal questions to confirm their identity before even opening emails or text messages. Advisors must also take extraordinary steps to confirm their clients’ identities before initiating a transfer of assets to new accounts or financial institutions.
Sublayer 3 — Employee Cybersecurity: Your employees’ cybersecurity will require training and education and will apply to the precautions they take at work as well as the personal precautions they take at home.
Sublayer 4 — Insider Threats: There are three aspects to insider threat management:
• Advisors must limit the access to clients’ non-public personal information, letting only those who need to know it have access and allowing only those who need to use it to download it.
• Advisors must also monitor their new employees’ online behavior and limit the access of departing employees.
• And finally, advisors should keep all devices with sensitive client information in a secure room with limited access.
Layer III — Damage Reduction
As we noted before, every firm at some point will be breached. That means it’s essential for advisors to take steps to reduce any potential damage. There are two