FA Magazine October 2024 | Page 39

TECHNOLOGY & OPERATIONS
sublayers of such defenses. (See exhibit 3.)
Sublayer 1 — Non-Public Personal Information: Wealth managers should make it too complicated to steal this information: They should delete any unnecessary client information. They should store all online client information in the cloud. And they should segment and compartmentalize that information.
Sublayer 2 — Asset Transfers: Cybercriminals are able to take over the phone numbers of their victims through what’s called “SIM-swapping,” in which all calls and text messages are diverted to them. This attack, alongside the widespread use of deep fakes, has made traditional means of verifying transactions obsolete. So wealth managers will have to take three steps for risk-controlling asset transfers.
First, they should only immediately transfer assets to pre-existing known client accounts and store the wiring instructions for those accounts offline. Second, all other asset transfers will require significant additional diligence. Lastly, clients must be educated on why it will take much more time to wire money to new recipients.
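The three-step asset-transfer control described above, as an added example that is not from the article or its authors: a Python gate that releases wires only to pre-existing known accounts, discounts phone-delivered confirmations for new recipients (the SIM-swap point), and holds new recipients for additional diligence. The hold period, confirmation count and sample accounts are assumed values, not figures from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Channels an attacker controls after a SIM swap; on their own they never
# verify a transfer to a new recipient.
PHONE_BASED = {"sms", "voice_callback"}
# Cooling-off period and number of non-phone confirmations required for a
# new recipient (assumed values; the article gives none).
NEW_PAYEE_HOLD = timedelta(days=3)
REQUIRED_CONFIRMATIONS = 2

@dataclass(frozen=True)
class KnownAccount:
    client_id: str
    account_ref: str  # key into the offline store holding the wiring instructions

@dataclass
class TransferRequest:
    client_id: str
    account_ref: str
    amount: float
    requested: datetime
    verifications: set = field(default_factory=set)  # channels used to confirm

def decide_transfer(req, known_accounts, now):
    """Classify a wire request as ('release', why) or ('hold', why)."""
    if any(k.client_id == req.client_id and k.account_ref == req.account_ref
           for k in known_accounts):
        return "release", "pre-existing known account; instructions come from offline store"
    strong = req.verifications - PHONE_BASED  # phone-delivered confirmations are discounted
    if len(strong) < REQUIRED_CONFIRMATIONS:
        return "hold", f"new recipient: {len(strong)}/{REQUIRED_CONFIRMATIONS} non-phone confirmations"
    if now - req.requested < NEW_PAYEE_HOLD:
        return "hold", "new recipient: still inside cooling-off period"
    return "release", "new recipient cleared additional diligence"

# Constructed sample data (not real clients or accounts).
KNOWN = [KnownAccount("client-42", "acct-A")]
T0 = datetime(2024, 10, 1, 9, 0)

def run_samples():
    """Decisions for four constructed requests, in order."""
    to_known = TransferRequest("client-42", "acct-A", 25000.0, T0, {"sms"})
    phone_only = TransferRequest("client-42", "acct-B", 25000.0, T0, {"sms", "voice_callback"})
    strong_req = TransferRequest("client-42", "acct-B", 25000.0, T0, {"in_person", "video_call"})
    return [decide_transfer(to_known, KNOWN, T0)[0],
            decide_transfer(phone_only, KNOWN, T0)[0],
            decide_transfer(strong_req, KNOWN, T0)[0],                 # same day: held
            decide_transfer(strong_req, KNOWN, T0 + NEW_PAYEE_HOLD)[0]]  # after hold: released
```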
Cybersecurity Protocols For Wealth Managers
Besides these foundational cybersecurity defenses, we advocate that wealth managers turn to a series of other incremental measures. The specific steps appropriate for a particular firm are directly tied to how frequently it must access clients’ non-public personal information and custodial accounts.
EXHIBIT 3: Damage Reduction Defenses (layers shown: Direct Attack Defenses, Indirect Attack Defenses, Damage Reduction Defenses, Information Systems)
Tier I — Cybersecurity Protocol
This protocol is most appropriate for industry participants who only infrequently access client personal information and accounts (as is typical for most traditional wealth managers). It requires another layer of defenses made up of four enhanced damage-reduction measures:
• Storing all non-public personal information offline;
• Prohibiting the downloading of client information from third-party vendors;
• Keeping any remaining online client information anonymous; and
• Physically isolating (or “air-gapping”) networks for the trading of client accounts.
Tier II — Cybersecurity Protocol
Wealth managers that require frequent access to client non-public personal information — and for whom storing it entirely offline would be impractical — should implement six measures to reduce the likelihood of a breach and further complicate criminals’ ability to steal client information and assets. These measures include:
• Storing rarely used client non-public personal information offline;
• Further segmenting and compartmentalizing non-public personal information stored online;
• Doing penetration tests of third parties;
• Using intrusion protection systems;
• Air-gapping the trading of client accounts; and
• Using data transfer alerting software.
Tier III — Cybersecurity Protocol
For some firms, such as investment counselors and multifamily offices, it’s impractical to store and air-gap clients’ non-public personal information. Such firms must rely on “zero trust” systems: These include foundational defenses, the first five incremental steps included in the Tier II protocol we discussed earlier and four other additional measures:
• They should use only company-owned or managed devices.
• They should use enhanced firewalls and intrusion-protection systems.
• They should expand their IT staff.
• They should hire a chief information security officer (or CISO).
If a CEO discovers that these measures are not already in place, they should seriously consider the competency and adequacy of their IT staff or the third-party technology provider they use.
Best Practices
Over time, the SEC will develop its own views and policies for what constitutes industry “best practices.” And while the agency may struggle to keep pace with rapidly evolving cybersecurity threats, wealth managers will nonetheless have to be responsive to change. Thus, our recommendations serve only as starting points for firms that will have to make their own independent assessments.
The good news is that an effective program for most firms is neither complicated nor expensive, though more than a few readers will likely be surprised by the scope and number of measures required to adequately address these threats. However, this is 2024, not 1994. The world is a very different place than it was 30 years ago. And cybersecurity changes every year.
MARK HURLEY is the CEO of Digital Privacy & Protection.
BRIAN HAMBURGER is the CEO of MarketCounsel Consulting.
CARMINE CICALESE is the President of Cyber CIC.