Cybersecurity is often discussed in the context of being a race to win, a game to dominate or a war to emerge from as the last man standing.
But John Cataldo says that firms fixated on coming out on top are missing the point.
Winning shouldn't be the objective. Because, frankly, outright victory isn't really an option.
Instead, the
So for wealth managers, the goals should be buy-in, commitment and an organization-wide understanding that it's not over 'til it's over.
"It's trench warfare. Parties are dug in. You don't want to let them across, but you're not probably going to be making much headway. So as long as you've got that stalemate where people can't get in, you're good," Cataldo told Financial Planning. "Educate your organization about why this is important. Help them get that greater appreciation for it. Help them understand the uniqueness of your organization and what your unique cyber threats are.
"But understanding that you are in it for the long haul is really, really important. And begin setting that stage internally so that people understand the dynamics."
As the way we work and live becomes more dependent on digital-first interactions, the risk of cybercriminals converting our ability to connect into opportunities to attack increases.
The cybersecurity burden weighs even heavier on wealth managers trusted to protect the sensitive personal information of end clients — information that could lead to ruin if passive policies leave gaps in a firm's defense.
READ MORE:
Raising the already high stakes is an environment of
The most recent tweaks from on high include
A major problem
If it feels like your organization or peers have been having more conversations about cyber attacks lately, it's for good reason. 2023 has thus far been a difficult year for those dedicated to digital defense, and the breaches once again prove that anyone is fair game.
College universities, government agencies, investment research firms and mobile phone carriers are among the entities that have ended up in the crosshairs over the past six months.
Brian Edelman, CEO of FCI,
He's referring to the
MOVEit is a piece of managed file transfer software developed by the Burlington, Massachusetts-based Progress Software that relies on encryption to facilitate the exchange of files and data between servers, systems and applications.
A criminal hacking gang known as Clop has claimed responsibility for the ongoing MOVEit cyber attacks and have threatened to publicly post internal data from targeted professional services firms like Pricewaterhousecoopers and Ernst & Young unless they pay a ransom fee.
Other companies and organizations that were impacted are the U.S. Department of Health and Human Services, Honeywell, the government of Nova Scotia, UCLA, the New York City Department of Education, the Louisiana Office of Motor Vehicles and Siemens Energy.
Brett Callow, a threat analyst at the cybersecurity firm Emsisoft,
But
"I think it's certainly making it very clear who has strong cyber controls and who doesn't. Those who have responded early — and those are a lot of the public companies — have demonstrated that they have strong cyber programs and responses," Edelman said. "Vulnerabilities are going to happen. They're missing a core function called mass vulnerability response. So that's an important thing to address and uncover. But what we're seeing is they were able to define that there was a breach, they were able to define how many people were affected by the breach, they were able to talk about the fact that it was under investigation. These are all signs that they have mature cyber programs."
MOVEit isn't the only notable breach reported in 2023. Other attacks include 37 million people caught up in a T-Mobile breach; 20 million people in a PeopleConnect breach; and a breach disclosed by
Cyber attacks have also been on the rise in recent years.
Of the complaints from 2021, 51,629 concerned identity theft and 51,829 personal data breaches. Those numbers increased by 193% and 68% from 2017, respectively.
At the heart of each breach is the industry's most valuable resource: data.
Like the spice in "Dune," attackers are willing to go great lengths to obtain it, and organizations must be equally committed to protecting it.
"This is a major problem as companies are more and more reliant on electronic communication and digital data storage," Cataldo said. "It becomes a more acute problem because you have more of this stuff. Clients and customers are more attuned to it. Regulators are obviously more attuned to it. And it intersects with so many different things — regulatory risk, reputational risk, legal liability. So the fact that it touches on so many different areas at once really supports why it's top of everyone's mind."
Where the industry ranks cybersecurity
As Edelman, Cataldo and others stress the importance of firms having a strong cyber plan, it's clear that the world of financial services gets it.
In the survey conducted this spring, nearly 90% of respondents said cybersecurity threats are a "moderate" or "significant" challenge to their institutions' digital banking strategies, ahead of integrating legacy systems with new digital technologies (86%) and retaining and attracting skilled talent (77%).
Bankers also named security-related functions as two of the top three technologies for enabling digital banking, with 55% saying enhanced security and fraud mitigation were vital to their goals and 50% saying digital identity verification is critical. That outpaced the importance rankings of many other digital services, including virtual assistants or chatbots (30%) and rapid application development (21%).
Arizent's research found that banks expect a large share of their spending in the coming year to go toward preventing data breaches, a continuation of previous spending trends.
Those results are similar to
When asked what kind of attacks pose the greatest risk to their businesses, the most popular responses among wealth managers were: viruses, malware or ransomware (60%); a data breach by a hacker or another criminal element (52%); phishing or spear-phishing (50%); and an unintended breach caused by a third-party vendor (41%).
There is also no single factor contributing to the growing cybersecurity risk profile of the companies surveyed by Arizent. Four factors affect 40% or more of the respondents' organizations: customers using mobile devices to access their data while "on the go"; employees working remotely; new digital tools being used to access customer data; and third parties being directed by customers to access their data.
Findings aside, F2 Strategy
That's because unless you can actively prove your efforts stopped a breach in its tracks, there are no opportunities to celebrate the fact that your approach is working.
It's a "no news is good news" situation and goes back to the idea of a stalemate being the best you can hope for.
"There's an argument to be made that it should be the top thing on everybody's mind all the time. So do I think that it has continued to improve? Yes. I get more questions about it as we engage with our clients on things like vendor selection and the controls around document sharing," Lamont said. "That's a sign that at least more of the executives and more of the senior IT leadership that we're engaging with are considering it to be a really critical component of what they do day to day. It impacts how they select new tools, how they support their advisors and their clients."
Asking the right questions, and adding the right family members
As firm's look to bulk up their digital defenses, Edelman said every valuable cybersecurity discussion should revolve around four important questions:
- Do you know the person in your organization responsible for your firm's cybersecurity program?
- Do you know if your firm has an active cybersecurity program?
- Do you have a vendor management program?
- Do you have an incident response plan?
But just as important as the questions are knowing how they should be answered, Edelman said. When asking these questions in your firm, he said the possible answers should be "Yes," "No," and "Yes, and I can provide evidence to support my answer."
He adds that the third option — yes with evidence — is the only right answer. Because if a breach takes place and regulators come searching for clarity, a yes without evidence is as good as a no.
"One of the major changes that the regulators did in order to create a profound impact in cyber within financial services, was we had a model before called attestation. It basically was you answer the question yes or no, and that was it," he said. "Now when you answer your question, you better think twice. If you're going to answer yes, know that the next question is always going to be about evidence. So you're almost better off saying no and then coming back and putting something in place as opposed to saying yes and not being able to prove exactly what they're requesting."
Vendor management is a major sticking point for Vikram Chugh, the chief operating officer of
Chugh, who oversees the wealth management platform at Robertson Stephens and is responsible for firm operations, said partnerships between wealth managers and fintechs are more common in today's environment as firms work to expand their services.
But once a new partnership or integration is announced, that vendor becomes part of the family. Meaning any gaps in their cybersecurity approach become gaps in your plans as well and the vendors must be vetted, with a cybersecurity due diligence plan in place.
"When we are onboarding a vendor, we want to make sure their cybersecurity policy is consistent with our needs and with what we have promised to deliver to our clients. So that's kind of the starting point," he said during a cybersecurity discussion during Financial Planning's 2023 INVEST conference. "The one drawback is that this does add time to onboard a vendor to our systems. But as a risk mitigation strategy, it's been well worth it."
During a separate INVEST 2023 session,
"If you haven't gone back and looked at them in the last year, two years, three years, five years, it's probably time. Can they still perform the functions that you need them to perform? Do you need them to perform more functions? Can they meet those requirements? What's changed in your business that you might need to think outside the box on and say, 'you know what, I need a new vendor for this,'" Magri said. "Additionally, I think it's so important to right size your vendor management program
"You're going to have to notify clients if you have a cybersecurity breach. So if you're working with vendors, and you haven't thought, 'who are they talking to? Where are they storing my data at?' Really think through some of those relationships as you're asking those questions and doing those vendor management risk reviews."
How AI changes the game
For a long time, cybersecurity has been a battle waged with tech but led by humans.
But how does the battlefield change as we witness the rise of the robots?
READ MORE:
We already have some indication of how emerging artificial intelligence capabilities may add a new wrinkle to the conversation.
In January, just months after ChatGPT made it into the hands of the public, researchers with cybersecurity company Cyberark
The researchers further developed their malicious code to include a component that periodically queries ChatGPT for new modules that perform malicious actions. Essentially, this means the original coders don't need to update their malware themselves in response to new security measures — the program is capable of modifying itself on the fly to meet novel challenges.
But if AI can make the attackers stronger, it can also fortify the defenders. In a May VentureBeat op-ed, Thomas Aneiro, a senior director at
He said it can also provide instructional aid for less-experienced security professionals.
Cataldo, meanwhile, said that AI has been around for generations. But the emerging AI that infiltrates people's lives is a different animal altogether.
"Where you have to be mindful of that is you have to ask yourself, how are these AI systems creating new entry points? Because people are accessing them more frequently, are they accessing them through the cloud? Are they accessing them some other way?" he said. "AI, with its ability to analyze and assess things faster or more fully, can also be exploited by cyber criminals to develop software that can infiltrate much faster. That increases that pace of technology. The arms race.
"That's where AI enhances the risks that we face today in the financial services world, or any world where you're dealing with cybersecurity."
