Cybercriminals' Threat To Global Wealth Management - The Risks

Mark Shapland Reporter 24 December 2014

Cybercriminals' Threat To Global Wealth Management - The Risks

Cybercrime has gone far beyond the world of science fiction to hard reality as firms, including wealth management organisations, have been targeted. This article explores the risks.

(Editor's note: This publication is re-issuing a number of the best features for 2014, and this particular item stands out for focusing on why the growing menace of hacker attacks on electronic systems must be taken seriously by wealth managers. Only a few days ago, the world was rocked by claims - and furious denials - that the Communist regime of North Korea was behind a massive attack on Sony, leading to the pulling of a satirical movie about North Korea.)

Every reader should know about keeping passwords secure and being careful about whom they let near their private information. In the world of private banking, however, even some of the more robust institutions have fallen victim to cybercriminals.

The stakes are large: a single successful hacking attack can destroy reputations built up over hundreds of years within seconds.

Spending on fighting the menace is increasing year on year and with more and more business transactions taking place online the problem is likely to get worse, industry figures say.

Cybercrime costs the global economy $445 billion every year, according to a study by the Center for Strategic and International Studies, a US organisation, and Coutts, the private bank, estimates security could end up representing about 30 per cent of private banks' technology budgets.

“It is an issue we take very seriously,” said Adam Wethered, co-founder at wealth manager Lord North Street (now mergered with multi-family office Sand Aire). “The answer is to have good internal and external IT services, which means having the right processes, standards and disciplines in place,” he said.

Yet wealth management firms who cannot combat this threat have lost clients instantly and figures show they do not return, experts have told this publication.

“Of course the primary hit from the crime is the loss of money but then its reputation and the disruption to the internal systems,” said Sarah Stephens, head of cyber & commercial at Aon Risk Solutions. “It is the soft costs that actually become the bigger problem.”

Spear phishing  

Unsurprisingly, wealth management companies based in the UK, US and Germany are the prime targets for hackers hunting monetary rewards. The hackers often work together in what are known as “cyber syndicates” – 100-man teams focused solely on breaking down corporate security systems. And evidence shows they are becoming increasingly more sophisticated, recently developing a practice commonly known as “spear phishing”.

In this instance the hacker will send what looks like an authentic email from a wealth manager to a client or individual asking for specific personal financial information or log on details. If the individual falls for the spear phisher's ploy, the attacker can masquerade as that person and gain further access to sensitive data or move money around.

According to Kroll, the risk consulting firm, other tactics include setting up bogus WiFi networks at airports and hotels, which travelling wealth managers inevitably use.

The fraudsters then send an email to a clearing bank asking for large sums of money held on behalf of clients of the wealth manager to be moved to other accounts.

These emails are usually flagged up as suspicious by security and as a result the clearing bank will email the wealth manager to ask for clarification. However staff at the latter will never see this email, as the fraudsters will have set up an email filter, and can confirm the transaction themselves.

“The hackers are highly technical and becoming increasingly skilled at targeting financial firms,” said Stephens. “It’s a critical issue for firms and the bad guys are just as sophisticated as the good guys. It requires constant vigilance.”

Held to ransom 

In July, even an institution as supposedly robust as the European Central Bank was hacked by cyber criminals demanding payment for the return of stolen data, including personal email addresses and other contact data of people registering for ECB events.

While the most public incident in the wealth management industry took place in April 2013 when Singapore-based fund administrator Portcullis Trustnet gained unwanted media attention when 260 gigabytes of data containing information on offshore clients was leaked to the International Consortium of Investigative Journalists. The ICIJ has also targeted Kleinwort Benson in the Channel Islands (see here) and that bank is investigating the matter. To date, details on how the ICIJ acquired such data have been absent. The consortium has stated that while people who have offshore accounts are not necessarily criminals, such accounts are unfair, which suggests its campaign to obtain such data is politically motivated.

David Chong, chairman at the company, told a Reuters Global Wealth Management Summit in Singapore last month that as a result of the leak his firm had spent heavily on security.

"I tell clients that if the NSA (US National Security Agency) cannot prevent theft from their systems, we don't have much of a chance," he said.

It is little wonder then that 52 per cent of UK bank bosses said they would increase spending on cyber-security in the year ahead - adding to the £700 million ($560 million) spent last year in the UK alone, says the department for Business, Innovation and Skills (BIS) and the Cabinet Office.

Big spending

Figures from the US show that overall company spending on cybercrime has risen steadily year on year, totalling $88.25 billion last year - significantly up from $39.37 billion in 2006. At the same time IT security as a percentage of all IT spending now stands at 6.9 per cent from 5.0 per cent in 2006, says the Ponemon Institute, a cybercrime research firm.

At the same time Global Fortune 2,000 companies recorded 8,400 serious cyber crime attacks last year -significantly up on 6,930 in 2012.

So far JP Morgan is one of the few major financial firms to disclose its cybercrime spending. This year it raised its budget to $250 million from $200 million in 2013 and plans to build three cyber security operation centres in regional headquarters.

“It is going to be a continual and likely never ending battle,” said Jamie Dimon, chief executive at JP Morgan in a letter to shareholders, adding that “not every battle will be won”.

Nevertheless there is cause for optimism that hackers are not having matters all their own way. Recent results in the UK suggest that spending has paid off as the number of security breaches experienced fell in 2013. The survey by BIS revealed that 81 per cent of corporate companies experienced a security breach, down from 86 per cent in 2012.

But Richard Horne, cyber security risk partner at PwC, urged against celebrating too early stating that the incidents that did get through were more destructive and costly than ever before.

In 2013 the average cost of a breach in a large organisation was £600,000 to £1.15 million - up from £450,000 to £850,000 a year before. While for small business it was £65,000 to £115,000 versus £35,000 to £65,000 a year prior.

“The number of incidents is going down but the worst incident is proving far more costly for organisations,” Horne said. “Certainly companies have got better at stopping the lower level attacks.”

However allocating huge budgets and throwing money at the problem is not always the best solution, said Stephens at Aon.

“There does come a point where spending more does not reduce risk further,” said Stephens. “It’s called the zero days’ issue whereby there is a hole in software that is unknown to the programmer until the day the hacker strikes.”

And instead of paying for the latest firewall or anti-virus and anti-malware software, firms should look more closely at blocking the channels through which hackers attack, said Larry Ponemon, founder at the Ponemon Institute.

This includes checking up on clients and business partners cyber crime defence systems to make sure they are reliable and impenetrable. Although this process can be awkward, particularly with clients, it is necessary, added Ponemon.


Hackers deliberately target smaller firms working for large corporates knowing that they potentially hold important client data in a less protected environment.

“Firms should be more rigorous in evaluating vendors and clients,” Ponemon said. “If they are not meeting the standards then it can put a business at serious risk. An insecure vendor puts the organisation at risk of being sued.”

Merill Lynch said last June it is auditing the cyber security practices of its outside law firms which show just how far the big banks are prepared to go in order to make sure client data is secure.

Law firms are now seen as the "soft underbelly" of clients, such as defence contractors, that are likely to be targeted by hackers. 

“Law and accounting firms are notoriously poor. They often hold supplementary material that is not protected,” said Ponemon. “They tend to be smaller firms and hackers look for companies with fewer controls in place.” 

And yet the reality is that for all the hacker’s genius many of the ways a firm can prevent attacks is through simply cutting out basic human errors.

These include stopping invalid people enter office premises because they might “look the part”, accidentally sending confidential information to the wrong email address or transferring important documents to a personal laptop in order that work can be done remotely.

Insider job

Security and data violations can also take place from within the firm itself, mostly via dishonest employees, sometimes seizing compact discs or paper documents. In 2012 worker Lutz Otte stole 2700 records of German clients from private bank Julius Baer internal systems. He received a partially suspended three-year prison sentence in August last year.

It was not the first time Julius Baer has been stung. In 2011 former employee Rudolf Elmer was arrested for handing over disks to WikiLeaks that contained data on private banks in Switzerland and their clients. He was tried in that same year but walked free in July despite his threats against the bank and its employees.

But firms outside the financial sector have also been victims. In June this year hackers demanded a ransom of £24,000 from Domino's Pizza after stealing personal data on more than 600,000 of its French and Belgian customers.

The hackers, a group calling themselves Rex Mundi, posted a sample of the stolen user data alongside the ransom threat. Domino’s said at the time it would not pay up.

The modern phenomenon for individuals to share mountains of personal detail on websites such as Facebook, Twitter and LinkedIn can also cause problems. While firms should be wary about how much information is moved to the cloud or storage websites such as Dropbox, Ponemon added.

“Dropbox isn’t for everything. Certainly not for trade secrets such as the design of a new aeroplane,” he continued. “However employers want employees to work with devices they feel familiar with and pick the tools they like. You can no longer tell everyone they must have a Blackberry. There is no fighting against increased productivity.”

Experts say pin codes and passwords should also be changed on a regular basis. A recent study found that 85 per cent of Singaporeans use the same pin for all their cards and phones.

"All it takes is an observant criminal to watch you unlocking your mobile device, and there's every chance he's got your bank number as well," said Mark Hall at financial services website "Then it's a case of a well-timed pickpocketing or purse snatch, and you're in real trouble." 

Early days

Yet cybercrime is still in its infancy and wealth management chief executives admit learning to combat the problem is a ongoing process with few definitive answers.

The most stark reminder of this took place this June in Canada where two 14-year-olds succeeded in hacking into a Bank of Montreal ATM cash machine during their school lunch break - simply by reading an operator's manual online and typing in the default administrator password.

Surprised by their success the boys - Caleb Turon and Matthew Hewlett - immediately went to the nearest branch of the Bank of Montreal to alert the bank to the security vulnerability. The bank did not believe them at first but then taught the bank’s head how it had been done.

"We thought it would be fun to try it, but we were not expecting it to work," Hewlett said.

The bank wrote the pair a lunch late note excusing them as they were "assisting BMO with security".
















Register for WealthBriefing today

Gain access to regular and exclusive research on the global wealth management sector along with the opportunity to attend industry events such as exclusive invites to Breakfast Briefings and Summits in the major wealth management centres and industry leading awards programmes