Cybercrime has gone far beyond the world of science fiction to hard reality as firms, including wealth management organisations, have been targeted. This article explores the risks.
(Editor's note: This publication is re-issuing a number of the best features for 2014, and this particular item stands out for focusing on why the growing menace of hacker attacks on electronic systems must be taken seriously by wealth managers. Only a few days ago, the world was rocked by claims - and furious denials - that the Communist regime of North Korea was behind a massive attack on Sony, leading to the pulling of a satirical movie about North Korea.)
Every reader should know about keeping passwords secure and being careful about whom they let near their private information. In the world of private banking, however, even some of the more robust institutions have fallen victim to cybercriminals.
The stakes are large: a single successful hacking attack can destroy reputations built up over hundreds of years within seconds.
Spending on fighting the menace is increasing year on year and, with more and more business transactions taking place online, the problem is likely to get worse, industry figures say.
Cybercrime costs the global economy $445 billion every year, according to a study by the Center for Strategic and International Studies, a US organisation. Coutts, the private bank, estimates security could end up representing about 30 per cent of private banks' technology budgets.
“It is an issue we take very seriously,” said Adam Wethered, co-founder at wealth manager Lord North Street (now merged with multi-family office Sand Aire). “The answer is to have good internal and external IT services, which means having the right processes, standards and disciplines in place,” he said.
Yet wealth management firms that cannot combat this threat have lost clients instantly, and figures show they do not return, experts have told this publication.
“Of course the primary hit from the crime is the loss of money but then its reputation and the disruption to the internal systems,” said Sarah Stephens, head of cyber & commercial at Aon Risk Solutions. “It is the soft costs that actually become the bigger problem.”
Unsurprisingly, wealth management companies based in the UK, US and Germany are the prime targets for hackers hunting monetary rewards. The hackers often work together in what are known as “cyber syndicates” – 100-man teams focused solely on breaking down corporate security systems. And evidence shows they are becoming increasingly sophisticated, recently developing a practice commonly known as “spear phishing”.
In this instance the hacker will send what looks like an authentic email from a wealth manager to a client or individual, asking for specific personal financial information or log-on details. If the individual falls for the spear phisher's ploy, the attacker can masquerade as that person and gain further access to sensitive data or move money around.
According to Kroll, the risk consulting firm, other tactics include setting up bogus WiFi networks at airports and hotels, which travelling wealth managers inevitably use.
The fraudsters then send an email to a clearing bank asking for large sums of money held on behalf of clients of the wealth manager to be moved to other accounts.
These emails are usually flagged up as suspicious by security and, as a result, the clearing bank will email the wealth manager to ask for clarification. However, staff at the latter will never see this email, because the fraudsters will have set up an email filter that intercepts it, and they can then confirm the transaction themselves.
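The hidden email filter described above can be looked for directly. The following Python audit is an added example, not part of the original article: it flags mailbox rules that remove a clearing bank's messages from the inbox or forward mail outside the firm. The rule schema, domain names and folder names are constructed assumptions, not any mail system's real export format.

```python
# Added example: audit exported mailbox rules for ones that hide counterparty mail.
# The rule schema, domains and folder names below are constructed assumptions.
COUNTERPARTY_DOMAINS = {"clearingbank.example"}   # banks that send confirmations
FIRM_DOMAIN = "wealthfirm.example"
QUIET_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}

SAMPLE_RULES = [  # constructed sample data
    {"owner": "alice", "name": "Newsletters",
     "conditions": {"from_domains": ["news.example"]},
     "actions": [{"type": "move_to_folder", "folder": "Newsletters"}]},
    {"owner": "bob", "name": ".",
     "conditions": {"from_domains": ["clearingbank.example"]},
     "actions": [{"type": "move_to_folder", "folder": "RSS Feeds"},
                 {"type": "mark_as_read"}]},
    {"owner": "carol", "name": "backup", "conditions": {},
     "actions": [{"type": "forward", "to": "carol.backup@freemail.example"}]},
    {"owner": "dave", "name": "Bank statements",
     "conditions": {"from_domains": ["clearingbank.example"]},
     "actions": [{"type": "move_to_folder", "folder": "Clearing bank"}]},
]

def assess_rule(rule):
    """Return the reasons a rule is suspicious, or [] if it looks benign."""
    senders = {d.lower() for d in rule.get("conditions", {}).get("from_domains", [])}
    targets_counterparty = bool(senders & COUNTERPARTY_DOMAINS)
    reasons = []
    for action in rule.get("actions", []):
        kind = action.get("type")
        if kind in ("forward", "redirect"):
            dest = action.get("to", "").rsplit("@", 1)[-1].lower()
            if dest != FIRM_DOMAIN:
                reasons.append(f"sends copies outside the firm ({dest})")
        hidden = kind == "delete" or (
            kind == "move_to_folder"
            and action.get("folder", "").lower() in QUIET_FOLDERS)
        if hidden and targets_counterparty:
            reasons.append("removes counterparty mail from the inbox")
    return reasons

def audit(rules):
    """List (owner, rule name, reasons) for every rule that needs review."""
    return [(r["owner"], r["name"], why)
            for r in rules if (why := assess_rule(r))]

if __name__ == "__main__":
    for owner, name, why in audit(SAMPLE_RULES):
        print(f"{owner}: rule {name!r}: {'; '.join(why)}")
```

A rule that files the bank's mail into a visible, clearly named folder (the "dave" entry) is deliberately left unflagged, so the check stays usable on real mailboxes where ordinary filing rules are common.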
“The hackers are highly technical and becoming increasingly skilled at targeting financial firms,” said Stephens. “It’s a critical issue for firms and the bad guys are just as sophisticated as the good guys. It requires constant vigilance.”
Held to ransom
In July, even an institution as supposedly robust as the European Central Bank was hacked by cyber criminals demanding payment for the return of stolen data, including personal email addresses and other contact data of people registering for ECB events.
The most public incident in the wealth management industry took place in April 2013, when Singapore-based fund administrator Portcullis Trustnet gained unwanted media attention after 260 gigabytes of data containing information on offshore clients was leaked to the International Consortium of Investigative Journalists. The ICIJ has also targeted Kleinwort Benson in the Channel Islands and that bank is investigating the matter. To date, details on how the ICIJ acquired such data have been absent. The consortium has stated that while people who have offshore accounts are not necessarily criminals, such accounts are unfair, which suggests its campaign to obtain such data is politically motivated.
David Chong, chairman at the company, told a Reuters Global Wealth Management Summit in Singapore last month that as a result of the leak his firm had spent heavily on security.
"I tell clients that if the NSA (US National Security Agency) cannot prevent theft from their systems, we don't have much of a chance," he said.
It is little wonder then that 52 per cent of UK bank bosses said they would increase spending on cyber-security in the year ahead - adding to the £700 million ($560 million) spent last year in the UK alone, according to the Department for Business, Innovation and Skills (BIS) and the Cabinet Office.
Figures from the US show that overall company spending on cybercrime has risen steadily year on year, totalling $88.25 billion last year - significantly up from $39.37 billion in 2006. At the same time IT security as a percentage of all IT spending now stands at 6.9 per cent, up from 5.0 per cent in 2006, says the Ponemon Institute, a cybercrime research firm.
At the same time Global Fortune 2,000 companies recorded 8,400 serious cyber crime attacks last year - significantly up on 6,930 in 2012.
So far JP Morgan is one of the few major financial firms to disclose its cybercrime spending. This year it raised its budget to $250 million from $200 million in 2013 and plans to build three cyber security operation centres in regional headquarters.
“It is going to be a continual and likely never-ending battle,” said Jamie Dimon, chief executive at JP Morgan, in a letter to shareholders, adding that “not every battle will be won”.
Nevertheless, there is cause for optimism that hackers are not having matters all their own way. Recent results in the UK suggest that spending has paid off, as the number of security breaches experienced fell in 2013. The survey by BIS revealed that 81 per cent of corporate companies experienced a security breach, down from 86 per cent in 2012.
But Richard Horne, cyber security risk partner at PwC, urged against celebrating too early, stating that the incidents that did get through were more destructive and costly than ever before.
In 2013 the average cost of a breach in a large organisation was £600,000 to £1.15 million - up from £450,000 to £850,000 a year before. For small businesses it was £65,000 to £115,000, versus £35,000 to £65,000 a year prior.
“The number of incidents is going down but the worst incident is proving far more costly for organisations,” Horne said. “Certainly companies have got better at stopping the lower level attacks.”
However, allocating huge budgets and throwing money at the problem is not always the best solution, said Stephens at Aon.
“There does come a point where spending more does not reduce risk further,” said Stephens. “It’s called the zero days’ issue whereby there is a hole in software that is unknown to the programmer until the day the hacker strikes.”
And instead of paying for the latest firewall or anti-virus and anti-malware software, firms should look more closely at blocking the channels through which hackers attack, said Larry Ponemon, founder at the Ponemon Institute.
This includes checking up on clients' and business partners' cybercrime defence systems to make sure they are reliable and impenetrable. Although this process can be awkward, particularly with clients, it is necessary, added Ponemon.