ADVISORS AND CYBER RISK: PREVENTION AND RESPONSE
Are you doing all you can to protect your firm and your clients’ data from today’s cyber risks?
On Nov. 1, 2018, an important new compliance obligation for Canada’s advisory industry will take effect.
That’s the day all domestic and foreign companies subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will be legally required to notify affected individuals about privacy breaches and report those breaches to the Privacy Commissioner of Canada.
The new obligation brings the issue of cybersecurity and privacy into sharp relief for a sector of the financial services industry that has become a target for bad actors using ever more sophisticated means of attack.
This past June, leaders from four advisory firms gathered with insurance and risk professionals at the Advisor’s Edge offices in Toronto for a roundtable about the changing nature of cyber risks in the advisor space and how to deal with them. The discussion was hosted by Aon Risk Solutions.
The participants were Tony Mahabir, CEO of CANFIN Financial Group; Dev Mukerji, Vice-president of Information Technology at Financial Horizons Group; Chris Page, President and CEO of Laurus Investment Counsel (not present at meeting); John Webster, President of Queensbury Securities Inc.; Jennifer Drake, Vice-president and Legal Consultant with Aon Risk Solutions; Kelly MacDonald, Senior Vice-president with Aon Risk Solutions; Sarah Gibson, Assistant Vice-president / ProFin, Global Specialty Lines at RSA Canada; and Suzanne Tavaszy, Regional Underwriting Manager with RSA Insurance.
The Advisor Risk Landscape
In one sense, the new obligations imposed under PIPEDA are simply an extension of the growing compliance burden advisory firms face today. That burden is growing, in part, due to the interconnected trends of changing customer expectations and rapidly advancing technology, says Tony Mahabir.
“The old days of meeting with your advisor who shows up with a statement are gone,” he says. “Now clients want access from their smartphones, their tablets, or their desktops—anywhere at any time.” Meeting this need means the creation of more entry points into a firm’s network—as well as more methods of deception.
Other roundtable participants point out how some of the more traditional risks the industry faces may amplify their cyber risk vulnerabilities. Dev Mukerji highlights the aging workforce as an example.
“The average age of a lot of advisors is late 50s. They’re not, by their nature, very tech-savvy,” says Mukerji, adding that the life insurance sector in particular is still very paper-based. “For many, the pace of technological change is so rapid that they’re struggling with that change.” This creates a risk, as these older advisors struggle to meet the compliance demands that stem from rapid conversion from paper to digital and the appropriate management of those assets. “I talk to advisors about things like managing passwords and encryption on their laptops and they look at me like, ‘What?’”
John Webster agrees that managing cyber risk is inseparable from managing people. Nevertheless, he concedes that there are limits as to how much he can manage that risk based on the independent contractor business model on which the industry is based.
“Our business is based on our advisors, and, as such, it’s the reputation among the advisory community that you need to maintain,” says Webster. “Clients generally have strong relationships with their advisors and will follow them to whatever firm they go.”
The connection between cyber risk management and people management is critical. The insurance and risk professional roundtable participants note that the major vulnerability that’s driving cyber-related losses is the “human element.” Cybercriminals understand how the industry works and are concocting increasingly sophisticated social engineering schemes to steal data and money.
For example, a common scheme now is for a cybercriminal to impersonate a client, through either hacking a client’s legitimate email account or creating a fake one that looks like the client’s real email (perhaps because the advisor has received it on a device that doesn’t display the actual address). The imposter then issues instructions to send funds to a different bank account than the one the advisor has on file. The request may violate compliance procedures, but the advisor does it anyway to be accommodating and provide good service.
3 Cyber Scams Targeting Advisors
Cybercriminals targeting financial advisors often take advantage of the fact that so much business today is transacted digitally rather than over the phone or in person. How can you determine if a scammer has hacked one of your clients?
- Unusual changes in trading activity. Usually this means a sudden increase in the frequency of trades. It may also involve a sudden increase in the size of transactions.
- Requesting changes to banking information. A scammer may have hacked your client’s email or be impersonating them with an email that looks similar. Make sure the address matches what you have on file. Don’t hesitate to follow up with a phone call.
- “Verification” calls. When was the last time you spoke to your clients on the phone? Would you remember what all their voices sound like? Make sure you have multiple methods for getting hold of your clients to verify suspicious transactions.
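The three indicators above can be screened for mechanically before an advisor acts on an instruction. The following is an added example, not code from the article or from any of the firms named in it: it compares the real sending address (not the display name a phone client shows) against the address on file, looks for wording that redirects money, and checks this week’s trades against a simple baseline. The client record, both e-mails, the trade history and the thresholds (2× the usual weekly count, 3× the usual ticket size) are all constructed assumptions for illustration; any flag means “pick up the phone and verify”, nothing more.

```python
# Added example (not from the article): screen an inbound client instruction
# against the three indicators above. All sample data here is constructed.
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from statistics import mean
from typing import Dict, List


@dataclass
class ClientRecord:
    name: str
    email_on_file: str              # address verified when the account was opened
    weekly_trade_counts: List[int]  # constructed baseline: trades per week, recent weeks
    typical_trade_size: float       # constructed baseline: usual ticket size in dollars


# Phrases that usually accompany a request to redirect funds (assumed wording).
BANK_CHANGE_PATTERNS = (
    r"\bnew (bank )?account\b",
    r"\bchanged? (my )?bank",
    r"\bwire\b.*\b(to|into)\b",
    r"\bupdated? (my )?banking\b",
    r"\bdifferent account\b",
)


def sender_check(raw_email: str, client: ClientRecord):
    """Split From: into display name and real address; only the address is compared.
    A device that shows just the display name hides exactly this difference."""
    msg = message_from_string(raw_email)
    display_name, actual = parseaddr(msg.get("From", ""))
    return actual.lower() == client.email_on_file.lower(), display_name, actual.lower()


def requests_banking_change(raw_email: str) -> bool:
    """True if the body reads like a request to send money somewhere new."""
    payload = message_from_string(raw_email).get_payload()
    text = payload.lower() if isinstance(payload, str) else ""  # samples are single-part text
    return any(re.search(p, text) for p in BANK_CHANGE_PATTERNS)


def unusual_trading(client: ClientRecord, trades_this_week: List[float]) -> List[str]:
    """Flag a jump in frequency or size relative to the client's own baseline."""
    flags = []
    if len(trades_this_week) > 2 * mean(client.weekly_trade_counts):   # assumed threshold
        flags.append("trade_frequency")
    if any(t > 3 * client.typical_trade_size for t in trades_this_week):  # assumed threshold
        flags.append("trade_size")
    return flags


def screen_instruction(raw_email: str, client: ClientRecord,
                       trades_this_week: List[float]) -> Dict:
    """Combine the checks; any flag means verify by phone before acting."""
    flags = []
    matches, display_name, actual = sender_check(raw_email, client)
    if not matches:
        flags.append("sender_mismatch")
    if requests_banking_change(raw_email):
        flags.append("banking_change")
    flags.extend(unusual_trading(client, trades_this_week))
    return {"display_name": display_name, "actual_address": actual,
            "flags": flags, "requires_callback": bool(flags)}


# Constructed client record and two constructed messages.
CLIENT = ClientRecord("Pat Client", "pat.client@example.com", [2, 3, 2, 3], 5000.0)

LEGIT_EMAIL = (
    'From: "Pat Client" <pat.client@example.com>\n'
    "Subject: Rebalance\n"
    "\n"
    "Hi, please move my quarterly contribution into the balanced fund. Thanks, Pat\n"
)

# Same display name, but the domain uses a digit 1 in place of the letter l.
LOOKALIKE_EMAIL = (
    'From: "Pat Client" <pat.client@examp1e.com>\n'
    "Subject: Urgent - proceeds\n"
    "\n"
    "I changed banks last week. Please wire the proceeds of the sale to my new account "
    "at the details below today.\n"
)

if __name__ == "__main__":
    for label, raw, trades in (("legit", LEGIT_EMAIL, [4000.0, 5200.0]),
                               ("lookalike", LOOKALIKE_EMAIL, [4000.0] * 9 + [25000.0])):
        result = screen_instruction(raw, CLIENT, trades)
        verdict = "-> call the client first" if result["requires_callback"] else "-> ok"
        print(label, result["actual_address"], result["flags"], verdict)
```

The keyword list and thresholds are deliberately crude; the point is that the real address, not the display name, is what gets compared, and that a positive result routes the request to the out-of-band verification the list recommends rather than blocking anything automatically.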
Impersonating a client can be equally effective for getting inside a firm’s network and infecting it with malware or ransomware, says Kelly MacDonald.
“Everyone has pressures and we go through things quickly,” she says. “We’re getting 50 to 100 emails a day and [one] looks like it’s a proper email, like that last one from your client, so you click on it and now your network is infected.”
Discussion participants agree that, for the average advisory firm in Canada, the consequences of a breach can be devastating, and even fatal to a firm’s existence.
“The larger firms can, to a certain extent, communicate their way through it, say it was an isolated incident,” says Mukerji. “When you’re a smaller business, I don’t think you have that same amount of leeway with your clients.”
“All of our data can be recovered within two hours of a breach,” adds Chris Page. “The biggest risks stem from loss of client confidence and brand reputation.”
Prevention and Mitigation
“The finance industry is a target and the industry is very interconnected,” says Jennifer Drake. The advisors around the table agree. That’s why they’ve had to be ever more vigilant to deal with an increase in the number and sophistication of cyber-attacks.
“The scope and the kind of targeting of the attacks have become pretty advanced pretty quickly,” says Mukerji. “In the last 18 months, we’ve seen quite a change in how advanced the attacks are with things like personalized emails going to the C-suite, trying to get information out of the organization.”
That observation is also reflected in Aon’s Global Risk Management Survey: 2017. Cybercrime has risen into the top five risks of concern for all businesses globally and into the top three for the insurance, finance, and investment sectors.
Planning and Testing
Advisory firms are bolstering their defences against cyber-attacks in a number of areas. Since 9/11, firms throughout the industry have had to develop business continuity plans and have them certified annually. Now it’s becoming more common for advisory firms to develop cyber incident response plans separate from their overall business continuity plans.
But is just having a plan enough? MacDonald suggests that a firm may not see the weaknesses in its incident response plan until it goes through the process of a tabletop exercise of dealing with a hypothetical cyber breach. To illustrate, she points to a tabletop session she ran with a client to test their response plan. The hypothetical scenario was a release of sensitive client information at 5 p.m. on a Friday before a long weekend. Almost immediately, the exercise came to a halt as the client discovered a flaw in their plan.
“They had set up a mailbox where if a breach was identified it would go into this mailbox. But they realized they didn’t have anybody checking that mailbox over the weekend. Under their plan, nobody would have responded to the release of the information for 48 hours or more,” she says. “This was a sophisticated group of individuals, but they discovered a very simple thing they hadn’t thought of. Absent a tabletop exercise, they never would have known that.”
Another defence mechanism advisory firms have embraced is Red Team testing: attack simulations and security assessments of vulnerabilities in network security, physical security, and staff (such as through simulated social engineering schemes). All the advisors at the table confirm that their companies have gone through some form of third-party security assessment within the last year.
“Not enough companies are doing it,” says Drake. She points to the rise of the Internet of Things (IoT) and bring-your-own-device (BYOD) policies as areas of weakness that many companies haven’t considered. “Security now is no longer about how many doors and windows you have in your building. It’s about how many access points you have to the system that’s storing your information.
“We had a client where someone had brought a coffee maker into one of their kitchens that connected to the Internet. Now this coffee maker is connecting to their network. How hackable do you think it is? Very,” she explains.
As the conversation moves from technology back to people, one thing is clear. All the advisors around the table understand that managing cybersecurity and information privacy is not solely the province of the IT department. Developing a mindset of cyber resilience means everyone in the firm needs to understand how he or she contributes. This means understanding how hackers use “phishing” emails and “smishing” text messages to obtain information or access to a network and infect it with malware like ransomware. In addition to the mandated staff training that all advisory firms must deliver, Mahabir points to the power of storytelling.
Top 5 Cyber Risk Mitigation Tips for Advisors
- Know your perimeter. Red Team testing can help your firm understand where all the access points to your network are.
- Train staff. Managing cyber risk is the responsibility of every employee—not just the IT department.
- Secure communications. Advisors should avoid using open email platforms like Yahoo and Gmail. Use encrypted messaging services for texting with clients.
- Ensure strong contracts. Make sure that contracts with third-party technology providers have strong insurance and indemnity provisions and that their security is audited regularly.
- Plan and test. Don’t think it will never happen to you. Develop an incident response plan and test it regularly. Use tabletop exercises to uncover weaknesses in the plan.
“In our regular staff meetings, we explain incidents that could happen or that have happened in the industry, and we emphasize, in a positive way, that employee behaviour can have a big impact on information security,” he says.
A common technique across many industries today is to send out emails with a simulated cyber threat to gauge how many employees open the email or click on the bogus link.
“A really effective way of increasing the effectiveness of the training is if you click on the bad link, then you have to do the training right away,” says Suzanne Tavaszy. MacDonald adds that the training can also be gamified to provide positive reinforcement for those who complete the training and to incentivize vigilant behaviour.
Contracts and Insurance
Admittedly, not every aspect of mitigating cyber risk is within a firm’s control. Webster points to the risk posed by third-party technology vendors used by most advisory firms.
“Microsoft hosts our email. Am I going to go to them and say, ‘Show me your security testing’? It’s not going to happen. So, you do have to put some blind faith in some of these larger outside vendors. You can review the contract that you have with them, but good luck trying to change it.”
While there may be limits to what advisory firms can demand of vendors in terms of security testing and audits, MacDonald emphasizes the need for strong insurance and indemnity provisions in vendor contracts to ensure appropriate limits of liability.
“Oftentimes, vendors will limit their liability to the cost for services, and that may not be where the true risk is. If you’re paying vendors $10,000 a month but they have a data breach that costs you $2 million, you don’t just want your $10,000 a month back,” says MacDonald.
Advisors need to understand their own legal responsibilities regardless of what contractual agreements with vendors they may have in place, adds Tavaszy.
“If you’re collecting the data, you’re the custodian of it, you’re responsible—at least from a first-party cost standpoint—for some of those notification costs. You might also be involved if there is third-party litigation,” she explains.
So how much protection does the average advisory firm need? Opinions among the advisor participants vary when it comes to quantifying cyber risk. Their attitude is in line with responses from the Aon survey, which found that only 23 per cent of companies that have done cyber risk assessments have quantified the risk.
The insurance and risk professionals explain that there are methods that can get advisory firms to a suggested number for a limit on a cyber insurance policy. A good place to start, says Tavaszy, is simply to count the number of customer records a firm has and then multiply by the average cost per lost or stolen record ($255 per record in Canada, according to the Ponemon Institute’s widely cited benchmark study).
MacDonald also suggests that companies can borrow a method widely used in property insurance of insuring against the probable maximum foreseeable loss. Also take into consideration “what you realistically see as being a frequent and/or severe realistic scenario and look at that number, too,” adds Drake. “Because the probable maximum loss and the most likely scenario are going to be two very different numbers. At the end of the day, it’s a judgment call.”
Dealing With a Breach
Everyone will get hit eventually. That’s the mindset that’s slowly sinking in and replacing the “It will never happen to us. Why would anyone want to attack us?” denial that companies in many sectors still maintain.
The advisory firm participants get that and understand that the difference between survival and failure is less about whether or not they get hacked and more about how they respond to it when they do. Transparency with clients is key, notes Mahabir. “You have to have some candour.”
Tavaszy stresses the importance of having immediate access to a breach coach when an incident does occur. “It’s important to have somebody who can step in and do some coaching on how to present on the issue—whether it’s a cyber breach or a privacy breach,” she says. “Because that immediate response to the media or to clients from the senior people is so crucial.”
“I go back to when McCain Foods had its listeria outbreak,” says Mukerji. “What a great job they did with communication with the public, because that could have destroyed the company. They were upfront about it. They kept in touch with the public frequently.”
“That reputational piece is so critical in how you adjudicate that breach and how you notify and work with your customers,” adds MacDonald. In an industry that’s built on trust, careful management of your firm’s reputation in a crisis like a cyber breach can mean the business of surviving for the long term or shutting off the lights for good.
This article contains general information only. It is not intended to be a representation or warranty of results that may be achieved in any particular case nor is it intended to constitute advice. Readers are urged to obtain professional advice before acting on the basis of information contained in this article.