The risk of cyberattacks in the financial services industry is on the rise in 2014, and wealth management companies, broker-dealers and registered investment advisers are not exempt.
The threat is moving from large banks to midtier institutions and smaller firms as increasingly sophisticated cybercriminals and “hacktivists” pinpoint individual targets and seek easy entry points to do their damage, according to online-security experts.
“Firms need to believe, first of all, that they are a probable target,” said William Stewart, a commercial cyberbusiness senior vice president at management and technology consultant Booz Allen Hamilton Inc. “For firms that say, 'We're too small, they won't bother with us,' it's not true. These sophisticated adversaries have multipronged attacks. They don't just launch malware against one target.”
For example, a cybercriminal might buy identity information on the dark web (websites and other networks intentionally hidden from search engine crawlers) or break into a firm “so they can find out that this financial wealth management institution has some prominent people they're working with,” including bank executives and government officials, Mr. Stewart said.
Then the criminal will send a plausible-looking e-mail to the targeted individual's business network to capture even more information when the recipient clicks on an infected document and allows the malware to get inside their network.
“That's why these midtier folks are a target,” Mr. Stewart said, pointing to wealth management firms, regional banks and hedge funds. “They have valuable information because they're managing assets.”
And when grouped together, these organizations are like a row of dominos that, when attacked, can create a cascade of systemic risks that could affect financial institutions of any size, he warned.
Threats in the past have come from distributed denial-of-service, or DDoS, attacks (which make a website temporarily or indefinitely unavailable) and from data-destroying attacks by groups such as the Mideastern Izz ad-Din al-Qassam Cyber Fighters hacking collective.
Now mobile platforms also are at risk, Mr. Stewart said.
In short, the level of threat is monumental. But cybersecurity experts say financial institutions' resistance to revealing the extent of the problem makes it difficult to quantify the rise of cyberattacks.
A security bulletin published in December by IT security vendor Kaspersky Lab reports that the number of attacks launched from web resources globally in all sectors increased to 1.7 billion in 2013, from 1.6 billion in 2012. Fully 45% of web attacks in 2013 were launched from malicious web resources in the U.S. and Russia.
While large institutions are spending tens of millions of dollars on security measures, midtier firms typically can't afford that degree of protection, which puts them at risk, Mr. Stewart said. He estimated that only 5% to 10% of an average firm's IT budget goes to cybersecurity.
Roel Schouwenberg, principal security researcher at Kaspersky Lab, said that in addition to cybercriminals' greater focus on midsize firms, another disturbing trend comes from politically motivated hacktivists whose activity is less obvious. Rather than steal from a company, for example, their aim may be to destroy someone's reputation.
Hacktivists in 2013 were more involved than ever in the shutdown of stock exchanges, Mr. Schouwenberg said.
“From my personal point of view, one of the most interesting developments this year will be more closures at stock exchanges attributed to cyberattacks, because 2013 showed the system isn't as robust as people thought it was,” he said.
“We'll see more movement in 2014 and 2015 toward getting more money to hacktivists in foreign nation-states to disrupt the economy,” Mr. Schouwenberg predicted. “Cyberactivists go after targets with the best return on investment because they just want to make money, but hacktivists want to wreak havoc and they're unpredictable. They may go after a target whether it makes business sense or not.”
Both the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc. have identified cybersecurity as a heightened risk in the examination priority letters they released this month.
While the SEC gives the issue a brief mention in its Jan. 9 letter, saying staff will focus on “information leakage and cybersecurity,” Finra, in its Jan. 2 letter, goes further in addressing the problem.
Finra wrote that cybersecurity will remain a priority this year because of the persistent issues reported across the financial services industry in this area. “The frequency and sophistication of these attacks appears to be increasing. In light of this ongoing threat, Finra continues to be concerned about the integrity of firms' infrastructure and the safety and security of sensitive customer data,” the Finra letter noted.
The Finra letter said evaluation of such controls may take the form of examinations and targeted investigations.
In addition, the Securities Industry and Financial Markets Association is on high alert about cybersecurity. SIFMA in October released findings from a July 18 cybersecurity exercise called Quantum Dawn 2, which simulated a systemic cyberattack on the U.S. financial system.
In the exercise, 500 participants from 50 different financial groups ran through their response to a crisis, including how they would share information within the sector and within government agencies.
Karl Schimmeck, SIFMA's managing director of financial services operations, said that what makes cybersecurity so difficult is that the need differs from one firm to the next.
“Your threat profile is typically unique to your firm,” Mr. Schimmeck said. “Financial services is a network of small, medium and large firms, and we need protection at all levels. Each one can be a gateway into the system.”
He highlighted one glimmer of hope: financial firms' willingness to share with one another because cybersecurity is viewed as a noncompetitive topic.
The Financial Services Information Sharing and Analysis Center, a nonprofit group founded in 1999, now serves as the primary group for information sharing between the federal government and the financial sector. FS-ISAC, which has about 4,000 members, shares data about physical and cybersecurity threats and vulnerabilities to help protect critical U.S. infrastructure.
Similarly, the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security works to minimize operational risks in financial services.
Mark Clancy, managing director for technology risk management and chief information security officer of Depository Trust & Clearing Corp., whose firm is a member of both groups, said he sees nothing on the horizon that will change the growth curve for cyberattacks, because the financial sector has been productive for criminals.
Looking ahead, Mr. Clancy said that while DDoS attacks so far have made up the bulk of cybercrime against financial firms, the bad guys are figuring out new ways to strike.
“Unfortunately, criminals will start to figure out the broker-dealers,” he said. “When criminals start to understand the industry better, broker-dealers can expect to see more attacks. The key to remember is that on the other side of these attacks is a human. Humans innovate.”