Know the cyberrisks to thwart them

There's more to cybercrime than stealing client data, such as reputational risks to your brand

(Excerpted from The Socially Savvy Advisor + Website: Compliant Social Media for the Financial Industry by Jennifer Openshaw, Wiley, 2014)

Cybersecurity has become a buzzword, and it’s serious business in financial services. “Levels of cyberrisk that might be fine if you’re selling dish soap can create enormous headaches for the financial services sector,” says Ed McNicholas, partner at Sidley Austin and co-leader of the law firm’s privacy, data security and information law practice.

Cybercrime is the illegal collection or use of data for financial gain. Data provides access to bank, credit card and other financial account information that can be resold or used for identity theft. For other criminals, it might just be an attention-getting move to demonstrate their hacking skills. These are called hacktivists; they act either to disrupt a business or to audition for some greater crime in which they can participate.

“Originally they attacked through email and networks directly,” says Blane Warrene, a technology expert and co-founder of the social media archiving service Arkovi. “But now, with so many digital channels, being able to insert malware quietly offers them opportunities to create, in essence, a tunnel to ferret out this data.”

And it’s not just data at risk. How about your brand? That’s right. A wave of attacks can disrupt your business and tarnish your brand publicly.

PricewaterhouseCoopers found that the industry is spending 50% more in 2014 on cybersecurity. Likewise, Deloitte estimates that U.S. financial services firms lost on average $23.6 million from cybersecurity breaches in 2013 — the highest average loss across all industries the consulting firm tracks.

IMPLICATIONS FOR ADVISERS AND ORGANIZATIONS

Let’s look at it from a financial adviser’s perspective.

“Bad actors or hackers often look to individuals’ devices — from computers to smartphones and tablets — as a way into larger networks,” Mr. Warrene points out.

A social media account can be hacked, but the greater concern is that the breach may give the attacker access to the device its owner uses to log in to that account.

Access to the device can in turn lead to intrusions into business networks, leaking confidential data or, worse, infecting many other systems on that network.

For an individual responding to an attack, it is essential not only to recover your account through the procedures the social network provides, but also to have your device(s) analyzed to ensure no remnants of the attack are sitting dormant, waiting for later use.

From an organizational perspective, firms need to consider:

• How they will provide access to social networks.

• How they will manage the publishing workflow and handle engagement with those posts.

• Detailed procedures for securing networks and individual devices, including heuristic approaches for detecting malware and attacks that are not yet publicly known.

• Recovery procedures for handling widespread compromise.

A CLOSER LOOK AT THE RISKS

“Professionals have a duty to use robust security against both insider and outsider threats,” Mr. McNicholas said.

As an example, when social media profiles reveal too much information, they can be used for social engineering or, worse, to compromise client data. And the reverse can happen: An employee venting on Facebook that he must cancel his weekend plans because the “big deal” in the office must close by Tuesday can be devastating when The Street gets wind of it.

The Federal Financial Institutions Examination Council places the potential risks into three general categories: compliance and legal risks, reputation risks and operational risks. Here’s what the agency says:

Compliance and legal risks. Compliance and legal risks are the possibility of enforcement actions and/or civil lawsuits arising out of a financial institution’s use of social media. Most regulations, consumer financial protection rules and other laws do not provide exemptions where social media is used.

Reputation risk. There’s also the reputational risk arising from negative public opinion in connection with the use of social media.

Operational risk. Operational risk is defined as risk of loss from inadequate or failed processes, people or systems, which can arise from a financial institution’s use of information technology, including social media. Social media use makes firms particularly vulnerable to malware and account takeover, and it needs to be included in the firm’s security incident response procedures.

WHAT FINRA AND THE SEC SAY

Both the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc. released cybersecurity guidance in 2014, setting the tone for examinations and how advisers and firms should set their priorities. At a higher level, the regulators are looking at:

• The security of devices (computers, phones and tablets) and networks

• How client data is handled and protected

• The adequacy of written supervisory procedures, including a focus on incident handling

• How business continuity will provide a recovery path from a security incident

• Whether firms are acquiring cyber-specific insurance coverage

Finra, through its January 2014 Examination Letter, says it’s attempting to understand:

• The types of threats

• Where vulnerabilities may exist within firms

• Firms’ existing approaches to cybersecurity risks

• Ways to share observations and findings with firms

In April 2014, the SEC held a cybersecurity roundtable in which Chairwoman Mary Jo White underscored the “compelling need for stronger partnerships between the government and private sector” to maintain the integrity of the markets and protect customer data.

The SEC also announced it would be conducting examinations of 50 broker/dealers and RIAs to further understand, among other things, an entity’s cybersecurity governance, assessment of risks, and protection of networks and information.

In short, regulators are trying to understand where the gaps are and how to address them going forward.

THREE HACKER THREATS

The growing sophistication of technology is accompanied by the danger that tech poses when it’s in the hands of sophisticated and unscrupulous people.

What are the kinds of cybersecurity risks advisers might face when operating in the social media world?

Mr. Warrene says attacks break down into three basic groupings, from obvious to subtle:

1. The malware link. You’ve probably gotten a direct message from a friend on Twitter. It says: “Check this out!” And you’re wondering: “What is this?” This is a malware link: a link that, if you follow it, leads to something malicious, such as a virus that can surreptitiously load onto your device. Often the goal is to remain undiscovered rather than to destroy anything on your device. Other times it’s more sinister. Unwitting people have these bots running in the background of their computers, either collecting information or reaching other computers.

2. The alluring follower. Let’s say you discover a follower who appears to have huge influence, with millions of followers of his or her own. The follower offers a catchy message and a link. You think, “Oh my gosh, I’ve arrived on Twitter!” Yet common sense dictates that only a fraction of people have that kind of following on Twitter. These followers’ links are efforts to infect your devices.

3. Direct hacks. An effort to directly hack your system is usually done by what is called a brute force attack. This is where the hacker uses software to try many variations of logins to eventually guess the right way in. The attacks often employ credentials stolen from the victims.

Common sense will keep attackers at bay in the first two cases. In the third case, direct hacks of your social accounts can be defended against through two-factor authentication and using a unique password on each account. The two-factor authentication — available in the settings function of nearly all social media platforms — adds a step to logging in and hampers remote hacks. Generally, once you’ve entered your username and password, a text message is sent to a mobile device of your choice, and that code is required to finish the login.
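An added example (not from the book or from Mr. Warrene) of the two-step login the paragraph describes: the password clears only the first step, the one-time code stands in for the text message and is single use, and repeated wrong passwords lock the account. The six-digit code format, the five-attempt lockout and the PBKDF2 password hashing are assumptions, not something the text specifies.

```python
import hashlib
import hmac
import os
import secrets

LOCKOUT_THRESHOLD = 5  # assumed policy: wrong passwords allowed before the account locks


class Account:
    """Minimal account record: salted password hash plus second-factor state."""

    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.failed_attempts = 0
        self.pending_code = None  # one-time code waiting for the second step

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def first_factor(self, password):
        """Step 1: username + password. On success returns the six-digit code that
        would be texted to the owner's phone (returned directly here so the flow
        runs offline). Returns None on a wrong password or a locked account."""
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            return None  # locked: repeated guessing is cut off here
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            self.failed_attempts += 1
            return None
        self.failed_attempts = 0
        self.pending_code = f"{secrets.randbelow(10**6):06d}"
        return self.pending_code

    def second_factor(self, code):
        """Step 2: the code from the phone. Single use: it is cleared whether or
        not it matches, so one wrong guess cannot be followed by more guesses."""
        expected, self.pending_code = self.pending_code, None
        return expected is not None and hmac.compare_digest(code, expected)


def login(account, password, get_code):
    """Full two-step login. get_code is handed the issued code the way the owner's
    phone would be; anyone who cannot see that phone cannot finish the login."""
    issued = account.first_factor(password)
    if issued is None:
        return False
    return account.second_factor(get_code(issued))
```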

WARD OFF RISKS

The bottom line is, if hackers find devices that are unprotected, they have a path to valuable information that ultimately grants access to client accounts.

So, how do you protect against it? Surprisingly, experts agree that even some of the most fundamental moves to protect you, your firm or your clients are not in place at the firm or individual level. Here are some steps that Mr. Warrene suggests firms take:

Lock and encrypt computers. Both the SEC and Finra are examining cybersecurity techniques. On a Mac, you can turn on FileVault so that it encrypts data. On a PC, you can use PGP Encryption from Symantec, among others. For smaller advisers, BitLocker is included in Windows 8 for free. With all of these tools, you’re protected when your computer is off and at rest. So, if you’re at Starbucks grabbing a cup of coffee and someone walks off with your computer, chances are they’ll close the computer and put it under their arm, triggering the encryption. They’ll get the computer but not your data.

Enable anti-virus software. Use anti-virus software enabled for automatic updating and automatic scanning as well as automatic quarantine.

Use a password manager. A password manager, such as 1Password, LastPass or RoboForm, should be a requirement. These provide centralized management of usernames and passwords and allow individuals to securely sync passwords across devices. Avoid keeping password notebooks or Excel files.

Mix passwords. As noted above, use unique passwords on each of the social media sites. While this might be painful, the peace of mind may be worth it. Also consider changing your passwords twice a year.

Create a customer feedback loop. It’s surprising the number of financial firms that do not have an easy way for customers to communicate online about some issue or breach. Consider a message in statements or online directing consumers to alert leaders to possible cybersecurity threats.

Protect smartphones and tablets. These devices also need clear protection, including passwords, required use of a VPN service to encrypt your WiFi connection, and activation of the “FindMe” capability, which allows you to locate that lost or stolen phone and possibly destroy the data.

THE FUTURE

With the increased use of social media and the focus on cybersecurity by regulators, what’s next? Among the biggest shifts — and debated issues — is the move to the cloud.

While many in the financial industry view data and website hosting in the cloud as risky, others say the old-fashioned methods pose more risk.

At some point, Mr. Warrene said, “even large institutions won’t have full control of all aspects of what they are responsible for, and security risks will be tiered — from individual devices to corporate networks and ultimately to the cloud — which means Apple, Amazon, Google, Microsoft, as well as players like Oracle.”

As biometrics emerge, rules and regulations will evolve. For example, passwords are considered protected speech while fingerprints are not.

As we shift from computers to tablets to potentially wearable and interactive computing for business, what risks and liabilities will emerge? If we authenticate through, say, a retinal scan, and a criminal compromises that method, will they have deeper access than ever before?
