Prep for ransomware attacks or be ready to pay the price

The recent string of ransomware attacks on multiple companies, including the attack by DarkSide on the Colonial Pipeline, highlights how crippling these types of cyberattacks can be on a business. 

Wealth managers, for one, make easy targets because they publicly release company assets under management, and hackers see that as an ability to pay a ransom, says John O’Connell, president and founder of The Oasis Group. Wealth managers also hold some of the most sensitive client data that directly connects to their finances — a potential gold mine for a cybercriminal. 

Work from home orders have played a role in the increase in ransomware attacks, O’Connell said, as employees work off free WiFi from their local coffee shop or at home with a network that is not entirely secure. 

Ransomware attacks — a type of cyberattack that threatens to publish the victim’s personal data or perpetually block access to it unless a ransom is paid — are on the rise. Attacks in the U.S. quadrupled in 2020, with three-quarters of the victims being small businesses who paid more than $350 million to pay ransoms, according to the Department of Homeland Security. 

On June 2, the White House sent out a memo urging corporate executives and business leaders to take immediate steps to prepare for ransomware attacks. 

Without the proper precautions and technology added to an adviser’s tech stack, ransomware attacks can be costly.  But the price for not paying the ransom in many cases can be much higher.

Take the city of Baltimore for example. During a ransomware attack in May 2019, the city had its servers largely compromised by a variant of ransomware. Baltimore did not pay what was a hundred thousand dollars in ransom. Instead, it lost $18 million fixing the issues created by the attacks, according to reports.  

RISKS FOR ADVISERS

The first step to understanding where an adviser falls into these potential risks is finding out where the liability lies if an attack happens, said Dan Bernstein, chief regulatory counsel at MarketCounsel. 

For example, if a ransomware attack were to hit a major custodian such as Charles Schwab Corp. or Fidelity Investments, the liability is spread across everyone from the financial institution, to the custodian, to the adviser. 

“Investment advisers cannot just say, ‘I use Schwab, they’re a really big institution so we thought it was cool,’” Bernstein said. “No, they need to do a little digging and get answers from Schwab on what the protections are. If they see problems, then they need to act on that.”

The protections different types of advisers need to have in place are fairly flexible depending on size of the firm, Bernstein said. The SEC allows flexibility and it does not expect that a small team is going to have the same protections in place as Merrill Lynch, because they’re very different institutions with very different risks, he said. 

“If you did due diligence, if you got reports, if you were able to see what they’re doing with regards to protection and they got hacked in some way or ransomware, the adviser is probably going to be OK and not responsible,” he said. 

While the SEC has not come up with a data protection rule that has any specifics, the regulator has been giving out guidance on cybersecurity across the board for years.

The problem with issuing a formal rule is the capabilities of evildoers may far surpass whatever rule the SEC puts in place within a matter of months. The expectation for advisers is the need to know what those bullet points protections are that the SEC wants to see put in place, said Bernstein.

Reputational risk is another factor that can cost an adviser their business and fines from regulators like the SEC and the Financial Industry Regulatory Authority for not following cybersecurity guidelines, O’Connell said. 

“Ransomware has evolved, too,” he said. “It’s not just the ransom that they’re trying to get to, but they’re saying, for example, if you don’t pay the ransom, they’ll sell your information out on the internet to the highest bidder on the dark web, or they’ll sell the fact that you are targeted so that short sellers can short sell your stock, which would put you in an even deeper hole.” 

WHEN AN ATTACK HITS

If an advisory firm is hit with a ransomware attack, the first step is to assess the damage with a focus on identifying the risk that will impact your clients, Bernstein said. 

“In the end, a regulator cares about the protection and ongoing support for your clients,” he said. “So, as a matter of course, you can’t just say to the SEC that you don’t deal with ransomware. You’ll have to do that assessment and make a determination of whether or not it’s in your client’s best interest for you to find a way to unlock that data.”

However, the most effective tip for any adviser is to be proactive rather than reactive to ransomware attacks. “Once you have been hit with ransomware, now you’re scrambling and you have none of the power,” Bernstein said.  

The key is staying up to date on all the risk alerts and guidelines the SEC puts out while educating and training employees to understand and dodge cyber attacks like phishing. 

If the SEC puts out a risk alert, it’s expected that RIAs are paying attention. When regulators come knocking on a firm’s door, advisers can’t just say: “Well, I didn’t know that!” Bernstein said. 

TECH STEPS IN

The first recommendation from O’Connell is to have a remote access policy in place that enables and educates staff on how to access systems from afar.

The second thing is to go through a training program with staff, get them to understand the risks of being on an unsecured WiFi network and teach them how phishing schemes work, O’Connell said. 

The larger RIAs out there, like the ones with billions of dollars in assets, may need to ramp up their tech stack beyond training and educational programs, said Mike Hallett, CEO of cybersecurity software CleverDome. 

Cybersecurity provider Cleverdome advertises some of the more robust protection out there. The Phoenix-based tech provider uses so-called military-grade tools to create disruptions in what would otherwise be just a packet of data that is transmitted through the internet. 

By turning the data into fractions or almost slicing it up into little puzzle pieces as it’s transmitted through the internet, hackers have a much harder time capturing all the pieces to the data packet, said Hallett. If there’s a puzzle piece missing, the data is no longer useful to an attacker. The average demand for payment is around $8,700 for each incident, Hallett said. 

“The advisory firms need to have the same technology on the same level of sophistication that the custodians, large broker-dealers and the vendors like Salesforce may have,” Hallett said. 

For an adviser who doesn’t take advantage of that, they’re leaving themselves very exposed,” he said. 

Related Topics: Cyber Attacks, Cybersecurity