Prep for ransomware attacks or be ready to pay the price

Prep for ransomware attacks or be ready to pay the price
Ransomware attacks in the U.S. increased 300% in 2020 and cost victims $350 million. Advisers make easy targets because they publicly release AUM and hold some of the most sensitive client data that directly connects to their finances.
JUN 30, 2021

The recent string of ransomware attacks on multiple companies, including the attack by DarkSide on the Colonial Pipeline, highlights how crippling these types of cyberattacks can be on a business. 

Wealth managers, for one, make easy targets because they publicly release company assets under management, and hackers see that as an ability to pay a ransom, says John O’Connell, president and founder of The Oasis Group. Wealth managers also hold some of the most sensitive client data that directly connects to their finances -- a potential gold mine for a cybercriminal. 

Work from home orders have played a role in the increase in ransomware attacks, O’Connell said, as employees work off free WiFi from their local coffee shop or at home with a network that is not entirely secure. 

Ransomware attacks -- a type of cyberattack that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid -- are on the rise. Attacks in the U.S. quadrupled in 2020, with three-quarters of the victims being small businesses who paid more than $350 million to pay ransoms, according to the Department of Homeland Security

On June 2, the White House sent out a memo urging corporate executives and business leaders to take immediate steps to prepare for ransomware attacks. 

Without the proper precautions and technology added to an adviser’s tech stack, ransomware attacks can be costly.  But the price for not paying the ransom in many cases can be much higher.

Take the city of Baltimore for example. During a ransomware attack in May 2019, the city had its servers largely compromised by a variant of ransomware. Baltimore did not pay what was a hundred thousand dollars in ransom. Instead, it lost $18 million fixing the issues created by the attacks, according to reports.  

RISKS FOR ADVISERS

The first step to understanding where an adviser falls into these potential risks is finding out where the liability lies if an attack happens, said Dan Bernstein, chief regulatory counsel at MarketCounsel

For example, if a ransomware attack were to hit a major custodian such as Charles Schwab Corp. or Fidelity Investments, the liability is spread across everyone from the financial institution, to the custodian, to the adviser. 

“Investment advisers cannot just say, ‘I use Schwab, they're a really big institution so we thought it was cool,’” Bernstein said. “No, they need to do a little digging and get answers from Schwab on what the protections are. If they see problems, then they need to act on that.”

The protections different types of advisers need to have in place are fairly flexible depending on size of the firm, Bernstein said. The SEC allows flexibility and it does not expect that a small team is going to have the same protections in place as Merrill Lynch, because they're very different institutions with very different risks, he said. 

“If you did due diligence, if you got reports, if you were able to see what they're doing with regards to protection and they got hacked in some way or ransomware, the adviser is probably going to be OK and not responsible,” he said. 

While the SEC has not come up with a data protection rule that has any specifics, the regulator has been giving out guidance on cybersecurity across the board for years.

The problem with issuing a formal rule is the capabilities of evildoers may far surpass whatever rule the SEC puts in place within a matter of months. The expectation for advisers is the need to know what those bullet points protections are that the SEC wants to see put in place, said Bernstein.

Reputational risk is another factor that can cost an adviser their business and fines from regulators like the SEC and the Financial Industry Regulatory Authority for not following cybersecurity guidelines, O’Connell said. 

“Ransomware has evolved, too,” he said. “It's not just the ransom that they're trying to get to, but they're saying, for example, if you don't pay the ransom, they'll sell your information out on the internet to the highest bidder on the dark web, or they'll sell the fact that you are targeted so that short sellers can short sell your stock, which would put you in an even deeper hole.” 

WHEN AN ATTACK HITS

If an advisory firm is hit with a ransomware attack, the first step is to assess the damage with a focus on identifying the risk that will impact your clients, Bernstein said. 

“In the end, a regulator cares about the protection and ongoing support for your clients,” he said. “So, as a matter of course, you can't just say to the SEC that you don't deal with ransomware. You'll have to do that assessment and make a determination of whether or not it's in your client's best interest for you to find a way to unlock that data.”

However, the most effective tip for any adviser is to be proactive rather than reactive to ransomware attacks. “Once you have been hit with ransomware, now you're scrambling and you have none of the power,” Bernstein said.  

The key is staying up to date on all the risk alerts and guidelines the SEC puts out while educating and training employees to understand and dodge cyber attacks like phishing. 

If the SEC puts out a risk alert, it’s expected that RIAs are paying attention. When regulators come knocking on a firm's door, advisers can’t just say: “Well, I didn't know that!” Bernstein said. 

TECH STEPS IN

The first recommendation from O'Connell is to have a remote access policy in place that enables and educates staff on how to access systems from afar.

The second thing is to go through a training program with staff, get them to understand the risks of being on an unsecured WiFi network and teach them how phishing schemes work, O’Connell said. 

The larger RIAs out there, like the ones with billions of dollars in assets, may need to ramp up their tech stack beyond training and educational programs, said Mike Hallett, CEO of cybersecurity software CleverDome

Cybersecurity provider Cleverdome advertises some of the more robust protection out there. The Phoenix-based tech provider uses so-called military-grade tools to create disruptions in what would otherwise be just a packet of data that is transmitted through the internet. 

By turning the data into fractions or almost slicing it up into little puzzle pieces as it's transmitted through the internet, hackers have a much harder time capturing all the pieces to the data packet, said Hallett. If there’s a puzzle piece missing, the data is no longer useful to an attacker. The average demand for payment is around $8,700 for each incident, Hallett said. 

“The advisory firms need to have the same technology on the same level of sophistication that the custodians, large broker-dealers and the vendors like Salesforce may have,” Hallett said. 

For an adviser who doesn't take advantage of that, they're leaving themselves very exposed,” he said. 

Putting a price tag on ransomware attacks

Latest News

Finra board chair Noll takes the lead as CEO of digital wealth firm
Finra board chair Noll takes the lead as CEO of digital wealth firm

Industry veteran says digital transformation is firm's big opportunity.

Despite political polarization, most Americans are united on retirement concerns
Despite political polarization, most Americans are united on retirement concerns

Protecting Social Security and other key priorities revealed.

Raging Milton to mean substantial losses for cat bond investors
Raging Milton to mean substantial losses for cat bond investors

Hurricane is expected to cause severe disruption in Florida.

Citi insists industry is 'not the bad guys' in lawsuit pushback
Citi insists industry is 'not the bad guys' in lawsuit pushback

Electronic payment operations at risk from New York state claims.

Greenback bounceback as jumbo Fed cuts look less likely
Greenback bounceback as jumbo Fed cuts look less likely

US dollar headed for its best winning streak in more than two years.

SPONSORED Destiny Wealth Partners: RIA Team of the Year shares keys to success

Discover the award-winning strategies behind Destiny Wealth Partners' client-centric approach.

SPONSORED Explore four opportunities to elevate advisor-client relationships

Morningstar’s Joe Agostinelli highlights strategies for advisors to deepen client engagement and drive success