Wealth management firms are alarmingly weak on data security. Ironically, it is human vigilance that often keeps the digital crooks at bay.
Wealth management firms have embraced the efficiencies of technology like everyone else. Yet these firms should adhere to a much higher bar of security than others, given the personal financial information they have access to.
But a PricewaterhouseCoopers’ 2012 Global State of Information Security Survey found an alarming trend: Security incidents for financial service firms last year rose slightly for all respondents, and doubled for firms who had experienced 50 or more security breaches.
What’s more, the survey found that financial firms are deferring, or cutting back completely, budgets for data security.
“Privacy and confidentiality are the foundations of our business,” said Steve Prostano, chief executive of Silver Bridge Advisors, a Boston-based family office with approximately $2 billion in assets under management. “If you lose the trust of the client, you lose everything.”
Case Study: Imposters Target Family Office
The horror stories are becoming all too familiar. Last year, the Midwest-based money manager of a prominent northeastern family office got a call from a client who requested his family’s accounts be closed and the money wired to another institution. He had all eight account numbers, as well as passwords and personal identification numbers.
Suspicious, the money manager stalled for time by claiming the firm’s computer system was down. The firm called Risk Control Strategies, a New York-based company specializing in security for high-net-worth family offices.
RCS found a “key logger,” malicious spyware that monitors keystrokes and sends the information to another computer, was secretly installed on both the family office’s computers as well as the family member’s personal laptop. The security team conducted a full vulnerability assessment of the family office, found other weaknesses, and put in place new patches and procedures before any harm was done.
Vigilance is key, both online and off. “It can start with the receptionist, who should know that someone coming in the office to deliver flowers could be a hacker who wants to get into the server room,” said RCS’ chief executive officer Paul Michael Viollis Sr.
The client’s own computers or devices can become a vulnerability. Firms like Silver Bridge actually convinced clients to come to an event at the Boston Public Library to teach them about security precautions. “We can have the best protection possible at the office, but if the client’s personal security is compromised, it doesn’t matter,” Prostano said.
Kenneth Rashbaum, principal of an eponymous law firm specializing in information security and compliance, suggests firms do the following:
· Perform an assessment of their current safeguards by an internal committee.
· Bring in outside technology specialists to review areas like record management.
· Consider hiring an information security officer.
· Have access to legal counsel for guidance.
Employees who deal with data should be included in any review, he added. “They are the ones who will be implementing any new security procedures on a day-to-day basis, and there’s nothing worse than a policy nobody follows.”
Firms should also be sensitive to internal fraud, said Shawn Connors, a PricewaterhouseCoopers principal specializing in information security and technical risk management services for financial firms.
Employees who can access confidential information don’t necessarily need to steal the client’s money. “By knowing what kind of investments the client has, they can sell the information to swindlers who can approach the client with deals that appeal to their investment preferences, or even to legitimate competitors who can offer the client a better deal on the same products.”
Budget and Buy-In
According to Viollis, “the vast majority” of wealth management firms aren’t doing nearly enough to protect their clients. “We’ve yet to encounter a firm that is conducting thorough background investigations on employees and the contractors that have access to their families,” he said.
To get started, a vulnerability assessment for a wealth management firm can range from about $7,000 to more than $15,000, according to Viollis. But spending any additional money on information security is “the last thing in the world a run-of-the-mill wealth management firm wants to do,” Connors said.
Money and buy-in at the top are the main culprits. “Executives in the C-suite have to make information safeguards and security a core competency and core value at the firm,” Rashbaum said. “The problem is that data security is not viewed as a revenue center. But in fact in this digital age it has become a business imperative.”
The cost of information security at most financial service firms averages about 6 percent to 7 percent of the overall IT budget, yet only a bit more than half that for independent wealth management firms, Connors estimates.
“In my mind, it’s the true definition of penny-wise and pound foolish,” Rashbaum says. “If you don’t have the right security, you risk losing money, losing the confidence of your clients and being exposed to class-action lawsuits. And the bad guys are coming up with new bugs every day.”