According to cybersecurity experts, the WannaCry ransomware attack in May was “brilliantly written” but poorly executed. And like Commander Ramius said after a failed torpedo attack in “The Hunt for Red October,” perpetrators “won’t make the same mistake twice.”
On the contrary, attackers are sharpening their blades.
Unlike the early days of cyberattacks — a mere five years ago — when firms focused on preventing mostly inconvenient software viruses, today’s attacks set off severely damaging repercussions, including extortion, fraudulent wire transfers and the theft or sale of personally identifiable information. Regulators and cyber experts cite an increase in the number and severity of cyber crimes and say this trend may continue.
“Every financial business with employees and clients — which is to say every financial services firm — needs to be aware that WannaCry is just a symptom of a much bigger scourge,” agrees Michael Brice, founder of cybersecurity consultancy BW Cyber Services, which recently partnered with my firm. “We expect to see far more attacks that will be far worse.”
Some cyber events are existential threats that can close a business overnight. Last year, for instance, a cyberattack against one of the world’s largest fund administrators resulted in a series of fraudulent wire transfers that cost a commodity pool operator (CPO) nearly $6 million in assets. This resulted in a suspension of business from which the CPO was unable to recover. The CPO and administrator are in protracted litigation, the former purportedly faulting the latter for insufficient cyber controls.
As indicated in their 2017 Priority Letters, both the Securities and Exchange Commission and the Financial Industry Regulatory Authority have made cybersecurity a top enforcement priority this year.
Yet while cybersecurity represents a real and present danger to the industry, the majority of breaches are handled without being publicized. Thus, there’s a widespread awareness problem, and breaches that come to light may not accurately represent the pervasive threat. Adds Brice: “The dirty little secret is that one in four asset managers have been the victim of some form of cyberattack. Because those breaches are kept tightly under wraps, the vast majority of firms are unaware of the scope and severity of the problem.”
Implementing a formal cybersecurity plan along with rigorous technical and operational controls is crucial to combating cyber crime, says Doug Preveza, Director, Alaric Compliance. Prior to joining Alaric, Preveza worked with an investment advisor that encountered a breach similar to WannaCry. Someone at the firm clicked a link in an email that delivered ransomware, which encrypted the firm’s server. Even with fewer than 50 employees, the firm had compliance controls such as nightly backups in place, so, fortunately, it lost only a day’s worth of work.
Registered financial firms must implement these kinds of controls, along with a formal cybersecurity policy, signed by a principal or senior executive of the firm, and reviewed on at least an annual basis. This policy should outline the following activities, performed on an ongoing basis — instead of after an attack:
- Training and Education
- Technical Security Control Assessment
- Cyber Risk Assessment
- Critical Third Party Assessment
- Incident Response Plan
In the absence of a cybersecurity program and strong commitment from management to adhere to it, breaches can happen more easily. When they do, senior management must try to identify the source of the problem. “A firm must have the right corporate culture prior to a breach, because like any other operational issue, a cyber breach can quickly become a blame game,” Preveza explained.
In addition to the obvious reputational impact, the equally significant financial impact of legal, cyber forensic, and remedial efforts tends to consume every organization after a breach becomes public.
Indeed, if an SEC-registered firm falls victim to a cyberattack, the firm is at risk on numerous costly fronts: 1) the registrant can lose firm and client data and assets; 2) the firm can be charged and fined by regulators for noncompliance with relevant cybersecurity rules, such as Reg S-P and Reg S-ID; 3) the firm can be sued by investors for loss of their data; and 4) the firm’s bottom line can be irreparably damaged.
On the other hand, firms with a solid cybersecurity plan can mitigate the repercussions of a breach and rebound more quickly. In the event of an attack, proper planning goes a long way for registrants, which may hope for the best but must plan for the worst. Even if attackers succeed, having a comprehensive cybersecurity plan in place allows firms to provide tangible evidence that they were doing everything possible to reduce risk for the firm and its clients.