WannaCry is a cyber wakeup call for wealth management firms

by AM admin on June 20, 2017

By Thomas J. Holly, US Asset & Wealth Management Leader –

Wake-up calls are generally never pleasant. From the mundane (travelling) to significant events (fill in the blank), they’re oftentimes necessary and lead to a much stronger outcome.  Getting there, though, is a journey.  It’s never easy—it’s tough, it’s constantly evolving and it’s expensive—but the alternative is even more painful to contemplate.

The WannaCry attack should be a wakeup call for wealth managers that should force them to re-think their cyber portfolio.

Beginning May 12th, a cryptoworm targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. Once a computer on a network was infected, it subsequently replicated across the network using a Windows file sharing vulnerability allegedly from the NSA and made public by the Shadow Brokers. This represents an escalation in the capability of hackers who now have access to new and potentially more effective tools.

For wealth management firms, it’s also a call to action. It means paying closer attention to their Financial Advisors (FAs), as the branch office and independent FAs are particularly vulnerable to slow patching and end of life hygiene.  And it also means that it’s no longer OK to exclude an independent wealth adviser from the cyber boundary, as their computers retain the company’s—and, more importantly, the client’s—data.

While WannaCry didn’t target asset and wealth managers directly, the objective is arguably still the same: data and money. What if an attack manifested itself when a FA received an urgent email from what appeared to be a new client with a new account form as an attachment?  How many would open it?  The attack’s deviousness lies in its simplicity, as just one person on the network needs to fall victim. Question for consideration: So, what if these schemes evolve to the point where no one even needs to click on the email?

What we’re seeing now is an evolution in sophistication and a need to look for vulnerabilities across the enterprise and with partners that could be exploited. WannaCry, in particular, is ransomware, which encrypts desktop files. The stolen information can be recovered from the core systems—in a process that takes weeks—but it is not the worst case scenario, what if the information was disclosed? What might a client think about internal emails, texts and other messages about them if they were released? Question for consideration: What if the software didn’t announce itself, but attempted to harvest trading models, corrupt data or just spy on trades?

WannaCry was also demonstrated hacker’s ability to quickly adapt and evolve. When attacks are thwarted, attackers are able to update their software in just hours or days. Question for consideration: What if you thwarted one attack, only to experience another more sophisticated and more damaging version hours later. Would you be ready? How long does it take you to roll out patches to your environment?  

While major IT Vendors usually try to provide patches for current version of the software, the update has to be deployed to protect you. These assets need to be regularly patched, and even quarterly updates are not good enough.  Question for consideration: How many financial advisers are running the latest, or even just a supported version of all of the OSes and software they run?  When was the last time the fax machine and printer firmware last updated? How many of your independent financial advisors are up-to-date?

While there are no perfect answers and any response will need to be tailored to your organization, here are a few things wealth managers can start today to improve your odds during the next attack:

  • Educate & Inform: Develop targeted programs for FAs and employees / partners to reduce their vulnerability to phishing and develop tools to warn them when they are talking with a new party.
  • Protect & Detect: Evaluate email and web monitoring systems for additional protections against malware. For partners, provide these services as part of a bundle or educate them on available services to decrease this risk.
  • Update: Dust off your digital hygiene programs, plan to keep your operating systems and software up to date. Plan and prepare for when a patch may need to be installed in hours, not days. Prioritize the exit of end of life software and OSes from the environment.
  • Plan: In addition to your internal cyber plans, have a communication plan for your advisors and partners in place for the next attack.
  • advisors and partners in place for the next attack.

Unfortunately all of this takes time and resources. But when making the case ask the following questions to calibrate your spend:

  • What’s the financial and reputational ramifications if your firm lost a family office client or relationship with some of your top producing financial advisors as a result of a cyber attack?
  • What if client data was stolen, tampered with or trade data monitored rather than just being ransomed or destroyed in place?
  • What do you think the odds are of a future cyber attack?

An ounce of prevention is worth a pound of cure—and beats getting an even more unpleasant wake-up call.

Additional PwC content can be found in our Strategy + Business, “Cybersecurity after WannaCry: How to Resist Future Attacks,” and our Global State of Information Security Survey 2017.

Print Friendly, PDF & Email

Previous post:

Next post: