Robert Masse is used to giving out cybersecurity advice to investment firms, but last month he had to tackle a particularly strange incident. Masse, a partner in enterprise risk services at Deloitte LLP in Montreal, recounted an incident about a wealth-management company that had unwittingly sent $500,000 to an online scammer.
The cybercriminal had compromised the email systems used by the wealth-management company's institutional client, and had silently trawled through the company's email history, understanding how the firm operated and who it spoke to.
When the time was right, the scammer had pounced, sending to the wealth-management firm an email that appeared to be from the client. The email instructed the company to transfer half a million dollars to a bank account. Because the client, a wealthy institution, frequently made such requests, it didn't seem out of the ordinary.
"They executed, because it seemed legitimate, and now the wealth-management company realized a little into the process that it was false, and now they're trying to get the money back, but the money's gone," says Masse, who can't name the firm involved.
Such scams are becoming more commonplace, and they're a symptom of an increasingly money-driven criminal community. Cybersecurity is now a top priority for financial services sector regulators, with several issuing specific warnings and guidelines in the past year. As a result, financial advisors and their firms are under increasing pressure to ensure that their digital security is rock solid. Mark Nunnikhoven, vice president of cloud research at security firm Trend Micro Inc. in Ottawa, explains that criminals follow the money, finding the most profitable attack vectors and then sticking with them.
"[The hackers] are doubling down on their investments in these areas, because they're making money hand over fist."Nunnikhoven says. "They're not experimenting with the next greatest thing so much as maturing these techniques."
For this reason, while business email compromise scams like the one Masse describes may be happening, the biggest money maker is still ransomware. This malware infects computers and then encrypts files, rendering them inaccessible and has become one of the most common attacks in the past year. Victims are forced to pay a fee, typically in the untraceable cryptocurrency bitcoin, to unlock them. Even then, there's no guarantee that this will always work. Should they pay?
"In our experience, paying is just temporary," says Masse, who points out that crooks may simply not keep their side of the bargain. "Even if they're true to their word, someone else can get in, and the second person may not be."
Nunnikhoven adds that, although criminals are sticking with ransomware as a concept, it's becoming increasingly targeted toward high-value organizations. "As early as 2015, we tracked targeted malware campaigns against Canadian financial services companies," he says.
Backups have traditionally been the answer to ransomware, because they enable companies to recover saved versions of data, but financial advisors must be sure to understand the concept properly. Simply replicating files to an online file-sharing service in real-time may not be adequate, because if malware scrambles your files, it will cause the replicated ones to be scrambled, too.
Some professional online file replication services such as Dropbox's premium accounts store multiple versions of a file over time so that users can recover an earlier version of a file that they were working on. This might be useful, but it's still risky, Nunnikhoven says: "We're starting to see ransomware that's looking at how to address that." Some smarter ransomware programs will deliberately save multiple encrypted versions of a file, causing file storage services to simply forget the unencrypted versions.
Ransomware criminals are also becoming increasingly creative and devious. To persuade victims to pay up quickly, the "Jigsaw" ransomware strain counts down to a point when files simply cannot be retrieved, increasing the ransom at set points along the way. Another strain, "Popcorn Time," lets victims off the hook and restores their files - so long as they share a link to the malware enough times to dupe at least two of their contacts into installing it.
Perhaps one of the biggest evolutions in ransomware is yet to come. Nunnikhoven believes that the attacks will morph, so that instead of threatening not to restore your data, cybercriminals will steal it and threaten to publish it to the world. This could be particularly damaging for financial services companies dealing in investment advice and wealth management.
In these cases, backups are certainly important but they're not going to solve the problem that someone else has your data. What might help?
Encryption is one possibility. Complementing backups by encrypting data on your hard drives with encryption keys that only you have access to will render any stolen data unusable by attackers. However, it's important to keep those encryption keys backed up in a safe place, lest you lose them and deny yourself access to your own data. Experts recommend the BitLocker system built into Windows, or BestCrypt, from Finland.
These measures may help to prevent people encrypting or stealing your files, but what is to be done about business email compromise attacks such as the one Masse saw?
Several regulators have recently published guidelines to help financial services companies bolster their cybersecurity. Both the Investment Industry Regulatory Organization of Canada (IIROC) and the Canadian Securities Administrators (CSA) highlighted cybersecurity as a key priority last year. IIROC released a best practices guide and an incident management planning guide last year, and in October it announced that it would begin giving regulated firms individual report cards assessing their cybersecurity.
These and other guides were referenced in CSA Staff Notice 11-332 on cybersecurity, published last September, which replaced a staff notice from three years prior. It instructed securities commissions to follow best security practices as laid out in these documents.
Regulated entities that don't follow these mandates risk repercussions when things go wrong, warns Bradley Freedman, a partner at law firm Borden Ladner Gervais LLP in Vancouver.
"When there's a problem and there's a question about whether these organizations or their management have fulfilled duties of care, this guidance is there and will be considered as establishing benchmarks and standards of reasonable care that organizations ought to fulfil," he says.
Technologies such as anti-malware are useful for financial advisors securing their networks, but incidents like the business email compromise scam experienced by Deloitte's client illustrate a need for more than just technical solutions. Freedman highlights the need for better security processes. "The solution to this issue is not [purely] a technology solution," he says, arguing that most security incidents happen because of what people do, either through intentional misconduct or inadvertent error. "It's all about technology, people and processes."
The regulatory community's increasing focus on cybersecurity highlights a growing concern that clients and their financial advisors are likely targets for financially motivated attackers. How employees behave - and how well educated they are - is just as important here as the protective software that makes its way onto a hard drive.
STANDARDS OF CARE
Protecting client data from cyber threats can be a daunting and confusing process. Regulatory guidelines provide some top-level guidance. Here is a selection of tips, condensed and edited from CSA Staff Notice 11-332 on the topic:
- Make senior executives accountable for cybersecurity governance.
- Organize cybersecurity awareness programs for employees.
- Analyse the cybersecurity risks and determine your risk tolerance.
- Audit your third-party service providers to assess their cybersecurity readiness, and determine if they put your organization at risk.
- Determine a plan for protecting client privacy and reporting any sensitive data breaches to the appropriate authorities.
- Prepare a cybersecurity incident response plan so that you can hit the ground running in the event of a data breach.
- Continually review your cybersecurity plans and procedures to cope with new and emerging threats.
Tech Tips: Making the most of the tools that drive your business
© 2017 Investment Executive. All rights reserved.