Larry Passaretti received an email from the adult child of a long-time client, telling him of a change in address. Run of the mill, but something about this particular email seemed off. He called the client. Their child was out of the country, and no, he wasn’t contacting his parents’ advisor. So what was it? A phishing attempt by a would-be cyber thief.
Even with data protection software and layers of security from his broker/dealer and technology providers, Passaretti is the front line when it comes to protecting his clients from hacking attempts on their data — and their financial resources. After all, it something goes wrong, it’s likely clients will hold him accountable.
“As a fiduciary you have to take that step,” says the Holbrook, NY.-based founder and managing partner of PPS Advisors. “You have to keep thinking one step in front of what could happen.”
What’s going on in the industry today is full-scale war on financial service companies and institutions all over the world. Multiple incidents occurred in 2012, which included denial of service (DoS) attacks that have affected firms including Wells Fargo, Citigroup, JPMorgan Chase and Bank of America Corp among others. These threats continue, with a major “event” happening about once a month, according to Joe Nocera, leader of the Financial Services IT Security and Risk Practice for Pricewaterhouse Coopers.
But beyond an inconvenience and a problem for the technology team to worry about — these attacks spread concern among investors who question the security of their funds and their data at these institutions, even if they don’t always voice them with their reps. Hearing about these incidents erodes trust.
And there is real reason for their concern. Of those individuals who received letters notifying them of a data breach in 2012, 23% also became victims of fraud, according to a 2013 report from Javelin Strategy & Research. And 37% of known data breaches stemmed from financial organizations, according to Verizon’s 2013 Data Breach Investigation Report.
“Over the last nine months to a year we’ve seen a number of denial-of-service attacks to the sector,”says Karl Schimmeck, SIFMA’s vice president of financial services operations on the recent exercise. “We’ve been very specifically targeted by a group that has significant capability. It’s caused a number of disruptions and firms have spent a number of resources to mitigate them.”
More than 140 attacks hit Wall Street alone over a six-month period, Gen. Keith Alexander, who runs the Pentagon’s new U.S. Cyber Command told a House Armed Services Committee in March. And groups including SIFMA have elevated their stance on the fact that financial services firms need to be educated on threat levels — and also trained on how to handle the ongoing assault.
“I think financial services … have invested a significant amount of time and money and have gotten better,” says Pricewaterhouse Coopers’ Nocera. “At the same time the threat landscape has changed so rapidly they need to do more.”
Arms Race
Andy Zolper likens it to an arms race. As the senior vice president and Chief IT Security Officer of Raymond James Financial, Zolper says he sees the attacks on information security as a oneupmanship — and a situation that has increased in the last five years. Zolper has worked in information security for 15 years, the last year with Raymond James, and has watched as attacks have started to spread beyond criminals but to what some call nation states. To catch them before they reach a critical peak, firms are started to analyze data patterns that can spots certain activity that can indicate an attack is starting.
Raymond James recently took part in SIFMA’s “Quantum Dawn 2” exercise in July — the organization’s second — where approximately 50 groups throughout the financial services sector, as well as government groups including the Department of Homeland Security and the U.S. Treasury Department, spent a day playing out simulated scenarios as if they’d been attacked, while running through procedures to protect their data, and ways to remain in communication with other divisions within their firms.
The exercise used simulation software designed by Cyber Strategies, a division of the Norwich University Applied Research Institutes, to test beyond how firms would secure their own breach — but looking at how breaches to other organizations would affect them as well. The goal was to keep markets moving — while also protecting client data.
“This year was much more interactive and gave firms an opportunity to work through their contingency plans at their own location,” says Zolper. “You would get information on what was occurring similar to a real life situation and indicators for each company that would mimics a real trading day, how many teams, how many failed, and how systems responded.”
Zolper found the exercise very helpful as he believes it gave firms a more realistic sense of being attacked, and plans to have the firm participate next year as well.
Playing Defense
That’s what SIFMA hopes — that those in the industry will continue to work together to fight attacks. The group plans to issue a report following the Quantum Dawn 2 exercise, with potential best practices that firms can put in place. To SIFMA, coordination is key to the financial services industry’s success against the bad guys. And that means working not just among financial institutions but with the government as well.
“Information sharing has picked up in the last three to four years in terms of the volume,” says SIFMA’s Schimmeck. “At the end of the day while you may be able to protect your own firm, it’s an interconnected system. If even a small firm were to have an issue, it would have a ripple effect.”
Groups from FS-ISAC and the Federal Bureau of Investigation (FBI) are already creating alliances to share information that previously may have been thought of as proprietary to a company. Instead the government is encouraging others in the private sector to share data with themselves and each other to better combat attacks that don’t have any sign of abating.
“Today, the private sector is the essential partner if we are to succeed in defeating the cyber threat,” John Boles, deputy assistant director, of the FBI’s Cyber Division told the House Committee on the Judiciary in March. “The private sector is a primary victim of cyber intrusions—and its networks contain the evidence of countless such attacks.”
Regulators have taken notice. New York Gov. Cuomo recently sent 308 letters, requests for information, to insurance companies to see the policies they have in place to protect themselves from cyber attacks.
FINRA, the Financial Industry Regulatory Authority, has taken action, repeatedly fining firms for data breaches, and not providing adequate cyber security. Pricewaterhouse Coopers’ Nocera says he’s an aware of an attack on an investment firm that manages 401Ks that generated maximum loan advances on all of the firm’s accounts. While the institution reimbursed the funds, it’s a significant inconvenience for clients — and not a strong vote of confidence in the institution. It’s no a shock that regulatory groups are putting online security as one of their highest priorities.
“FINRA expects cyber security to remain a regulatory focus for the foreseeable future,” Susan Axelrod, FINRA’s executive vice president for Regulatory Operations said at the PLI Seminar in October.
David Vs Goliath
Security, like any technology, is only as good as the people behind it. All of a company’s bells and whistles can break down from one individual’s simple mistake. On the flipside, individuals can also create a strong defense as well.
Betty Hedrick, a financial planner based in Mercer Island, WA., uses encryption and password protection when communicating with clients, including providing special code words that clients can use if they want to request statements or withdrawals by email. Plus the firm has set up strong firewalls and anti-virus procedures.
If anything is flagged by clients, or Hendrik receives an email from them that she knows they didn’t send, a protocol is initiated so that extra attention is placed on their activity.
Hedrick says that as a “two person shop, we know our clients and can just call them,” she says. “But we are strict about making sure we do it.”
Working with 1,300 households, Passaretti takes his responsibility to secure his clients data seriously as well. After 32 years of running his firm, one of his best tools is knowing their patterns of behavior — which can even help him find out of they’re getting hacked at home. And in the end, even with the security he has in place through his broker/dealer, he still uses a centuries-old strategy to sometimes ensure that the communication coming from his clients is really them.
“I look at security in the old-fashioned way,” he says. “My clients may want us to communicate with them electronically, and get frustrated with us. But sometimes, we need to hear their voice.”