Security
Cyber threats continue to impact private banking
Cyber security is a pressing issue for all but the foolhardy. An attack can have devastating effects, not just through the information that is stolen but through the damage to a bank's reputation and to the trust its clients place in its ability to keep their assets, personal information and sensitive private details secure. Alison Ebbage writes
Not limited to the private banking sector, cyber threats are as old as the internet and have taken place in most areas, with some attacks being very high profile.
As a consequence, awareness of cyber-attacks and the threat they pose is high and private banking clients expect this issue to be one the private banks have got well under control.
Why is wealth management vulnerable?
Private banking is a difficult case when it comes to judging how much at risk it is. The motivation to attack might be lower than for a retail bank in terms of the sheer amount of client information and data held. But given the sensitivity of that data, and the possibility of stealing data belonging to a high-profile person, the temptation to have a go must be immense.
For this reason, ransomware attacks are an issue – wealthy individuals and banks have the means to pay a ransom and, in some instances, will do so before they would see personal details made public. Protection of sensitive data and reputational risk are high up the priority list in private banking.
Private banks and wealth managers therefore need to focus strongly on how they store and share data and information. The range and amount of information to store and transmit depends on the client and the bank, but the principle is the same: where are the weak spots and how can the risk be mitigated? How can you make an attack on your bank harder than an attack elsewhere, and thus make yourself an unattractive target?
Covid
This conundrum becomes all the more important now that moves toward digitisation are well underway. Digitisation is a leading play within the sector and received a boost from Covid; some say it was fast-tracked by about five years.
Broader technology adoption such as SaaS, the cloud, componentisation and ecosystems has also come into play, giving a rapid pace of change and an agile approach where the aim is to fail quickly and get back up again. That makes configuration changes and tweaks rife, and it means that holes in protection can become rife too if attention to detail, not just to functionality but also to security, is missing during a given process.
In addition, the sheer volume of data now being produced, shared and stored makes it easier for cyber criminals to hide in plain sight.
A KPMG blog acknowledged this. “It’s an unfortunate fact that fraudsters tend to prey on unexpected events or challenges. When normality becomes disrupted, they see an opportunity they can exploit. It shouldn’t be a surprise, therefore, that the COVID-19 pandemic has brought with it a significant increase in fraudulent activity,” it said.
The blog points to the rise in the number of ‘phishing’ emails on the back of the pandemic. This is essentially a lure asking customers to provide or validate their account or identity information. Other emails may contain malware that downloads onto a customer’s system once a link is clicked.
Open banking is starting to play its part in terms of what it is possible for cyber criminals to attack. The whole idea behind open banking is data sharing and aggregation to provide better customer service and more choice. An unappealing consequence is that cyber criminals could end up with a lot of very rich, already aggregated data to sell on or use, as opposed to lots of single data points that they would then need to aggregate and make sense of themselves.
Cyber risk is also partly a generational issue. Younger people are far more willing to share data and understand the trade-off between sharing data and getting better products or services. That means they might share information on, say, social media that reveals something about the wider family and makes it vulnerable to attack at the private banking level.
Wealth managers need to ensure their families have a good awareness of the risks of sharing personal information and that their clients too are leveraging sensible information sharing and protecting their own privacy. Trust is a two-way thing. With privacy requirements comes responsibility.
What then do private banks need to be aware of and how can they mitigate their risk?
Speaking to PBI, Chris Ansara, CEO at ALT/AVE, comments: “A lot of the pre-sales stuff like leaflets and other generic stuff is very easy to digitalise and by and large does not contain any sensitive information. Over the past three to four years it has all been digitalised and the industry has been good at doing this, and take-up levels have been good too. But where things become more difficult is in the post-sales literature, where you get into the realm of the regulated, so information on forecasts, projections and earnings needs to meet certain criteria in terms of both content and distribution.”
“In the physical world this would have been on a piece of paper – printed and therefore unalterable or immutable. There are six durable mediums that are considered to be acceptable, but each has operational constraints and drawbacks, and one of them is security,” he says.
File sharing and document storage
The three most common attacks are on emails, passwords and misconfigured remote access. A password manager, two-factor authentication and strong security processes around configuration go a long way towards solving these issues and serve as a good starting point.
But sharing information via email as attachments or file sharing is still particularly problematic.
Speaking to PBI, Ali Qureshi, chief revenue officer and co-founder of SideDrawe, says: “E-mail is relied on by many people, but it is very easy to send an e-mail to the wrong address or not see a phishing attempt for what it is. Mailbox server attacks, many of which are not detected until well after the event, are also on the rise. We think that emails exchanging sensitive client information have to be removed from play in favour of tools and platforms that allow for communications with secure and immutable access. They are really a standard requirement now.”
Ansara adds: “PDF attachments are the target of ransomware and malware – this saw an increase over Covid as people switched to sending out PDFs over emails. A way round this is to send out information within the body of an email but this is sometimes hard to read and isn’t really all that visually attractive. It also does not get round the fact that emails can be missent and end up in the wrong hands.”
All of this is more pressing within the wealth management industry given the move to a hybrid model, where there is less face-to-face meeting and thus a need to work digitally and collaboratively. Beyond sharing documents with trusted financial professionals such as lawyers or tax experts, there is also the need to share information within a family or between business contacts. All of this needs to be done remotely and securely.
Solutions
To this end, many wealth managers use client portals as a selling point, as something that allows for greater levels of engagement within a secure environment.
Ansara comments: “There has been an increased focus on the use of client portals for all these reasons – they are a means for a wealth manager and individual to communicate safely and securely – but it does raise the question of who is in charge or in control of the data and documents and who is ultimately responsible for it all. It can be a bit like marking your own homework, because the wealth manager needs to timestamp and self-audit to show that nothing within a given document has changed.
“Blockchain is a good way of solving these issues because it is very transparent and you can see when something has been placed and whether any changes have been made to it. You can send a client an email with an immutable hyperlink to the document that is stored on the blockchain – it is fully auditable and it would be immediately obvious if any changes had been made.”
He adds that portals can work well when it comes to information sharing with different family members or financial professionals.
“Say you are drawing up a 200-page contract and it needs editing and there is a lot of back and forth. If that is on a ledger then you can easily see all the amendments and mark-ups, and it makes the whole process less open to mistakes and ticks the immutable box too,” he says.
Qureshi says that awareness within the wealth management industry is growing and that a willingness to outsource document sharing and security is also coming along, but there is an education piece that needs tackling. “We know that it’s moving up the list, but alongside heightened priority we see a need for knowledge and education around when and how to take action and what is actually on offer from various providers.”
He cites the need to go right into the detail of what a provider is actually giving you and whether that is fit for purpose: which risks does it mitigate, and which does it not?
Qureshi says that this requires a good internal board-level understanding of what the risks actually are and what the firm is looking to achieve in terms of both process and the reach of the security.
“With private banking nowadays, it’s not just a point relationship between two people, it is the other family members and professionals. The net needs to be cast far and wide to eliminate the risk of the weakest link,” he explains.
Ansara adds: “This is highly dependent on the individual use case. Clients are very aware of the issues surrounding cyber security and being able to reassure them is actually a massive value add and point of differentiation.”
Indeed, if a private bank can show that it is safeguarding the client’s information and privacy, it gets better levels of conversation and loyalty, because customers see that their wealth manager cares about their security and about them. “It gives a comfort level and makes the client feel like they are being taken care of,” concludes Qureshi.
Common risks include:
Malware – once installed on a device, malware listens in for sensitive data and information and can go on to steal data as well as attack a bank’s networks.
Spoofing – impersonating a bank’s website and getting users to input their login details, which are then stolen.
Ransomware attacks – where data and information are stolen or locked and are returned only once a ransom has been paid.
Misconfiguration – with staff working at home and the commonplace use of mobile devices, there are more endpoints for organisations to keep track of and configure correctly.
Misdirected emails – where emails are sent to the wrong person.
Phishing – where emails pretending to come from reputable companies are sent with the aim of getting individuals to reveal personal information, such as passwords and credit card numbers.