FT columnist David Stevenson explains why financial advisers should be concerned by the threat from cyber criminals…
I am, by nature, a deeply cynical person. A few months back, I was asked to write a longish article about cyber crime for an important institution.
Ever since I worked on Tomorrow’s World as a producer for the BBC, I have been slightly suspicious of scary scenarios. If the grey nano goo does not get you, maybe the cyber criminals will.
In particular, I have a well-developed paranoia surrounding consultancy sales pitches that usually accompany any urgent plea for action – “We must fight cyber crime now… and luckily I have a consultancy service that will do just that”.
But as I sniffed around the corporate cyber crime arena, I began to realise there may just be a problem or two – and financial advisers might be next in line.
One survey of America’s leading S&P 500 companies discovered only a handful had not been compromised in some serious way, and quite the largest threat comes from the brand damage following the release of financial information.
As one (highly paid, ex-FBI) US consultant put it to me: “These cyber crime guys attack any professionally-managed organisation with a platform that gives access to deep, granular information about private clients and their finances.”
Apparently, the big new thing in the US is something called spear phishing, which involves a criminal using social media to gain access to a leading senior gatekeeper and then impersonating them to gain access to the corporate network.
This kind of activity makes the recent news that the Met Police had arrested 12 people for allegedly hacking into a South London Santander branch, using what is called a KVM (keyboard, video, mouse) switch, seem so old school.
These KVM devices apparently allow tech criminals to control several computers from a single keyboard and mouse.
If the banks are having difficulties, we can imagine what challenges everyone else is likely to face. My friendly US consultant observed: “It is not just banks that face a problem. Anyone with sensitive customer information is going to be a target even if they are really small, like a financial adviser. Be very afraid.”
The next big worry for IFAs?
So, it is with a heavy heart I have to suggest the next big thing IFAs have to worry about could be cyber crime. If the cyber criminals do not get you first, I suspect the FCA will.
IFAs and virtually everyone in personal financial services are obvious targets. Most firms already have lots of identifying data for their clients. Many of these bits of data are captured ‘in the field’ by an IFA.
According to one expert I talked to, “username/password protection can be subverted by extracting the hard drive from the laptop and plugging it into another computer. The only way to protect the data on the laptop is full encryption, which is not common as it is difficult to use.”
Advisers also need to be incredibly careful about their sales lists or customer relationship management systems, especially those saved to a USB stick, Google Docs or Dropbox.
I am sure there have been plenty of occasions where a client has received a call from a new IFA who knows a heck of a lot about them based on files purloined from their old firm.
Just imagine what could happen if that new IFA was not actually a professional, but someone trying to cheat the customer?
If all this was not bad enough, I would say with 100% certainty the FCA will be taking an especially proactive approach to the area of client data, especially as it is relevant to Pillar 3 disclosure. Sure enough, many IT experts are already recommending much more drastic action.
According to one IT security specialist, James Hogbin of IP Sentinel: “The FCA should insist on advisers undertaking and publishing a full systems penetration test on an annual basis. The only way to improve security is to be open about the issues and show steps are being taken to improve”.
Hogbin suggests “mandatory encryption of all client information should become the industry standard”. His new firm has published a simple checklist on its website (http://ip-sentinel.com/checklist/) which outlines some simple steps financial services firms can take.
How worried should IFAs be? My guess is most IFA firms are already fairly diligent about their IT safety processes, but I would also observe the criminals are likely to be moving faster than any in-house IT person.
Those cyber criminals will also be helped along by the fact most data incursions are internal, or the result of an accidental loss (via USBs or laptops left on the train).
Given that, for large companies, each data breach can cost up to £2m to fix (with the cost of recovering stolen data from an employee running to tens of thousands of pounds), I would start thinking long and hard about all that financial data on your system.