Cybercriminals Targeting Financial Services Firms
By Harry J. Lew
Is it any surprise cybercriminals are targeting the financial-services industry? Banks and investment firms hold deposits worth trillions of dollars from hundreds of millions of consumers. Breaching their defenses can yield stupendous paydays for today’s cybercriminals. Meanwhile, insurance companies maintain treasure troves of consumer data, which, if stolen, can be used to unlock the bank and investment-firm consumer accounts just mentioned. No wonder these are both the best of times (in terms of job security) and the worst of times (in terms of job stress) for financial-industry data security experts.
However, a recent Accenture and Ponemon Institute study suggests it may be more the latter than the former. According to their Cost of Cyber Crime Study, the average tab for financial-services firms has grown more than 40 percent in the past three years—from US$12.97 million per firm in 2014 to US$18.28 million in 2017. This compares with the average cost for firms across all industries of $11.7 million.
Making matters worse, the study also found that the average number of breaches financial-services firms experience annually has more than tripled over the last five years, growing from 40 in 2012 to 125 in 2017. Not surprisingly, Accenture and Ponemon uncovered a spike in financial-services security spending of 10 percent from 2016 to 2017.
What impact have mounting cyberattacks had on financial-services firms? They’ve disrupted business operations and led to business data loss, to name just two, which account for 87 percent of the post-incident costs; the remaining 13 percent results from revenue loss.
If you work in the financial-services industry at any level, these statistics are highly disturbing. They become even more so when viewed through the lens of a specific breach. For example, consider the 2015 incident at Indiana-based Anthem Blue Cross Blue Shield.
According to a case study in the KPMG white paper, “Closing the Gap: Cyber Security and the Insurance Sector,” Anthem suffered a major data breach that exposed the data of millions of customers. Post-breach investigators found that the incident began in February 2014 when an employee in one of its subsidiaries opened up a phishing email that contained malicious content. This resulted in the downloading of malicious files to the user’s computer, giving hackers the ability to not only access that person’s computer, but also dozens of others across the Anthem enterprise. At the peak of the attack, which was perpetrated by a hostile nation-state, the hackers used 50 employee accounts to compromise some 90 data systems within Anthem, including the firm’s entire data warehouse. Ultimately, the cybercriminals exfiltrated the confidential data of 80 million Anthem customers.
As one would expect from a hacking incident of this size, the resulting costs to Anthem were staggering. According to KPMG, the initial expenses, for security improvements, remediation, and post-breach cleanup, totaled some $260 million. There were also so-called “slow-burn” effects, including $115 million to settle consumer litigation, as well as additional costs to provide credit monitoring for those whose data were compromised.
Since the Anthem attack, there have been many highly damaging cyberattacks and data breaches in the financial-services sector. Some of the more noteworthy include:
- Equifax (Missouri credit-reporting agency): Hackers exploited an application vulnerability to steal the Social Security Numbers, addresses, birth dates, and in some cases, drivers’ license numbers for 143 million consumers. Another 209,000 people had their credit-card data stolen.
- CareFirst BlueCross Blue Shield (Maryland health insurer): A sophisticated cyberattack compromised the personal data of some 1.1 million customers of CareFirst, the largest regional insurer in the state.
- Premera Blue Cross (Washington health insurer): A cyberattack resulted in theft of 11 million customer records, including credit-card and Social Security numbers and patient medical histories.
- Scottrade (Missouri discount brokerage firm): Theft of 4.6 million customer files, including names and addresses.
But what do these incidents have to do with you—individual insurance agents or agencies or your counterparts in the securities-brokerage or investment-advisory industries? Plenty. Think of yourself as facing a microcosm of all the risks embedded within large financial institutions. Cybercriminals can breach your computers to steal the identities of your clients as easily as, if not more easily than, they can those of large corporations. That’s because your defenses against such an attack may not be as hardened and your resources for responding to an attack may be more limited than those available to a larger firm.
In fact, because you have fewer resources, but are subject to many of the same risks, one might argue individual agents and advisors are at much greater risk today than large financial-services companies are. For instance, here are just a few of the risks your firm faces every day:
Social engineering: This refers to hackers using people’s brain chemistry against them. It is a cyberattack method that relies extensively on human interaction, i.e., tricking people into breaking normal security protocols in order to gain entry into systems, networks, or physical locations, for financial gain. Hackers use social-engineering techniques such as phishing, spear phishing, pretexting and more—because it’s easier to exploit human frailty than it is to find and leverage network or software vulnerabilities. Most cybersecurity experts agree that the human element will always be your key weakness when it comes to mounting an effective cyberdefense.
Ransomware: This is a form of malicious software that, when installed on your computer, threatens to lock you out of your data unless you pay a ransom, typically via payments of hundreds or thousands of dollars in Bitcoin. Hackers typically use phishing e-mails and other social-engineering techniques to get users to click and download an application, which then takes over the host computer and locks down user files.
Wi-Fi Hotspot Sniffers: IT administrators use so-called sniffers to monitor computer-network activity and diagnose problems. The sniffer analyzes network traffic and then generates findings in words and numbers so that administrators can resolve problems. Bad guys also use sniffers to see your data as it travels from your device to the router and then to steal it. Using this approach, cybercriminals can grab your unencrypted data, getting access to your usernames and passwords and potentially hijacking your device—and your life!
Mobile Device Hijackers: One of the newer techniques involves hackers hijacking smartphones in order to gain access to the personal and financial information on them. How does it work? Criminals contact victims’ cell phone providers to initiate a transfer of service to a new device. How? By providing the cell phone company with your last four Social Security digits and a fake ID. Lacking this information, they may also provide convincing stories about losing or damaging their phone. When pressed for details, they can provide your address, birth date and other information found on the Internet. After the company ports the phone number to a new device, the criminals can now reset passwords on your financial accounts and then loot your money or attempt to blackmail you.
Password cracking: This refers to various techniques used to uncover computer passwords. Typically, cracking consists of repeatedly guessing a password using a computer algorithm that tries various combinations until the actual word or words become known. With passwords in hand, cybercriminals can then get access to your computers or accounts to steal and use your financial or banking information.
So what should you do? Engage in common-sense defensive measures. According to Financial Planning magazine, here are 10 of the most important:
- Encrypt Emails
Either don’t send private information over email or encrypt your message first. Many financial firms offer advisors and clients secure web portals for communicating with them. Use such portals to avoid information theft.
- Secure Your Computers and Networks
Consider discarding your old emails and storing your documents offline or behind a firewall.
- Secure Physical Documents
Lock up any paper files with client data when they aren't being used.
- Use Multiple Sign-offs
Require multiple people to approve any funds disbursement.
- Review Passwords
Change passwords frequently and make them long, complex, incoherent, and hard to guess. And don’t store lists of passwords on paper or on a computer where outsiders can get access to them. Better yet, use a password manager to access multiple websites using only one password.
- Back Up Data
Have a comprehensive, dependable backup system in place, either in a physical off-site location or in the Cloud. The latter can help to make archiving and restoring your data easy and convenient to do.
- Update Devices
Always keep your electronic devices updated with the latest software patches. This will prevent hackers from leveraging known vulnerabilities in system or application software. Also consider using security applications such as Malwarebytes and Microsoft Security Essentials, both of which are free. Use them to periodically scan all your computers and devices for viruses, malware, and other bugs that criminals use to wreak havoc with your computer hardware, software, and data.
- Avoid Public Wi-Fi
As we mentioned earlier, avoid using public Wi-Fi to make purchases with credit cards or to access client files or firm data. Doing so puts your devices at risk. Instead, access the Internet through your own personal cellphone “hotspot” or 4G access. And consider using a VPN application to encrypt your outgoing files.
- Educate Clients about Cybersecurity
Encourage clients to engage in safe computing, especially relating to their finances. Email hygiene is one of the most important safety techniques of all. Obviously, they should refrain from opening emails from people or entities they don’t know or clicking on links included in email messages.
- Create and Update an Annual Cybersecurity Plan
As financial-services firms and software providers tighten vulnerabilities, hackers always move on to the next successful technique. This means it’s crucial for you to continually update your cybersecurity plans. Complying with the cybersecurity requirements of your regulator will help you to stay safe in the face of current threats.
Of course, now you must decide whether to become your firm’s self-taught cybersecurity expert or to hire a contractor. Although the former is possible using various free planning templates, it does take time. And there’s an opportunity cost for doing this work vs. your normal sales, marketing, or management tasks.
You could hire a vendor to handle cybersecurity for you, except most have solutions—and fees—geared to large corporations. As a “solopreneur” or operator of a small insurance agency, securities broker-dealer, or registered investment advisor (RIA), large cybersecurity consultants may be out of your budget. Fortunately, the National Association of Professional Agents (NAPA) has pioneered a third approach, which allows you or a staff member to manage your own cybersecurity under the guidance of a highly knowledgeable expert. How? By working with our cybersecurity partner, INVISUS, a leading provider of computer repair and security services for small- to medium-sized companies.
Established in 2001, INVISUS has been a pioneer in digital protection and risk management for both businesses and consumers. Its flagship InfoSafe® security compliance service (which shows you how to certify the safety of your computer systems), iCare Pro® on-demand tech support service, and iDefend® business and employee identity theft protection programs are well regarded and available at a substantial discount for NAPA members. You can select the flagship service and/or add one or both supplemental services, based on your needs and budget.
Finally, consider purchasing cyber liability and data breach insurance for your business. This is becoming an increasingly important purchase for financial professionals of all stripes, says Scott Reid, National Director of Cyber Insurance for Gallagher Affinity Insurance Services. It protects insurance agents and registered investment advisors against various first-party and third-party post-breach expenses. In the former category are breach response, credit notifications, forensics analysis, PR consultants, cyber extortion payments, and business interruption costs. In the latter category are the payment of regulatory fines for privacy violations, attorney expenses, and the costs of future lawsuits and settlements, among others.
By maintaining a “code-red” sense of urgency about cyberattacks and cyberbreaches, developing and maintaining a cybersecurity plan, adhering to common-sense defensive measures, and buying a high-quality cyber liability and data breach insurance policy, you can go to sleep at night knowing you did all you could to protect your customers, your employees, and yourself. And if cybercriminals do target your firm, you will have confidence that the procedures you established to mitigate the damage and respond effectively will perform capably. Hopefully, it won’t come to that. But if it does, you WILL be ready!