Wednesday, 31 May 2017

Wealth Management/Stacey Robinson: Cyber Attacks May Make Financial Industry "WannaCry"

May 02, 2017

Cyber Attacks May Make Financial Industry "WannaCry"

The financial services industry is a huge target for cyber criminals — more than any other industry.

By Stacey Robinson | May 24, 2017

Large-scale cybersecurity breaches are in the news on a weekly and even daily basis in 2017. The WannaCry ransomware attack that sent millions of malicious emails and infected hundreds of thousands of computers globally, the Google Docs phishing scheme that spread rapidly, granting access to a malicious third party under the guise of a shared document, and dozens of other smaller attacks have affected organizations across industries and put cybersecurity on everyone’s minds.

The financial services industry is a huge target for cybercriminals — more than any other industry — and the risk has evolved from financial theft and fraud to more complex and serious consequences like theft of intellectual property, business disruption and reputation damage (Deloitte).

In other words, hackers are not just stealing lists of Social Security numbers anymore, but rather executing serious breaches with more far-reaching consequences. Even large firms may struggle to keep up with the evolving cybersecurity threats and the situation is particularly challenging for mid- and small-tier firms. As recent events like WannaCry show, malicious cybercriminals are only getting quicker and more sophisticated.

Cybercriminals Exploit Financial Services Firms’ Vulnerabilities

At financial services firms, cyberattacks exploit flaws in security programs that allow threat actors to gain access. Among the most common attack targets are endpoints, such as laptops, tablets and smartphones. Endpoints are particularly vulnerable because they require both robust security protocols and effective education for the firms’ employees, who act as the last line of defense.

Attackers use weaponized email attachments and links to attack sites in order to compromise credentials and establish a foothold on the endpoint. The 2016 Data Breach Investigations Report (DBIR) from Verizon points out that it only takes minutes to compromise a host and collect a set of valid credentials, and in most cases, data exfiltration is underway just days after compromise.

Additionally, the DBIR uncovers some surprising figures about common security vulnerabilities. In 2015, the top 10 unpatched vulnerabilities accounted for 85 percent of successful exploit traffic. Furthermore, of those top 10 unpatched vulnerabilities that were exploited, only two of the patches were from 2015, and all of the remaining eight patches were published in or before 2003. The SEC’s Office of Compliance Inspections and Examinations found recently that while nearly all firms surveyed had regular system maintenance processes in place, including the installation of patches to address vulnerabilities, 10 percent of broker/dealers and 4 percent of investment management firms had not updated a significant number of critical, high-risk security patches. Given these statistics, it’s unsurprising that attackers find success.

The WannaCry attacks that started on May 12, 2017 exploited the EternalBlue vulnerability. Microsoft had released a critical patch for EternalBlue on March 14 — almost two full months prior to the attacks. “Frankly, if you wait two months to apply a critical Microsoft patch, you’re doing something wrong,” said Kasper Lindgaard of Flexera Software. “This time, we even had a warning in April that this could very likely happen, so businesses need to wake up and start taking these types of threats and risks seriously. There is simply no excuse.”

Why Are Endpoints Especially Vulnerable?

Endpoints are a primary target for several reasons: 1) they are not being patched consistently or fully, 2) policy configuration may be ineffective, 3) they directly interact with attack sites and are often exposed to untrusted networks such as public hotspots and ineffectively secured home/home-office networks and 4) a portion of end users will inevitably open malicious attachments and click links to attack sites.

Compromising an endpoint gives the attacker a lot of bang for their buck, since endpoints provide easy access to additional data and systems. One of the most effective ways to exploit endpoint security vulnerabilities is via phishing, a form of social engineering that commonly targets financial services companies. Per the DBIR, 30 percent of phishing emails were opened and 12 percent clicked on the malicious attachment or link, thereby enabling the attack. Clearly, we still have a long way to go in educating employees on security risks associated with emails and social engineering.

Successful endpoint security is a complex endeavor, requiring an extensive framework and consistent attention. It requires quality and maturity in areas such as OS hardening, the principle of least privilege and patching. Particular consideration should be paid to advanced security solutions around application whitelisting, exploit detection and prevention, device blocking, firewalls, web filtering and malware prevention.

While attackers will continue to use phishing as an attack vector in order to capitalize on human error, it’s certainly possible — and these days, essential — to develop and implement a robust security framework that accounts for all vulnerabilities.

From simple patch maintenance programs to in-depth user awareness and education, the best approach to preventing a breach involves making it difficult and too expensive for criminals to infiltrate your organization. Consistently adapting and improving security controls and countermeasures drives up the cost and risk for cybercriminals, while in turn making companies better and more effective at spotting and stopping attacks sooner.

While recent global attacks are unfortunate, they may be the wakeup call that some financial services firms need in order to put stricter protocols in place.

Stacey Robinson, CISSP, is Chief Technology Officer at Mediant.

Morgan Stanley's 16,000 Human Brokers Get Algorithmic Makeover
The best hope human advisers have against robots is to harness the same technologies that threaten their disruption: algorithms combined with big data and machine learning.

May 31, 2017

By Hugh Son

(Bloomberg) -- Call them cyborgs. Morgan Stanley is about to augment its 16,000 financial advisers with machine-learning algorithms that suggest trades, take over routine tasks and send reminders when your birthday is near.

The project, known internally as “next best action,” shows how one of the world’s biggest brokerages aims to upgrade its workforce while a growing number of firms roll out fully automated platforms called robo-advisers. The thinking is that humans with algorithmic assistants will be a better solution for wealthy families than mere software allocating assets for the masses.

At Morgan Stanley, algorithms will send employees multiple-choice recommendations based on things like market changes and events in a client’s life, according to Jeff McMillan, chief analytics and data officer for the bank’s wealth-management division. Phone, email and website interactions will be cataloged so machine-learning programs can track and improve their suggestions over time to generate more business with customers, he said.

“We’re desperately trying to pattern you and your behavior to delight you with something you may not have even been asking for, but based on what you have been doing, that you might find of value,” McMillan said in an interview. “We’re not trying to sell you, we’re trying to find the things you want and need.”

Faced with competition from cheaper automated wealth-management services and higher expectations set by pioneering firms like Uber Technologies Inc. and Amazon.com Inc., traditional brokerages are starting to chart out their digital future. It turns out that the best hope human advisers have against robots is to harness the same technologies that threaten their disruption: algorithms combined with big data and machine learning.

The idea is that advisers, who typically build relationships with hundreds of clients over decades, face an overwhelming amount of information about markets and the lives of their wealthy wards. New York-based Morgan Stanley is seeking to give humans an edge by prodding them to engage at just the right moments.

“Technology can help them understand what’s happening in their book of business and what’s happening with their clients, whether it be considering a mortgage, to dealing with the death of a parent, to buying IBM,” McMillan said. “We take all of that and score them on the benefit that will accrue to the client and the likelihood they will transact.”

Morgan Stanley will pilot the program with 500 advisers in July and expects to roll it out to all of them by year-end.

Additional high-tech tools are coming: McMillan and others are working on an artificial intelligence assistant -- think Siri for brokers -- that can answer questions by sifting the firm’s mountain of research. (The bank produces 80,000 research reports a year.) The brokerage also is automating paper-heavy processes like wire transfers and creating a digital repository of client documents, such as wills and tax returns. Established advisers tend to be older, so Morgan Stanley is hiring associates to train those who need help.

The technology means that for the first time in decades, the balance of power between financial advisers and their employers may shift. For years, top advisers could command multimillion-dollar bonuses by jumping to a competitor. That slowed to a crawl this year because of regulatory changes, and now the technological push will further the trend, according to Kendra Thompson, a managing director at Accenture Plc.

Bonuses Obsolete

Backed by a firm’s algorithms, “advisers are going to be part of a value proposition, rather than the service conduit for the industry,” Thompson said. “The cutting of the bonus check, it’s nearly over.”

Morgan Stanley isn’t swearing off robo-advisers, either. It plans to release one in coming months, along with rivals Bank of America Corp., Wells Fargo & Co. and JPMorgan Chase & Co. The technology was pioneered by startups Wealthfront Inc. and Betterment LLC and went mainstream at discount brokers Charles Schwab Corp. and Vanguard Group Inc. Robos could have $6.5 trillion under management by 2025, from about $100 billion in 2016, according to Morgan Stanley analysts.

An in-house robo-adviser and a learning machine that acquaints itself with rich clients might alarm advisers who plan to keep working for decades. McMillan is adamant that the flesh-and-blood broker will be needed for years to come because the wealthy have complicated financial planning needs that are best met by human experts.

“When I talk to financial advisers, they’re always like, ‘Is this going to put me out of business?’” he said. “That’s always the big elephant in the room. I can tell you factually that we are a long ways away from that.”

To contact the reporter on this story: Hugh Son in New York at hson1@bloomberg.net To contact the editors responsible for this story: Peter Eichenbaum at peichenbaum@bloomberg.net David Scheer, Dan Reichl
  
Copyright © 2017 Penton