Think twice before clicking that link

By Jonathan Got | July 17, 2024 | Last updated on July 17, 2024
4 min read
Cybersecurity concept, cybercriminal, hacker
AdobeStock/Maksim Shmeljov

Noah Billick remembers the time a financial advisor accidentally sent $120,000 of a client’s money to a cybercriminal.

It was RRSP season, and everyone was busy, said Billick, who was chief compliance officer for several financial institutions and is now partner and director of regulatory, funds and compliance with law firm Renno & Co. in Montreal.

The criminal hacked into the email of a client’s daughter and requested a money transfer, pretending to be the daughter. The daughter lived overseas and the client had transferred funds to her previously, so the advisor complied with the criminal’s request. They realized the mistake when the advisor tried to do a second transfer and a staff member flagged it.

The advisor received a fine from a regulator and the company. The client was made whole, but it was a negative experience for the advisor and the firm.

Wealth management firms often implement stringent security policies that can reduce advisor convenience. But it’s “a heck of a lot less inconvenient” to have cybersecurity measures than a breach, Billick said.

And cybersecurity breaches can cause lasting reputational damage, said Maria Flores, president of Carte Wealth Management in Mississauga, Ont. For example, people still talk about a 2023 security breach of third-party file sharing service GoAnywhere that affected several Canadian financial services firms, she said.

To fulfil a legal obligation to care for their clients’ data, firms need adequate policies, follow-up training and a secure technical setup. While policies such as multifactor authentication are prevalent, some firms go further.

Two-factor authentication and requiring a fresh login after changing physical locations are common cybersecurity practices, Flores said. At Carte Wealth, file sharing between advisors and clients occurs using Docusign and SideDrawer, an encrypted file sharing service.

“[Advisors] say, ‘You know what? I’m kind of tired of this two-factor authentication.’ And I say, ‘You know what? Sorry, but that’s the policy. I cannot remove it,’” Flores said.

Multifactor authentication can be set up to minimize disruption to advisors, said Larry Keating, CEO of NPC DataGuard, a cybersecurity response company in Markham, Ont. One option is to require fewer re-logins between sessions if a user stays active. Carte is an NPC client and uses this method for their NPC-managed emails and devices.

Carte Wealth has also set up a streamlined method for reporting phishing emails. When someone spots a suspicious email, they can tell others through the firm’s internal messaging platform, Microsoft Teams, and forward it to a “phishing 911” email address, which causes the company’s system to block the sender for everyone.

Carte also encourages advisors to purchase cybersecurity and errors and omissions insurance, and invites third parties to provide training to advisors. Flores said her staff have found training sessions useful.

Windsor, Ont.-based Sterling Mutuals also has mandatory two-factor authentication and locks accounts after too many failed attempts, said founder and CEO Nelson Cheng. Every file uploaded to the company’s database is scanned by antivirus software, and users can only upload certain file types.
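The file-type restriction Cheng describes is easy to get wrong if it only looks at the file name, because an attachment can simply be renamed. The following is an added illustration, not Sterling Mutuals’ code: a small upload check that accepts only an allowlisted extension and then confirms the file’s leading bytes match what that type should look like. The allowlist, the signatures and the sample uploads are constructed for the example.

```python
import os
from typing import Dict, List, Tuple

# Constructed allowlist: extension -> known leading byte signatures for that type.
# (Assumption for the example; a real firm would set its own list.)
ALLOWED_TYPES: Dict[str, List[bytes]] = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload.

    Two independent checks must both pass:
      1. the final extension is on the allowlist (so "report.pdf.exe" fails,
         because its real extension is .exe);
      2. the file content starts with a signature expected for that extension
         (so an executable renamed to "report.exe.pdf" fails on its content).
    """
    base = os.path.basename(filename)            # ignore any directory components
    ext = os.path.splitext(base)[1].lower()      # only the last extension counts
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not on the allowlist"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, f"content does not match the expected signature for {ext}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads: a genuine PDF, a renamed executable (MZ header),
    # a double-extension trick and an uppercase image extension.
    samples = [
        ("statement.pdf", b"%PDF-1.7\n%..."),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("notes.exe.pdf", b"MZ\x90\x00"),
        ("photo.JPG", b"\xff\xd8\xff\xe0JFIF"),
    ]
    for name, content in samples:
        print(name, "->", validate_upload(name, content))
```

The content check here is deliberately shallow (a signature match, not a full parse); it belongs in front of the antivirus scan the article mentions, not in place of it.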

However, Cheng said that as social engineering attacks have become more common, he’s more worried about advisors clicking on a malicious link than a hacker breaking through a firewall.

“If I wanted to break into our system, I would send you a document with a link and embed [it], you would click on it when you open a document,” he said. “That’s pretty much the only way to break in.”

To reduce Sterling’s vulnerability to such attacks, staff are required to participate in online training on different types of cyberattacks, including social engineering and identifying suspicious emails.

Staff receive simulated phishing emails periodically, Cheng said. The emails vary in difficulty from being easy to spot to very sophisticated. If an employee clicks on a link, they will be flagged for retraining.

Similarly, Carte’s staff watch a short video on a different cybersecurity topic every month followed by a quiz, Flores said. Their system also sends simulated phishing emails. People who click on the link will receive additional coaching.

Simulated phishing is part of a good cybersecurity training program, Keating said. It’s important to teach employees the error of their ways, but it doesn’t have to be done in a punitive manner.

“I don’t think it’s necessary to make the staff member feel like you’re trying to catch them,” he said. Managers can explain to staff that “it’s better we find out that we’re not getting it right when we are doing it than when the bad guys do,” he added.

If wealth management firms suffer a breach, they call lawyers like Billick whose job includes communicating with regulators to “keep the temperature down,” he said. Regulators would be interested in the firm’s cybersecurity training, prior incidents and how they handle problematic behaviours.

A review will also help a firm set policies to prevent a repeat incident, Billick said. For example, while the advisor who sent $120,000 to a criminal’s overseas account violated several rules, the firm didn’t prohibit advisors from taking client instructions by email. (The incident pre-dated CIRO’s requirements for cybersecurity.)

The firm now requires advisors to verbally confirm transactions with clients.

Measures to prevent social engineering

  • Periodic cybersecurity training
  • Simulated phishing attempts to identify staff for additional coaching
  • Streamlined phishing reporting
  • Policies against accepting client instructions by email
  • Passphrases and verification questions
  • Balanced spam filters to reduce false positives
  • Location-based authentication so emails can only be read from locations where an advisor normally performs business

Jonathan Got

Jonathan Got is a reporter with Advisor.ca and its sister publication, Investment Executive. Reach him at jonathan@newcom.ca.