How to protect your clients from a cyber attack

By Alisha Hiyate | April 17, 2025 | Last updated on April 17, 2025

It’s a scenario no advisor wants to be faced with.

Imagine turning on your computer one morning to find your systems frozen and your files inaccessible. Same for your staff. Then you find the ransom note, with contact details for the cyber criminal holding your clients’ data hostage.

These crooks are increasingly targeting small- and medium-sized businesses, and financial advisors are a juicy target, a panel of cybersecurity advisors told the Advocis Symposium in Toronto last month.

“You folks are like a gold mine of data,” Neal Jardine, chief cyber intelligence and claims officer at BOXX Insurance said.

“You deal with money on a daily basis. You hold information about clients. You will be targeted if you are not already,” he said, adding that smaller businesses account for up to nine out of 10 of the financial crime and fraud claims he deals with.

Dramatic to down-low

The types of cyber attack advisors may face range from a ransomware attack that paralyzes their entire business and costs millions to resolve to a stealthy attack targeting one client.

In the former, payment demands can be steep — around 5% of revenues, Jardine said. One advisor client, he said, recently got a ransomware demand for $10 million, with the perpetrator eventually coming down to about $6.7 million (which his client could not afford to pay).

At the other end, criminals may target much smaller amounts. Jardine said one advisor followed a client’s emailed instructions to cash in and withdraw $20,000 from an account, only to hear from the client later that they never made the request. On investigation, BOXX found that the client’s Gmail account had been hacked after they’d clicked on a phishing link.

The request contained the right documentation and client signature, but the advisor didn’t notice that it came from the wrong email address — one letter had been changed by the hacker.

Stolen data and identity theft that may follow from data breaches can also lead to expensive lawsuits from clients, who may find that they need to monitor credit activity in their name indefinitely.

But perhaps the most devastating risk to advisors is the reputational hit that comes with a major data breach.

“You want to damage your reputation, send a notice to a client saying all their information is now available on the dark web,” Jardine said.

With so much at stake for advisors, the panel outlined best practices that can reduce the chances of facing an attack or avoid the worst repercussions if you are targeted.

Training

Malware, including ransomware, can enter advisors’ systems via multiple points, including a single employee clicking on a malicious link. Training on cybersecurity tools and best practices should include all staff, as human error is a factor in 90% of cyber attacks, Jardine said.

“I can tell a computer system not to do certain things,” he said. “You folks, I can’t control. You’re going to click on stuff, you’re going to open stuff.”

Insurance providers such as BOXX and Zurich provide free training that includes basic education on what financial crime and fraud is and how to identify it; why data encryption, strong passwords and multi-factor authentication (MFA) matter; and the need to verify payment requests.

Back up your data

In the case of a ransomware attack, you can rebuild your database if you have it backed up securely. That means you don’t need to pay the ransom, Jardine said.

On the other hand, if you don’t have a backup, paying the ransom is one of the quickest ways to get back on your feet again, said Julian Halton, senior underwriter, professional liability and cyber at Zurich Insurance. Otherwise, “you’re just a bunch of dead laptops in a room.”

Have a data retention policy

A data retention policy should spell out how long you will keep different types of data on file.

In one data breach case Jardine dealt with last year, an advisor’s email was hacked, and they had to notify 1,000 people that hackers had their information. “They had 20 years of client information all neatly organized in their email.”

Check out third-party apps

Halton said advisors should familiarize themselves with and use the cybersecurity features available through third-party apps.

“You probably have much more MFA, much more encryption, much more backup than you think you do,” Halton said. “[For many] third-party tools, IT vendors will have very good backup systems in place and MFA on login, even though it might be annoying.”

At the same time, as advisors start to use tools driven by AI, such as note-taking apps to assist with record keeping, they need to do their due diligence to avoid putting sensitive data at risk.

“Be conscious that you’re putting data out there,” Halton said. Advisors should look into the vendor company, their security levels and privacy policy.

Jardine added that staff who may be using tools like ChatGPT — whether approved or not — should be trained on the importance of anonymizing data.

Stick to the protocol

In some cases, clients insist on communicating with advisors using methods that aren’t secure. If advisors act on requests through such channels that turn out to be fraudulent, the liability is with the advisor, Jardine said.

“If you’ve set up established protocols and communication methods with the client, and the client chooses to deviate from it, how do you know it’s the client?” he said. “What’s your strategy for verifying them?”

Jardine said if you do get a client request via an unapproved channel, you should send a standard response explaining that it’s not a secure way to communicate — without providing any information about the client in case it’s a bad actor.

The response can explain that criminals may use these channels to get access to client information and accounts, and to infect the advisor’s systems with malware.

Spread the word

The panel also noted that advisors should communicate with clients about cybersecurity proactively and let them know how their data is being safeguarded. This can include reminders about established communication protocols.

Plan ahead

Have a plan in place to respond to an incident before it happens, the panel stressed. How will you communicate what’s happened to employees and clients? What will you say? “Think it through in advance, so that you’re not trying to decide when you’re in a complete trauma,” said Jack Mazakian, vice-president, Advocis Broker Services, who moderated the session.

Jardine suggested printing out phone contact lists, response plans and your insurance policy. If you have a cyber-insurance policy, Jardine also advised not to store it on your computer, as the first thing a bad actor will do is search for “policy” to see what your coverage is.

Cyber insurance

A cyber insurance policy can provide coverage for legal and regulatory costs, third-party liability, cyber-service costs for data breach victims, lost profits in the event of a related business disruption and the costs of managing your reputation after a cyber breach. But it’s not necessary for all advisors to have cyber insurance, the panellists said.

Being able to qualify for cyber insurance already puts you in a lower-risk category, Jardine said, as you will already be complying with basic best practices like using MFA and putting a limit on the number of password login attempts on systems.

“The insurance is there to kind of bring a standard to things. So instead of saying everyone in the room needs insurance, I think it’s better to say that these are kind of the minimum controls that you should have in place, and insurance will come along and provide you with loss transfer when you have those.”


Alisha Hiyate

Alisha Hiyate is managing editor with Investment Executive and Advisor.ca. She has 19 years of journalism experience covering mining and markets. Email her at alisha.h@newcom.ca.