Protecting Your Firm from Data Security Threats

Transcription

1 Data Security March 2014 Protecting Your Firm from Data Security Threats Recent headlines are a stark reminder that all kinds of enterprises are vulnerable to security breaches. Broker dealers and financial advisors considered high value targets by some cybercriminals should take steps to protect their assets and data, and they have a fiduciary duty to do the same for their clients. Wire fraud, identity theft, and scams especially phishing and whaling are significant and growing threats to data security for broker dealers and financial advisors, and the schemes criminals use are becoming more sophisticated. As part of their general fiduciary responsibility to their customers, broker dealers and their advisors should remain constantly vigilant for signs of fraud. Many investment advisory firms are required under Regulation S ID to implement an Identity Theft Protection Plan (ITPP), and even financial advisors not explicitly required to adopt an ITPP should consider doing so as a best practice. Fidelity Investments has identified a number of other best practices firms might consider to help combat the growing threat of data security breaches, and they are outlined in this paper, along with a discussion of what to do should a breach occur. Introduction Data security threats have become a fact of life for those doing business in the Information Age. Organizations of all types in both the public and private sectors routinely take steps to protect their data, and many organizations including most involved in the financial services industry face regulatory requirements to do so. The widespread perception that financial services firms including broker dealers and financial advisors are high value targets makes them more likely to attract a greater level of criminal attention, according to analysis of three years worth of data from the Verizon Data Breach Investigations Report (DBIR). 1 Regulatory and compliance mandates may mean that financial services firms are likely to have defenses against such attacks that are more robust than those of the average business. A report from data security firm Vormetric finds that financial services firms have a strong focus on security processes and controls, with adoption rates in most categories tending to be about 20 percent higher than those at other types of organizations. 2 However, even though financial services firms are ahead of the curve with data centric security, only 4 percent of those polled by Vormetric feel they are not at all vulnerable, and more than 40 percent consider themselves either vulnerable or extremely vulnerable. Clearly, industry participants at all levels must still maintain a high level of awareness of data security threats, how to defend against them, and what to do if an incident occurs, and that is particularly true for broker dealers and financial advisors. Anytime your main business is dealing with money, consider yourself a potential target for attack, warns Luke Klink, Security Program Strategy Consultant with Rook Security, an IT risk management and information security firm. Broker dealers and financial advisors are great examples of prime targets for organized computer crime rings. Motivated individuals will stop at nothing short of being caught in their attempts to gain access to your clients data and money. 1 industries financial services threat landscape_en_xg.pdf 2 Vormetric, 12/19/13, peek financial services insider threats good bad/ 1

2 Biggest Concerns for Firms & Advisors Insider threats are one aspect of data security of which broker dealers and financial advisors need to be aware, but outside threats are a much bigger concern. According to Verizon DBIR, 97 percent of attacks on financial firms between 2011 and 2013 came from outside the organization, and 94 percent were financially motivated, meaning the fraudsters were after money and/or the data needed to access it. Areas of particular concern for broker dealers (BDs) and financial advisors (FAs) include wire fraud, identity theft, and scams. A common phishing scam involves an e mail that appears to come from a legitimate source asking for verification of usernames, passwords, or credit card details from unsuspecting recipients. Phishing attacks remain the predominant threat, and we are seeing an increase in the number of whaling attacks, where criminals seek to target high level executives and managers at firms, says Tim McKnight, executive vice president, enterprise information security and risk at Fidelity Investments. Identity theft is often a component in other types of fraudulent activities; that is, the criminal attempting to perpetrate the fraud tries to convince a financial institution that he or she is someone else. In a speech on April 10, 2013, Securities and Exchange Commission Chairwoman Mary Jo White described identity theft as a type of fraud that robs millions of Americans of their hard earned money and estimated that 5 percent of U.S. adults fall victim to it every year. 3 She made those statements as prelude to new identity theft red flag rules issued jointly by the SEC and the Commodities Futures Trading Commission later that month. Regulation S ID, which requires certain financial institutions to establish an identity theft red flag program designed to detect, prevent, and mitigate identity theft, became effective May 20, All advisors, brokerdealers, and other financial institutions subject to Regulation S ID were required to be in compliance as of November 20 by developing and implementing an identity theft protection program consisting of reasonable, board approved compliance policies and supporting procedures to prevent, detect, and respond to any possible identity theft situations. 3 Mary Jo White, SEC Open Meeting, 4/10/13, #.UsHc9fRDt8E Among the tactics criminals use to compromise a victim s identity and/or login credentials are malware, phishing, and social engineering. Malware is a type of malicious software criminals use to gain access to private computer systems and gather sensitive information such as biographical data, Social Security numbers, account numbers, passwords, etc. It can be inserted into a victim s computer through various means, often when an unwary user clicks on an unfamiliar link or opens an infected . Phishing is an attempt to acquire the same kind of sensitive information (user names, passwords, account numbers, etc.) by masquerading as an entity with which the victim already has a relationship, typically a bank, credit card company, or other financial services firm. Social engineering involves manipulating victims to perform actions or divulge confidential information to an unauthorized individual. Typically, the scammer leverages something they know about the person like their address or phone number to gain their confidence and get them to provide more information. Social engineering fraudsters can be very skilled at convincing others they have a legitimate right to the information being requested. Scam artists then use the illicitly obtained information to engage in criminal activity that includes fraudulent trading, EFT fraud, wire fraud, and establishing fraudulent accounts. Incidents of Fraudulent Trading Rising Incidents of fraudulent trading, (which refers to the intentional misuse of business information or technology by an individual or entity to steal money or assets from another individual or entity) increased by 58 percent through the first eight months of 2013 compared to all of 2012, according to William R. French, vice president of institutional risk management at Fidelity Investments. The majority of targeted symbols involved low priced stocks in the $5 to $15 per share range but there has been a recent uptick in the symbols of penny stocks. And this is not an isolated problem, he warns. When financial services firms identify high levels of potentially fraudulent trading activity in a particular stock, they share that information with regulators and other firms. Recently, there has been an increase 2

3 in the number of new symbols being shared by firms, suggesting a rise in this type of fraud. 4 On the EFT fraud front, the past year has seen a major shift towards the use of prepaid bank cards over the cards issued by traditional banks, and cyber security experts say the explosive growth of prepaid cards is making it easier for fraudsters to withdraw large amounts of money before being detected. Prepaid cards have fewer controls on them than the credit and debit cards issued by traditional banks, and they are easier to hack. Since new prepaid cards are basically anonymous, there are no credit histories or individual behavior patterns associated with them, so it is very difficult for banks and payment processors to monitor activity for red flags. About three quarters of fraudulent EFT disbursements through the first eight months of 2013 involved the use of a non traditional bank card. 5 Wire fraud has been around much longer than some of today s emerging data security threats, and it s experiencing a resurgence. The most common scenario involves fraudulent money transfers by phone or electronically, and the number of incidents in the securities industry has risen more than tenfold over the past decade and by more than 60 percent just since 2011, according to data from the Treasury Department s Financial Crimes Enforcement Network (FinCen) reported in The Wall Street Journal. 6 In fact, wire fraud has been increasing at a faster rate than identity theft (up about sevenfold over the same period, according to FinCen data). Of particular concern to financial advisors is that they may be held personally liable for a wire transfer that turns out to be fraudulent if they failed to follow the proper procedures, which often include calling the client to verify the transaction before initiating it. Schemes Becoming More Sophisticated An emerging trend in the misappropriation of assets involves the distribution of client funds from multiple accounts to a common destination account. In many of these cases, wire or EFT instructions used to process repetitive distributions are altered to 4 Fidelity Investments, September Ibid. 6 Weekend Investor Wealth Manager: Wire Fraud on the Rise, by Matthias Rieker, The Wall Street Journal, 10/12/13 make transactions initiated by an unauthorized third party appear as though they have been made by an authorized first party. This gives the appearance that the processed wire transfer or EFT is being paid into an account controlled by the beneficial owners of the distributing account, French explains. In reality, the receiving account is controlled by the perpetrator of the misappropriation. Unfortunately, the perpetrator in too many cases turns out to be a current or former registered representative. Several firms have incurred material sanctions for failing to have supervisory systems reasonably designed to uncover repetitive wire transfers and EFTs to common accounts. The tactics employed by criminals intent on compromising data security in order to illegally access the accounts of BD and FA clients continue to evolve and become more sophisticated. Phishing s, for example, used to be fairly easy to spot. Most were filled with typographic and grammatical errors and inaccurate information and/or requests for information. They almost always included an urgent request for immediate action. Lately, however, the financial services industry has seen an uptick in a vastly improved type of phishing scheme designed to capture the login credentials for accounts, which gives the perpetrators a gateway to their victims personal and business information. The criminals are skilled at identifying custodial financial relationships and mining saved s for critical information about account holdings, available cash, and money movement opportunities. This information is used to initiate the kinds of illicit wire transfers and EFTs discussed above. The perpetrators then impersonate legitimate customers on phone calls to determine when those funds will be disbursed and quickly withdraw them before the customers or their financial firms become aware of what s happening. In some cases, cyber criminals also modify victims account settings to divert legitimate s from their financial services providers into spam folders, providing additional time for the criminals to cover their tracks. McKnight, who spent nine years as the FBI s lead investigator for all National Infrastructure Protection Center matters (including high tech crimes, corporate espionage, foreign counterintelligence, and telecommunications fraud), 3

4 expects the struggle to be ongoing. I was paid to think like a bad guy for many years, and still am, he quips. Cyber security is an arms race. As we put in more defenses, the criminals try to leapfrog us with new means of attack. In terms of tactics and techniques, it s like a chess match with no real end game involved. Constant vigilance at all levels is the best defense. Responsibility of Broker-Dealer Firms and Financial Advisors In order to effectively determine their responsibilities to protect against the types of data security threats discussed above, broker dealers and their advisors must understand the applicable regulations, Klink says. That means not only those regulations covering their home office location, but the rules and regulations in effect in every state and locale where they transact business, he stresses. Consulting with legal counsel to gain a full understanding of what rules and regulations apply makes sense because current data protection laws vary from state to state, as do data breach notification laws, which are not necessarily the same as data protection laws. Data breach notification laws require applicable organizations to ensure that consumers are aware when their data is lost versus enforcing custodians of defined data elements to take formal, proactive measures to reduce the likelihood that a notification law will come into play, he explains. As part of their general fiduciary responsibility to their customers, B Ds and FAs should remain constantly vigilant for signs of fraud. Marshall Abbott, vice president of the institutional fraud response team at Fidelity Investments, says there are several signs that can be tip offs to sophisticated phishing scams. The current scam almost always requests a wire transfer, usually to a foreign country, although recent versions have included requests for domestic transfers as well. And while the quality of the content has improved, grammar mistakes and typos might still be evident. The scam may also include a sympathy ploy, claiming a hardship, accident, or death in the family. Often, it is accompanied by a request that the customer be contacted only through . We all want to go above and beyond for our clients, which is why these scams are so effective, Abbott says. may very well be a common method of communication, but advisors really may not want to rely on it for high risk transactions. 7 In addition, any entity registered with the SEC or CFTC (including RIAs and B Ds) which directly or indirectly holds transaction accounts for its clients must develop and implement an Identity Theft Protection Program (ITPP) under Regulation S ID. AdvisorAssist LLC, a management consulting firm that serves investment advisory firms, suggests that even financial advisors not explicitly required to adopt an ITPP should consider doing so as a best practice because: As fiduciaries, FAs are expected to know their clients and put their interests above the firm s. FAs have an obligation to take reasonable and appropriate steps to guard against loss. Since FAs are hired to manage numerous client risks, clients may reasonably assume they are taking necessary precautions to mitigate overall financial and identity risk. If a client incurs a financial loss that could have been prevented by the advisor, the FA has likely lost that client and probably also incurred a loss in the process. Clients are unlikely to be receptive to a nuanced explanation of why the FA is not technically subject to the regulation requiring an ITPP. 8 More Best Practices for B-Ds and FAs Based on its own experiences and those of B Ds and FAs to whom it provides clearing and technology services, Fidelity has identified a number of other best practices firms might consider to help combat the growing threat of data security breaches: To help limit exposure to phishing schemes, adopt customer callout practices to confirm third party wire requests received via ; faxes, voice mail messages, and s should not be used to verify wire transactions. Periodically review and evaluate other controls and verification procedures and make adjustments as needed. 7 Protect Your Clients and Your Firm Against Wire Fraud, Fidelity Investments, January Preventing Identity Theft: A Requirement for Advisors, AdvisorAssist LLC white paper, October 22,

5 Establish, maintain, and constantly update an educational program to keep all personnel abreast of the latest threats. Make sure user IDs and passwords are kept current; delete the login credentials of former employees, and periodically review the level of access granted to current employees. Make full use of all your system s security tools to help identify suspect transactions as early as possible; transactions that are unusual or atypical for a customer s historical profile should trigger an immediate attempt to contact the customer by phone to verify the transaction. Review account balances and transactions at least monthly, and encourage your clients to do the same; immediately report any unauthorized activity identified during these reviews. Surf the web safely; never click on links in unsolicited s or in pop up ads, especially those that warn your computer is infected with a virus and requires immediate attention; do not connect to the Internet via unsecured or unknown wireless networks. Do not allow children to access your device for game playing or other online activities. Review your personal accounts; do not store detailed financial information longer than needed; use secure data storage programs to archive critical data and documents. Review s carefully, change passwords often, and do not develop patterns of money movement that cyber crooks could replicate to make money movement patterns appear more legitimate. Best Practices for Clients The following best practices may be considered not only for B Ds and FAs, but for their clients as well. Firms and advisors should make increasing customer awareness of cyber fraud challenges a regular part of their client communication efforts, along with educational initiatives to show clients how they can help neutralize the threats. Install anti virus and anti spyware programs on all devices (PCs, laptops, tablets, smartphones) and update regularly; they are most effective when kept running in background at all times rather than just running periodic scans. Access sensitive data only through a secure location or device; never access confidential personal data via a public computer, such as in a hotel or cybercafé. Closely guard account passwords; use a personalized custom identifier, which is safer than using your Social Security number. Regularly reset your passwords; do not use similar passwords across a range of financial relationships. Users with many passwords might want to consider a password manager program such as LastPass, Dashlane, or RoboForm Everywhere. Be careful about the type of information and level of detail you disclose on social media sites like Facebook and Twitter. If a Breach Should Occur Despite the best efforts of all involved, sometimes security breaches still occur. That being the case, B Ds and FAs should proactively formulate a response protocol that can be implemented quickly if needed. Having an incident response team (IRT) and plan of action in place can be critical in this situation, says Tom Gorup, Security Operations Center Manager at Rook Security. There should be an incident response point of contact list. If compromise is suspected or evident the first action should be to contact the IRT based on an established communication plan. This ensures checks and balances are in place, and the IRT is taking the appropriate actions to gather as much evidence to pass to law enforcement and/or your forensics team as possible. Klink emphasizes that it is important to bring the legal team into the loop immediately in order to ensure compliance with all applicable regulations in the jurisdiction where the incident occurred. Then teams must work not only to stop the bleeding, i.e., restrict the affected accounts to prevent future disbursements, but they must also be careful not to perform any action that might impede or inhibit any subsequent investigation. Escalate the issue to the appropriate department, make sure you know the after hours escalation procedure, and understand all the resources available to you to help deal with the situation, French advises. 5

6 For more information, please contact your Fidelity representative. For investment professional or institutional investor use only. Not for distribution to the public as sales material in any form. The content provided in this document is general in nature and is for informational purposes only. This information is not individualized and is not intended to serve as the primary or sole basis for your decisions, as there may be other factors you should consider. Fidelity Investments does not provide advice of any kind. You should conduct your own analysis, review, and due diligence based on your specific situation. Firms should work with their legal and compliance advisors to understand the rules, guidance, and requirements set forth by regulators, individual states, and any other relevant agencies. The third party service providers listed are independent companies and are not affiliated with Fidelity Investments. Listing them does not suggest a recommendation or endorsement by Fidelity Investments. The registered trademarks and service market appearing herein are the property of FMR LLC. Fidelity Institutional Wealth Services provides brokerage products and services and is a division of Fidelity Brokerage Services LLC. National Financial is a division of National Financial Services LLC, through which clearing, custody, and other brokerage services may be provided. Both are members of NYSE, SIPC. 200 Seaport Boulevard, Boston, MA FMR LLC. All rights reserved