Financial advisers and their clients must get serious about protecting themselves from cybercrime. In fact, online crime, large and small, is inflicting increasing damage on the U.S. and world economies. Symantec Corp., an antivirus firm, estimated that in 2011, the global cost of cyberattacks was $338 billion. Gen. Michael Hayden, the former head of the National Security Agency, estimated that including the theft of intellectual property, the cost was more than $1 trillion.
Most of these attacks are aimed at government departments and agencies; at corporations, where intellectual property might be found; or at banks, where details about customer accounts might be obtained.
For example, the U.S. Cyber Command estimated that about 250,000 online attacks or probes hit U.S. government networks every hour.
Among the attacks on corporate sites in 2012 were the breaches at LinkedIn and eHarmony, which exposed roughly 6.5 million and 1.5 million hashed passwords respectively; the denial-of-service attacks on Wells Fargo & Co.'s website; and the breach of Zappos.com's systems that exposed the names, e-mail addresses, billing and shipping addresses and the last four digits of the credit card numbers of 24 million customers.
And online crime isn't aimed only at large banks and companies. The criminals often target what may be smaller, softer targets.
Symantec reported that companies with fewer than 250 employees were the focus of 31% of all targeted attacks last year, up from 18% in 2011.
As InvestmentNews senior columnist Bruce Kelly reported in the May 20 issue, a number of advisers have experienced firsthand the rising tide of online crime, and the Financial Industry Regulatory Authority Inc. highlighted online security in its annual “business conduct and sales practice priorities” note to broker-dealers in January.
In one case cited in the article, an e-mail purportedly from a client asked the firm being targeted to transfer $51,000 to Hong Kong, supposedly for the purchase of a condominium. The request included very specific information, including the client's account number, but the adviser suspected something was amiss and called the client, who confirmed that the e-mail was a scam.
The adviser had previously adopted a policy at his firm requiring a verbal confirmation from the client before any requested wire transfer would be accommodated, which thwarted the criminal in this case.
This is an example of the kinds of pre-emptive policymaking that all in the financial services industry should be adopting, because online attacks no doubt will continue to become more numerous and more sophisticated.
STEPS TO TAKE
First, firms must safeguard their own computer systems against infection or attack, and they must tighten their internal security, limiting the number of employees with access to critical client information.
Second, they must develop policies for verifying the legitimacy of client requests regarding transfers of money or securities, or even changes in portfolios, and constantly remind employees of these policies.
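The verification policy described above and in the wire-transfer case earlier in the article can be made mechanical rather than left to memory. The following is an added illustration, not code from the article or from any adviser's system: a small gate that refuses to release a wire until a staff member has recorded a voice confirmation made to the telephone number the firm already holds on file. Two design points matter. First, details quoted in the request (the sender address, the account number) are never treated as evidence, because the scam in the article included the correct account number. Second, a callback number supplied in the request itself is rejected, since that is the number the attacker controls. All class names, records and the sample requests are constructed for the example.

```python
"""Out-of-band verification gate for client money-movement requests (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ClientRecord:
    """What the firm already knows about the client, independent of any request."""
    client_id: str
    account_number: str
    phone_on_file: str  # the number staff dial; never taken from a request


@dataclass
class WireRequest:
    request_id: str
    client_id: str
    amount: float
    destination: str
    sender_email: str
    body: str
    callback_number: Optional[str] = None   # number the e-mail asks us to call, if any
    verified_at: Optional[datetime] = None
    verified_by: Optional[str] = None
    verified_via: Optional[str] = None


class VerificationError(Exception):
    pass


def record_verbal_confirmation(req, client, staff_member, number_dialed, now=None):
    """Record that a staff member confirmed the request by voice with the client.

    Only the number on file is acceptable. A number quoted in the request is exactly
    what an attacker controls, so it is rejected even if it looks plausible.
    """
    if number_dialed != client.phone_on_file:
        raise VerificationError(
            f"{req.request_id}: confirmation must use the number on file, "
            f"not {number_dialed!r}")
    req.verified_at = now or datetime.now(timezone.utc)
    req.verified_by = staff_member
    req.verified_via = f"voice:{number_dialed}"
    return req


def release_wire(req, client, now=None, max_age=timedelta(hours=24)):
    """Return True only if the request carries a recent voice confirmation on file.

    Deliberately NOT used as evidence: the sender address (spoofable) and the account
    number in the body (the scam described in the article quoted the real one).
    """
    now = now or datetime.now(timezone.utc)
    if req.client_id != client.client_id:
        raise VerificationError(f"{req.request_id}: request/client mismatch")
    if req.verified_at is None:
        raise VerificationError(f"{req.request_id}: no verbal confirmation recorded")
    if req.verified_via != f"voice:{client.phone_on_file}":
        raise VerificationError(f"{req.request_id}: confirmation was not made to the number on file")
    if now - req.verified_at > max_age:
        raise VerificationError(f"{req.request_id}: confirmation is stale")
    return True


# Constructed sample data (hypothetical client and requests).
CLIENT = ClientRecord("C-1001", "ACCT-77331", "+1-212-555-0100")

# Modelled on the request in the article: correct account number, own callback number.
SCAM_REQUEST = WireRequest(
    request_id="WR-1", client_id="C-1001", amount=51000.0, destination="Hong Kong",
    sender_email="client@example.com",
    body="Please wire $51,000 from ACCT-77331 for the condo. Call +1-917-555-0199 with questions.",
    callback_number="+1-917-555-0199",
)
LEGIT_REQUEST = WireRequest(
    request_id="WR-2", client_id="C-1001", amount=12000.0, destination="Chicago",
    sender_email="client@example.com", body="Please send $12,000 to my brokerage account.",
)
T0 = datetime(2013, 5, 20, 9, 0, tzinfo=timezone.utc)


def demo():
    """Walk the gate through the cases that matter and return each outcome."""
    outcomes = {}
    try:                                     # 1. e-mail alone, correct account number: blocked
        release_wire(SCAM_REQUEST, CLIENT, now=T0)
    except VerificationError as e:
        outcomes["unverified"] = str(e)
    try:                                     # 2. staff dial the number in the e-mail: rejected
        record_verbal_confirmation(SCAM_REQUEST, CLIENT, "jdoe", SCAM_REQUEST.callback_number, now=T0)
    except VerificationError as e:
        outcomes["callback_from_email"] = str(e)
    # 3. staff dial the number on file and the client confirms: release allowed within 24h
    record_verbal_confirmation(LEGIT_REQUEST, CLIENT, "jdoe", CLIENT.phone_on_file, now=T0)
    outcomes["verified_on_file"] = release_wire(LEGIT_REQUEST, CLIENT, now=T0 + timedelta(hours=1))
    try:                                     # 4. the same confirmation two days later: stale
        release_wire(LEGIT_REQUEST, CLIENT, now=T0 + timedelta(hours=49))
    except VerificationError as e:
        outcomes["stale"] = str(e)
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The same structure applies to requests to change an address, a bank of record or a portfolio: the request creates a pending item, and nothing in the request itself can move it to released. Keeping the staff member's name and the dialed number on the record also gives the firm an audit trail when a regulator asks how a transfer was approved.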
Third, they must work with clients to strengthen the clients' own online-security practices, including using strong passwords that are not reused across sites, keeping Internet security programs up-to-date and making clients aware of the firms' security policies and practices, so that a client expects a confirming telephone call and is not surprised by a delay.
Finally, they must make sure that clients have the resources to withstand denial-of-service attacks on the nation's major financial institutions.
Former Defense Secretary Leon Panetta warned before he left office that it was possible that an online attack could damage the nation's financial system, causing a financial crisis.
Those relying only on debit or credit cards and carrying little cash could find themselves in difficulty if their ATMs are locked up for a significant period by a denial-of-service attack. At the very least, they should diversify their cash holdings across several banks.
The time to prepare financial services firms and clients to withstand online attacks is now, and it isn't just a one-time effort. It will require continued vigilance and work.