
How good is your personal and professional cyber security? I have discovered mine could be better after speaking to experts for this cover feature. And so could the IT culture at advice businesses that make themselves a tempting target for tech-savvy fraudsters.
Although there has not yet been a highly public hack of a major UK advice firm, the chance of it happening is great. Major attacks have occurred in other sectors, such as pensions administration, healthcare and airlines, both at home and abroad.
According to recent research from encryption tool NordLocker, the financial sector faced a considerable surge in ransomware attacks last year, with a total of 120 incidents reported. This increase propelled the sector to become the second most-targeted industry, globally, in 2022.
Previously, the manufacturing, construction and transportation sectors were consistently among the most targeted.
NordLocker says this shift in focus towards the financial sector highlights the evolving tactics of cyber criminals. In short, it shows the importance of staying vigilant and adapting cyber-security strategies to address emerging threats. The trends can be seen in the infographics below.
The cyber crimes involving pensions cut close to the bone for advice firms, which derive so much of their revenue from them.
In March this year, Capita — which administers the UK’s largest private pension plan, the Universities Superannuation Scheme (USS) — was compromised.
Media reports said the USS estimated that hackers might have stolen pension details from 470,000 members, which had been stored on Capita’s servers. At the beginning of May, The Pensions Regulator wrote to trustees of schemes that used Capita as an administrator to ask if their members’ details were at risk.
Pensions are clearly a tempting target for criminals due to the large sums of money involved. The pension freedoms of 2015, and the defined benefit transfers bonanza that peaked several years afterwards, have shown how valuable retirement pots are.
The fact that both retirement and estate planning are such large chunks of advice business revenue streams means firms should be sensitive to that client data.
Sophistication
Examples of scenarios that could unfold here come from North America, where the sophistication of cyber criminals is alarming. In January 2023, several of Canada’s major wealth managers were hacked and saw personal information, including social insurance numbers, stolen.
Mutual fund providers Mackenzie Investments and Franklin Templeton Canada were among those hacked. Only at the beginning of May did they inform clients about the breach, which was linked to a back-office service provider, InvestorCom Inc. It provides printing and delivery of client materials using the data transfer tool, GoAnywhere.
The Clop gang, thought to be based in Russia, has been linked to these and many other attacks. According to the Flashpoint intelligence platform, Clop originated in 2019 and is an extortionist-type malware gang. In the first quarter of this year it was the second most-active ransomware group, surpassed only by LockBit.
Clop steals company data and threatens to publish files on its dark web leak website unless its ransoms are paid. It has been very successful at exploiting vulnerabilities in the GoAnywhere system.
FTRC managing director Ian McKenna believes these examples from Canada are totemic in that they involved a third-party back-office system — which itself used the GoAnywhere data transfer tool — being compromised.
The key point here is that an advice firm, or any type of financial services company, cannot worry just about its own defences. It also has to be vigilant about the cyber policies of third parties that handle client data.
“This whole question of third-party supplier authentication has not had the focus in the UK that it has had in other markets such as the US,” says McKenna. “Cyber security is a higher priority in the US compared to the UK.
“The second big issue is: do you use the same phone for work and personal business? Most firms allow this.”
In an April column for Money Marketing, McKenna wrote about how the US Securities & Exchange Commission had rolled out extensive new requirements for advisers. US-based advisers must now make sure their suppliers apply similar diligence to the protection of client data.
In his column McKenna said, while there was no indication the Financial Conduct Authority planned to impose similar rules on UK advisers, it would be wise to adopt the same approach as best practice.
“It can be argued advisers owe clients a duty of care to protect their data in every way possible anyway. Indeed, I can see such an approach being necessitated by the Consumer Duty,” he continued.
McKenna also quoted research from IBM last year that found 60% of small and medium-sized businesses failed within six months of a data breach.
A sobering thought.
Old wine, new bottles
The whole topic has a degree of déjà vu for seasoned tech nerds because these vulnerabilities and concerns are hardly original.
Back in 2008 the regulator’s predecessor, the Financial Services Authority (FSA), highlighted the issue of unsecure email communications at small firms, having investigated it.
It said: “In general, small firms had very poor or no controls in place to prevent staff accessing web-based communication sites. Thirteen of the 20 small firms we visited allowed their staff to use web-based email, putting their customer data at unnecessary risk.”
That passage is equally applicable today because many advice firms are small businesses run by a handful of people. The FSA gave some examples of good practice, such as giving internet and email access only to staff with a genuine business need; and considering the risk of data compromise when monitoring outbound email traffic.
McKenna estimates 15% to 20% of advisers still use webmail, even though the regulator said they should not do so in its 2008 paper. This practice could lead to fines.
He adds: “Cyber security should be a huge part of your Consumer Duty.
“It is not just digital measures. How many advice firms work to a clear-desk policy or put all files away into a safe at the end of the day?
“A fact-find is the perfect document to commit fraud against clients. Imagine if I was to set up a cleaning company that promised cheap cleaning services to financial advice firms? Cyber criminals are happy to pay for the latest tools to steal your money. The criminals know the flaws and know how to exploit things.
“Make sure you do everything you can to enable every layer of security on [personal and company] devices.”
Up your game
Other commentators worry about the lack of progress advice firms have made to address gaps in their cyber policies and behaviour.
Origo CEO Anthony Rafferty says the sector faces almost “a perfect storm” where cyber criminals are world class but the companies they target are not.
He has a shocking first-hand experience of this, one that arose as a consumer rather than through his job as the director of a tech firm.
Back in 2020 Rafferty wanted to consolidate his various pensions, so he contacted the administrator of his final salary scheme to arrange a transfer out.
“The administrator wanted to send my transfer quote to me through unencrypted email and use my National Insurance number as the password for the document. I was incredulous, complained and said it was a GDPR breach.
“But the administrator came back, said it did not think it was a GDPR breach and sent the transfer quote through the post instead. An encrypted email should have been used and I mention this as an example of what is happening every day in our industry.
“If I was not chief executive of a tech business, I probably would have thought everything was fine.”
Rafferty thinks his background does give him an edge when spotting cyber scams.
He gives an example he is proud of: during a recent webinar he received an email from someone with a business proposal attached. He knew this person, but not well enough for them to be sending him a business idea, so he was suspicious.
“I sent them a LinkedIn message asking, ‘Is this you?’ and they said, ‘No, my account was hacked.’ They thanked me for picking up on what had happened,” Rafferty says.
He argues many advisers are not doing enough and laments the lack of progress over the past decade.
“I think 10 years ago the score for cyber security was probably a three out of 10. I don’t think we are beyond five out of 10 right now.
“The advice sector has been lucky a big hack has not happened here yet. Any financial advice business not using secured email or a secure portal is at risk of being a victim of cyber crime.”
What explains the lack of urgency from some advice firms? Rafferty flags up a combination of naïveté and an emphasis on efficiency rather than risk aversion. So advisers may send critical client documents on unsecured email because it is perceived as convenient, without realising the potential danger for everyone.
Another problem Rafferty has noticed is the practice of an adviser sending a document securely to the client but leaving it to the client to respond in the manner they choose.
This is ultimately counterproductive, both being inefficient and exposing the adviser to the charge of negligence.
“When the advice firm does this there is a sense of, ‘We have done our bit and it is not our fault if the customer chooses not to send back [the document] securely,’” says Rafferty.
“These occurrences would fall foul of the Consumer Duty as they would put the client at risk.
“If I was policing the Consumer Duty, I would look at things like that. Advisers have an obligation to ensure clients can receive those documents in a secure manner and send them back that way.”
Nonetheless, the upside is that these shortcomings can be remedied easily by investing in an encrypted email or portal. Such things are not expensive, says Rafferty, and can be purchased for around £10 a month.
The distinction between a portal and encrypted email is that with the former you log into a secure virtual location. With ordinary, ubiquitous email, you don’t.
There are several further measures Rafferty thinks could be worthy of development. One is to have a person who is a champion of cyber security within the advice firm; a second is for firms to partner each other and conduct friendly ‘hacking drills’; a third, at the individual level, is to send fake phishing emails to staff to see who clicks on the link.
All of these would help educate staff on what to do, and what not to do, next time.
Case study
Reeves Financial director Adam Reeves is passionate about cyber security. His firm pays for annual accreditation provided by the government’s National Cyber Security Centre.
This is called Basic Cyber Essentials and Reeves thinks it is a good benchmark for advice firms to use.
His firm does an internal test with staff every two weeks on malware and phishing emails to ensure they are freshly trained to deal with cyber threats.
“The other threat is something I call ‘people hacking,’” says Reeves. “Just because you have good IT, it is not sufficient if someone does something they shouldn’t do. If you look at most of the hacks, it is mostly through people hacking where someone lets an outsider in through the back door.”
Reeves has a sense that other advisers do not give as much attention or thought to cyber as he does.
He adds: “I am not hearing people say it is a high priority.
“It is down to the Chartered Insurance Institute and the Financial Conduct Authority to find out what is going on. The FCA could do an audit on advice firms using its RegData returns to see whether IFAs use Cyber Essentials and what other things they have done. That would be a sensible place to start.
“A lot of smaller IFAs may not have an IT department that can help them and provide a solution. For me, if you don’t invest in your business to do this properly, you are leaving yourself and your clients wide open.”
The guardians
Beyond Encryption chief executive Paul Holland knows the intricacies of internet security intimately. His company is responsible for Mailock, which secures email communications for the 55,000 advisers and/or paraplanners connected to its ecosystem.
Holland says: “The market is fragmented as there are the big players and small ones. The advice sector is no different from the legal and accountancy professions.
“There are many small advice firms that are great but do not have a technical director. Our ambition is to close the gap between small advice firms and large players on cyber security.
“Technology should be a complement for an advice business but technology can also get in the way.
“One of the reasons we did what we did was the tech out there was not that easy to use.”
Financial advisers tend to be heavily educated in terms of the exams they sit and the qualifications they pass. Beyond Encryption strives to teach them about technology, which is where, traditionally, they are weak.
One of the lessons it wants to ram home is that simple steps, such as the use of a portal or secure log-in, can counter many threats effectively.
“We can give advisers and customers the equivalent of airbags and seatbelts to create a free flow of information,” says Holland.
Consumer Duty
Holland is not a big fan of the regulatory sticks driving change but he envisages the Consumer Duty pushing the sector towards more cyber security.
“It is driving a last-minute surge of product providers because companies are thinking, ‘I have to act and do something about this.’”
His greatest hope is that one day measures will be put in place on cyber that are akin to seatbelts and airbags.
“I think there has been a bit of an awakening that mistakes can be extremely damaging. Reputations are won over years and lost in seconds,” says Holland.
“It took a pandemic to make people realise the capabilities of technology available.
“I want people to realise that using open email is a bit like driving a car without a seatbelt.”
Holland is clearly passionate about this.
“We need to do something to protect against the evil. Front seatbelts were made mandatory by law back in 1983; back seatbelts in 1991 and airbags in 1999.
“One day we should look back and ask how we got this wrong for so long.”
13 cyber-security questions advice firms should ask themselves
By Brian Edelman, founder and chief executive of FCI Cyber
- Do you know for sure that your firm has an active cyber programme?
- Does your firm have cyber insurance?
- If you had a cyber-security incident (someone tried to get in)/breach (they did get in), would you know who to call?
- Would everyone from your firm call the same person? Who in your organisation?
- Does your firm have a list of all approved vendors, including every firm that provides software and/or technology services, together with their cyber-security contacts?
- If you lost a laptop or device, can your team remotely lock or wipe it? If so, how? This is needed not just for hardware you own but potentially for any devices staff own that have client data.
- Would a new laptop be blocked from accessing all file systems/data until approved (this includes personal devices)?
- On a new laptop, are you prevented from installing any applications?
- When you transfer private data, are you prompted to allow/block the transfer?
- Does every system you log into require multi-factor authentication?
- Does your multi-factor authentication know where you are? Identity location can be a valuable protection.
- Is your IP address always the same no matter where you are? This can prove you always have security control. If it varies, it can also be a demonstration of risk.
- Does your cyber-security team have a dashboard to see all devices and events?
This article featured in the July/August 2023 edition of MM.