- By Harry J. Lew for Gallagher Affinity
Banks and investment firms hold deposits worth trillions of dollars, so if a cybercriminal can breach their defenses the effort can yield stupendous paydays. Public accountants maintain treasure troves of consumer data that, if stolen, can be used by these thieves to unlock bank and investment-firm accounts. No wonder these are both the best of times (in terms of job security) and the worst of times (in terms of job stress) for financial-industry data security experts.
A recent Accenture and Ponemon Institute study, however, suggests it may be more the latter than the former. According to their Cost of Cyber Crime Study, the average tab for financial-services firms has grown more than 40 percent in the past three years—from $12.97 million per firm in 2014 to $18.28 million in 2017. The study also found that the average number of breaches financial-services firms experience annually has more than tripled over the past five years, growing from 40 in 2012 to 125 in 2017.
If you work in the financial-services industry at any level, these statistics are highly disturbing. They become even more so when viewed through the lens of a specific breach. Consider the 2015 incident at Indiana-based Anthem Blue Cross Blue Shield.
According to the KPMG white paper, “Closing the Gap: Cyber Security and the Insurance Sector,” Anthem suffered a major breach that exposed the data of millions of customers. Investigators found that the incident began in February 2014 when an employee in one of its subsidiaries opened a phishing email that contained malicious content. This gave hackers the ability to not only access that person’s computer, but also dozens of others across the Anthem enterprise. At the peak of the attack, which was perpetrated by a hostile nation-state, the hackers used 50 employee accounts to compromise some 90 data systems within Anthem, including the firm’s data warehouse. Ultimately, the cybercriminals exfiltrated the confidential data of 80 million customers.
The resulting costs to Anthem were staggering. According to KPMG, the initial expenses for security improvements, remediation, and post-breach cleanup totaled about $260 million. There were also so-called “slow-burn” effects, including $115 million to settle consumer litigation, as well as additional costs to provide credit monitoring for those whose data were compromised.
But what do large-scale cyberattacks have to do with you? Plenty. Think of yourself as a microcosm of all the same risks faced by large financial institutions. Cybercriminals can breach your computers to steal the identities of your clients too – perhaps with more ease than with large corporations. Your defenses against such attacks may not be as hardened and your response resources may be more limited.
In fact, because you have fewer resources, one might argue public accountants are at much greater risk than large financial-services companies. Here are some of the risks your firm faces every day.
Social engineering: A cyberattack method that relies extensively on tricking people into breaking normal security protocols to gain entry into systems and networks. Social-engineering techniques use phishing, spear phishing, and pretexting to exploit human vulnerabilities.
Ransomware: Once this form of malicious software becomes installed on your computer, it locks you out of your data unless you pay a ransom. Hackers typically use phishing emails and other social-engineering techniques to get users to click a link that downloads the application that takes over the host computer.
Hotspot Sniffers: IT administrators use so-called sniffers to monitor network activity and diagnose problems. The sniffer analyzes network traffic and generates findings so administrators can resolve problems. Bad guys use sniffers in Wi-Fi hotspots to see data as it travels from device to router, and then steal it. Cybercriminals can gain access to usernames and passwords, and potentially hijack your device.
Mobile Device Hijackers: A newer technique involves hijacking smartphones to gain access to the personal and financial data stored on them. By using your last four Social Security digits and a fake ID, criminals contact your cell phone provider to initiate a transfer of service to a new device. After the company ports the phone number to a new device, the criminals can reset passwords on your financial accounts and then loot your money or attempt to blackmail you.
Password cracking: Typically, cracking consists of repeatedly guessing a password using a computer algorithm that tries various combinations until the actual word or words become known. With passwords in hand, cybercriminals can then get access to your computers or accounts to steal and use your financial or banking information.
To prevent exposure to these scams, you should engage in commonsense defensive measures. According to Financial Planning magazine, here are 10 of the most important:
- Encrypt emails or use secure web portals.
- Secure your computers and networks by storing documents offline or behind a firewall.
- Secure physical documents with client data when they aren't being used.
- Use multiple sign-offs for any fund disbursements.
- Review and change passwords frequently, and consider use of a password manager.
- Back up data, either in a physical off-site location or in the cloud.
- Update devices with the latest software patches.
- Avoid public Wi-Fi when making purchases with credit cards or when accessing client files or firm data.
- Educate clients about cybersecurity, especially relating to their finances.
- Create and update an annual cybersecurity plan.
As financial-services firms and software providers tighten vulnerabilities, hackers will move on to a new technique. It is crucial to continually update your cybersecurity plans.
You must decide whether to become your firm’s self-taught cybersecurity expert or to hire a contractor. If you choose to do it, know going in that it does take time. There will be an opportunity cost for doing this work instead of the normal sales, marketing, or management tasks you normally handle.
On the other hand, many vendors who handle cybersecurity have solutions—and fees—geared toward large corporations. As a public accountant, large cybersecurity consultants may be out of your budget.
Regardless of which way you turn, Gallagher Affinity offers cyber liability and data breach insurance for PICPA members. This is becoming an increasingly important purchase for financial professionals. It protects accountants against various first-party and third-party post-breach expenses. The former category includes breach response, credit notifications, forensics analysis, public relations consultants, cyber extortion payments, and business interruption costs. The latter category covers the payment of regulatory fines for privacy violations, attorney expenses, and the costs of future lawsuits and settlements, among others.
It’s well past time to embrace a “code-red” sense of urgency about cyberattacks and cyberbreaches. By developing and maintaining a cybersecurity plan, adhering to commonsense defensive measures, and buying a high-quality cyber-liability and data breach insurance policy, you can go to sleep at night knowing you did all you could to protect your customers, your employees, and yourself. And if cybercriminals do target your firm, you will have confidence that the procedures you established to mitigate the damage and respond effectively will perform capably. Hopefully, it won’t come to that. If it does, you will be ready.