Wealth management firms are under increasing pressure from cyberattacks. Firms and regulators are paying more attention to digital threats and stepping up their defenses. Karl Schimmeck, managing director of financial services operations at SIFMA, talks with On Wall Street about where the threats are coming from and what is being done to mitigate the risk.
What are currently the most serious threats and risks?
I think the primary threat remains the criminal element, and then maybe the hacktivists. They’ve targeted the industry for a long time. We are seeing more advanced criminal elements, particularly overseas. They are ramping up their capabilities and firms are doing the same thing, and so is the government.
The third piece is the nation state sponsored cyberattacks. That is a concern, especially when you look at Sony. You are looking at someone with a different motivation. They are not looking to steal money, but rather to cause damage.
Are the attacks increasing?
I think we are seeing more attacks and more frequent attacks. One of the biggest issues is that the criminal element does a very good job of sharing what works and doesn’t work, like malware and viruses. They put them out for sale on the black market. That’s where we see the need for more and better sharing of information with the government.
How prepared is the industry?
Firms are taking this threat very seriously. They spend a tremendous amount of money and resources on threat identification, prevention and responses. When you look at other sectors, the financial services sector is ahead of the class on this.
How much attention are regulators giving to this issue?
They are very active on the topic, and that goes across regulators. The SEC put out guidance on this last year [and recently reissued warnings]. The FDIC and the Federal Reserve have [also] been very active in this space for years.
They take it very seriously. They are actively ramping up their capability. The SEC is making sure that their examiners are knowledgeable.
What efforts is SIFMA making this year?
We have been ramping up our program to be more responsive to the needs of our members. We had a number of programs last year focused on cybersecurity and the risks out there. We’ve gone out to 180 of our smallest members. We’ve purchased a year of membership in FS-ISAC so that they can get more awareness of the threat that they are facing and what they can do.
We do exercises and we are working with our government partners to improve information sharing programs, and to make sure that the programs that are already in place are working the best they can. And we are very happy with the focus the White House has put on this topic.
What are the precautions that firms should have in place?
We put out a small business guide that we think all firms can do. That’s one place to start. For most firms, you need to do the basics like only running applications that are known on your network. Make sure you have proper virus protections in place. Limit the privileges of your users. You might be able to address 80% of the risks by doing those basic things.
That’s the thing. It takes away all the easy things that someone can do to compromise your network. You are making it hard on them and that’s part of the process. You can then focus on the more sophisticated attacks that you could face.
User behavior is a tough one. If you have a network with no users, it’d be the safest place in the world. But it’s difficult with people sharing information — it’s very easy to develop a profile of someone at a firm.
Many advisors work at firms with large IT departments. Should they be concerned about cybersecurity?
Firms are getting very good at pushing the message down in their organizations: Cybersecurity is a core responsibility and everyone is responsible.
It’s a reputation issue; if you fail and you lose data, you can lose the trust of clients and your whole business can be at risk.