Why Office-Client Communications are a Security Risk — And How to Fix It
Cybersecurity risk is one of the biggest threats faced by wealth managers and their clients today. Indeed, a recent report by Northern Trust ranks cybersecurity as Family Office managers’ top concern, outstripping market volatility and geopolitical uncertainty for the #1 ranking.
While it’s true that some basic cybersecurity practices, such as implementing strict password policies and keeping anti-virus software up to date, go a long way, it’s also true that there are numerous parts to a fleshed-out cybersecurity strategy.
When engaging with a third-party software vendor, a wealth manager will want to make sure the vendor’s software meets rigorous security criteria. First, confirm that hosting is physically secure. Then, from a cyber perspective, check that the requisite layers of defence are in place: firewalls, intrusion detection, close employee vetting, access controls, encryption of data, and regular vulnerability assessments and security scans. A vendor should hold certified security standards, such as ISO 27001, and undergo SOC (System and Organization Controls) audits. Multi-factor authentication and exponential password lockouts are important features for blocking brute-force attacks.
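As an added illustration of the "exponential password lockout" control mentioned above (example code written for this article, not any vendor's or Topaz's implementation), the following Go program wraps a credential check with a policy that tolerates a few failures and then locks the account for a period that doubles with every further failure, up to a cap. The threshold, base and cap values are assumptions chosen for the demonstration, and the `Now` field exists so the behaviour can be checked without waiting in real time.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LockoutPolicy applies an exponentially growing lockout to an account after
// repeated failed sign-ins. Constructed example; the parameters are assumptions,
// not any vendor's defaults.
type LockoutPolicy struct {
	Threshold int              // failures tolerated before the first lockout
	Base      time.Duration    // length of the first lockout
	Max       time.Duration    // cap, so a sustained attack cannot lock a client out forever
	Now       func() time.Time // clock, replaceable in tests

	mu    sync.Mutex
	state map[string]*accountState
}

type accountState struct {
	failures    int       // consecutive failures since the last success
	lockedUntil time.Time // zero when not locked
}

func NewLockoutPolicy(threshold int, base, max time.Duration) *LockoutPolicy {
	return &LockoutPolicy{Threshold: threshold, Base: base, Max: max, Now: time.Now,
		state: map[string]*accountState{}}
}

// lockoutFor returns the lockout to apply after the given number of consecutive
// failures: 0 up to the threshold, then Base, 2*Base, 4*Base ... capped at Max.
func (p *LockoutPolicy) lockoutFor(failures int) time.Duration {
	over := failures - p.Threshold
	if over <= 0 {
		return 0
	}
	d := p.Base
	for i := 1; i < over && d < p.Max; i++ {
		d *= 2
	}
	if d > p.Max {
		d = p.Max
	}
	return d
}

// Remaining reports how long the account is still locked (0 if it may try now).
func (p *LockoutPolicy) Remaining(account string) time.Duration {
	p.mu.Lock()
	defer p.mu.Unlock()
	s, ok := p.state[account]
	if !ok {
		return 0
	}
	if rem := s.lockedUntil.Sub(p.Now()); rem > 0 {
		return rem
	}
	return 0
}

// Authenticate runs check only when the account is not locked, records the
// outcome, and returns whether sign-in succeeded plus any lockout now in force.
func (p *LockoutPolicy) Authenticate(account, password string, check func(account, password string) bool) (bool, time.Duration) {
	if rem := p.Remaining(account); rem > 0 {
		return false, rem // refused without evaluating the password at all
	}
	if check(account, password) {
		p.mu.Lock()
		delete(p.state, account) // success clears the failure history
		p.mu.Unlock()
		return true, 0
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	s, ok := p.state[account]
	if !ok {
		s = &accountState{}
		p.state[account] = s
	}
	s.failures++
	d := p.lockoutFor(s.failures)
	if d > 0 {
		s.lockedUntil = p.Now().Add(d)
	}
	return false, d
}

func main() {
	// Assumed credential check standing in for a real password-hash comparison.
	check := func(a, pw string) bool { return a == "client@example.com" && pw == "correct-horse" }
	p := NewLockoutPolicy(3, 30*time.Second, time.Hour)
	for i := 0; i < 6; i++ {
		ok, lock := p.Authenticate("client@example.com", "wrong", check)
		fmt.Printf("attempt %d: ok=%v lockout=%v\n", i+1, ok, lock)
	}
}
```

The important design point is that a locked account is refused before the password is even compared, so an attacker gains no information from the lockout window, and that successful sign-in resets the counter. A per-account lockout can itself be abused to lock a legitimate client out, which is why the cap exists and why this control belongs alongside multi-factor authentication rather than replacing it.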
There remains, however, one often overlooked vulnerability in the cybersecurity picture: office-client communications.
The problem with traditional institution-client communications
There are two primary methods of institution-client text-based communication: email and chat. Chat refers to instant messaging apps, such as WhatsApp, which are sometimes used as a communication channel between institutions and their clients. Both carry risks and should be vetted as part of a joined-up security strategy.
For many institutions, email is still the primary method of communication between office and client, despite email being an increasingly antiquated protocol. There are two primary risks associated with email: phishing and related impersonation fraud; and large-scale data breaches.
Phishing risks stem from email’s open-to-anyone design, which from a 2021 standpoint seems to reflect a kind of naive techno-utopianism characteristic of the early web. These days, it can seem strange that we are reachable by any bad actors with the correct address. And unlike phone numbers, which are similarly accessible, email addresses can be easily guessed, typically formed by a combination of the person’s name and initials, a number, and a domain. This is particularly true of business addresses.
For the high-net-worth individual (HNWI), their wealth makes them a target for a more sophisticated type of fraud called “spear phishing”. Spear phishing is similar to common phishing attacks in that it aims to trick a target into clicking a dangerous link or otherwise giving up valuable information. Where it differs is in the targeting — the rich — and in the level of personalisation in its fraud attempts. Fraudsters will go to great lengths to create authentic, believable attack emails. They may use official-looking email addresses, correctly apply corporate branding, and reference accurate personal information.
Some estimates put spear phishing attacks as up 250% since 2018, accelerated in the past year by the onset of the coronavirus pandemic. According to the Financial Times, the sudden surge in homeworking has “increased opportunities for fraudsters to exploit communication links.”
The second email risk pertains to the threat from data breaches. Hackers target consumer companies that hold a large amount of customer data, including but not limited to email addresses, passwords, and other sensitive personal information. As millions of people worldwide can be affected in a single breach, they make headlines frequently. Microsoft email servers have notably been in the news recently as part of widespread hacking.
Chat apps have grown in popularity in recent years among wealth management institutions and their clients. WhatsApp in particular has seen extensive uptake thanks to its familiarity, flexibility, and end-to-end encryption. One such advocate is the head of a multi-family office in Geneva, who expressed his satisfaction with WhatsApp to CityWire Switzerland in no uncertain terms. “If they took WhatsApp away from me, I would die,” he said, adding that WhatsApp is “the most powerful tool that exists to simplify communication.”
Despite this testimony, however, there are risks associated with WhatsApp that are worth evaluating. For one thing, there is no additional authentication to access the app after logging into the handset, meaning once a hacker has access to the phone they can read the chats. Meanwhile, question marks over WhatsApp’s GDPR compliance are cause for concern, too.
More broadly, WhatsApp’s prominence as a mass tool of communication subjects it to political scrutiny. Sitting at the juncture of Big Tech and politics, WhatsApp must be vetted from a governance perspective. The parent company of WhatsApp, Facebook, has a complicated relationship with privacy, and it can’t be assumed that Facebook will never try to monetize the valuable personal information contained within chats. Additionally, some governments increasingly view WhatsApp as a potential facilitator of illegal activity, as even intelligence agencies are kept at arm’s length by its end-to-end encryption. Both angles could lead to a softening of WhatsApp’s credentials as a secure channel in the future.
…And how to fix it
There are alternatives to email and consumer messaging clients that address the cybersecurity concerns of the HNWI. Digital wealth management solutions are one such alternative, offering a portal built from the ground up with cybersecurity in mind.
Digital wealth management solutions remove email from the equation entirely and replace it with a dedicated office-client communication channel running on your own software instance in your own cloud. Strong AES-256 encryption can be applied to all communications, including chats, while secure document transfer can be conducted through self-contained portals. To defend against man-in-the-middle attacks, traffic between services is encrypted, fine-grained access policies are enforced, and mutual TLS (transport layer security) authenticates both ends of every service connection. Meanwhile, at the app level, an extra layer of security is provided by built-in two-factor authentication.
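To make concrete what mutual TLS adds over ordinary server-only TLS, here is an added Go example (written for this article; it is not Topaz's code and assumes nothing about any product's internals) that issues a throwaway CA, a server certificate and a client certificate, starts a loopback listener configured with `tls.RequireAndVerifyClientCert`, and then connects once with a CA-issued client certificate and once without. The server-side handshake verdict shows the effect: a peer that cannot present a certificate chained to the office's own CA is refused before any application data flows, which is what keeps an interposed party or an unknown service out of the channel. The names `Demo Office CA`, `office-portal` and `client-device` are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert creates a P-256 certificate for cn. With parent == nil it is a
// self-signed CA; otherwise it is a leaf signed by parent. Constructed helper.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA = true // self-signed CA, allowed to sign the leaves below
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		signer, signerKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // loopback only, for the demo
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MutualTLSAdmits starts a loopback listener that requires a client certificate
// chained to the demo CA, connects once (with or without such a certificate)
// and reports the server-side handshake verdict plus the server's reason.
func MutualTLSAdmits(withClientCert bool) (admitted bool, reason string, err error) {
	ca, caKey, err := issueCert("Demo Office CA", nil, nil)
	if err != nil {
		return false, "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCert, srvKey, err := issueCert("office-portal", ca, caKey)
	if err != nil {
		return false, "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" part
		ClientCAs:    pool,                           // only our own CA is trusted for clients
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return false, "", err
	}
	defer ln.Close()

	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer conn.Close()
		verdict <- conn.(*tls.Conn).Handshake() // nil only if the client proved a CA-issued identity
	}()

	cli := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if withClientCert {
		cliCert, cliKey, err := issueCert("client-device", ca, caKey)
		if err != nil {
			return false, "", err
		}
		cli.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), cli)
	if dialErr == nil {
		defer conn.Close()
	}
	select {
	case e := <-verdict:
		if e != nil {
			return false, e.Error(), nil
		}
		return true, "", nil
	case <-time.After(5 * time.Second):
		return false, "", errors.New("handshake did not complete")
	}
}

func main() {
	for _, with := range []bool{true, false} {
		ok, why, err := MutualTLSAdmits(with)
		fmt.Printf("client certificate presented=%v admitted=%v err=%v %s\n", with, ok, err, why)
	}
}
```

Note that the verdict is read from the server side on purpose: under TLS 1.3 the client's own handshake can complete before the server has inspected the client certificate, so a client-side "connected" result would be misleading. In a real deployment the CA, key storage and certificate rotation would live outside the process; the configuration fields shown (`ClientAuth`, `ClientCAs`, `RootCAs`, `MinVersion`) are the ones that carry the policy.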
And looking beyond security, there are multiple compliance and efficiency benefits through having easily extractable and searchable records of conversations and decisions all in a single system.
There are lots of pieces to the cybersecurity puzzle, but using dedicated communication channels is a relatively easy piece to place. An email inbox can be a dangerous place — and especially so for the super-rich. The right digital solutions provider will tighten the security, improve compliance and provide peace of mind to both institution and client.
Topaz provides best-in-class experience for high-net-worth clients. Contact Topaz to find out more.