David is a Cyber Underwriting Specialist at The Hanover Insurance Group in Howell, Michigan, USA. As part of the Certified Cyber Insurance Specialist (CCIS) course, he completed a complex assignment on cyber risk in the Financial Planning Industry.
What is Financial Planning?
Financial planning is the process of determining how an individual can meet life goals through the management of his or her financial resources, such as planning for retirement, buying a home, saving for a child’s education, or starting a business.
A financial planner assists clients in analyzing their finances, identifying financial objectives, and developing comprehensive strategies to achieve their goals. Services provided include preparing written financial plans, offering relevant products and services such as life insurance, reducing taxable income, advising on asset allocation, and recommending specific investment options like stocks, bonds, mutual funds, annuities, and money market accounts.
The Financial Planning Industry is subject to strict regulation and monitoring worldwide, and rightfully so. Financial institutions store substantial amounts of confidential information, ranging from personal financial data to trade secrets, and are accountable for securing it. Nevertheless, the fast pace of technological change and digital transformation has created a range of cybersecurity challenges for financial companies.
Increasing Cyber Risk in the Financial Planning Industry
Cyber criminals are increasingly targeting the Financial Planning Industry, and the number of attacks has risen sharply in recent years. Between the beginning of February and the end of April 2020, cyberattacks on the financial sector grew by 238%, and the cyber and intelligence unit of BAE Systems found that 74% of financial institutions had experienced a rise in cyberattacks since the pandemic began.
Over the last couple of years, various companies have suffered significant financial and reputational setbacks due to cyberattacks. According to the Federal Reserve’s 2022 report, these attacks represent the most significant threat to financial institutions globally.
Cyber Risk Considerations in the Financial Planning Industry
The Financial Planning Industry is a key target for cyber criminals because of the sensitive nature of the information it holds, including clients’ personal and financial data. Cyber risks such as hacking, phishing, malware, and social engineering attacks pose a significant threat to financial planning firms, and the attack surface exposed to these risks is broad and constantly evolving.
The Financial Planning Sector Attack Surface
With banking services becoming more convenient and accessible, the number of potential entry points for attackers has also increased. Mobile banking services, ATM transactions, and interbank transactions are just a few examples of entry points that attackers can exploit to reach sensitive information. These systems are linked across complex, extensive IT networks that are critical to operations and present many potential points of attack, all of which need to be protected. Attackers may take advantage of relatively light security on mobile apps, or target an ATM that is not closely watched with a skimmer or malware.
Once cyber attackers gain access to these systems, they can use the information they obtain for identity theft and financial fraud. Therefore, it is crucial for financial institutions to implement robust security measures to protect against potential attacks and safeguard customer information.
Phishing and social engineering attacks can easily lead to compromised online accounts, data breaches, and ransomware attacks. Financial advisors are at especially high risk from phishing campaigns used to harvest credentials or to install malware or ransomware on the company’s network.
With remote work growing in popularity in the industry, there is an increased chance of lax security procedures and loosely controlled access to sensitive information, which makes firms easy prey for cybercriminals seeking to exploit vulnerabilities. It is therefore vital for financial advisors to review their systems and stay up to date on IT security practices.
Internal Threats and Exposures
Financial planning firms face significant cyber liability exposure when it comes to protecting clients’ personal information from cyber attacks. Cyber risks include both third-party and first-party exposures, which can result in lost data, lost business revenue, and claims arising from negligence or inadequacies in the insured’s computer network or website. Exposures may arise from both internal and external efforts to hack or steal confidential client information, including computer viruses and distributed denial-of-service (DDoS) attacks that can shut down operations for extended periods. In addition, the costs incurred to notify those affected and to offer credit monitoring can be significant.
Financial planning firms must take proactive measures to protect themselves against cyber risks. The human employee is typically the weakest link, and employee action remains a leading cause of breaches. Financial planning firms must therefore prioritize cybersecurity by implementing robust controls, regularly testing and updating them, and raising awareness of cyber risks among employees. By taking these measures, financial planning firms can reduce the likelihood of cyber attacks and minimize the potential impact of cyber risks on their clients and their business.
Case Study: Cyber Risk in the Financial Planning Industry
Crelan Bank, in Belgium, was the victim of a Business Email Compromise (BEC) scam that cost the company approximately $75.8 million, after employees fell for a sophisticated social engineering email scam known as CEO fraud.
In this type of attack, the phisher compromises, or convincingly spoofs, the email account of a high-level executive within the company and, posing as that executive, instructs employees to transfer money to an account controlled by the attacker.
The Crelan Bank fraud was discovered during an internal audit, and the bank was able to absorb the loss because it had sufficient internal reserves; to this day, however, the identity of the attackers remains unknown.
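The CEO-fraud pattern described above leaves traces that a mail gateway or security team can check before a payment request is acted on: a trusted executive's display name on an address that is not the executive's mailbox, a sender domain one character away from the firm's own, a Reply-To that quietly redirects the conversation, failed SPF/DKIM/DMARC results, and the urgent wire-transfer language itself. The Python sketch below is an added example, not Crelan Bank's controls nor the CCIS course's material; the firm domain, the executive roster and the two sample messages are constructed for the example, and a real deployment would take the roster from the directory and run the check inside the mail pipeline.

```python
"""Heuristic triage of an inbound email for CEO-fraud / BEC indicators.

Added example: the firm domain, executive roster and messages below are
constructed assumptions, not real organisations or captured traffic.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

FIRM_DOMAIN = "example-planning.com"          # hypothetical firm
# Normalised display name -> the executive's genuine mailbox (hypothetical).
EXECUTIVES = {"alice ceo": "alice@example-planning.com"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|urgent|invoice|iban|beneficiary)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalikes such as example-p1anning.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def norm_name(name: str) -> str:
    """Collapse case and whitespace so 'Alice  CEO' and 'alice ceo' compare equal."""
    return " ".join(name.lower().split())


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the BEC indicators it trips."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    auth = str(msg.get("Authentication-Results", "")).lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    indicators = []
    expected = EXECUTIVES.get(norm_name(from_name))
    if expected and from_addr != expected:          # exec's name, stranger's mailbox
        indicators.append("display_name_impersonation")
    if from_domain and 0 < edit_distance(from_domain, FIRM_DOMAIN) <= 2:
        indicators.append("lookalike_domain")        # typo-squatted firm domain
    if reply_addr and reply_addr.lower() != from_addr:
        indicators.append("reply_to_mismatch")       # replies routed to the attacker
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        indicators.append("authentication_failure")  # sender not authorised for domain
    if PAYMENT_TERMS.search(text):
        indicators.append("payment_language")        # the fraud's actual ask
    return {"from": from_addr, "indicators": indicators}


# Constructed sample messages (not real traffic).
LEGIT = b"""From: Alice Ceo <alice@example-planning.com>
To: payments@example-planning.com
Subject: Q3 planning meeting
Authentication-Results: mx.example-planning.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Can we move Thursday's meeting to 10am?
"""

CEO_FRAUD = b"""From: Alice Ceo <alice@example-p1anning.com>
To: payments@example-planning.com
Reply-To: alice.ceo.office@mail.example.net
Subject: Urgent wire needed today
Authentication-Results: mx.example-planning.com; spf=fail (sender IP not authorised); dmarc=fail
Content-Type: text/plain; charset=utf-8

I'm in a closed meeting. Please transfer EUR 250,000 to the beneficiary IBAN below
before 3pm and keep this confidential. I will explain later.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("ceo_fraud", CEO_FRAUD)):
        print(label, triage(raw))
```

None of these indicators proves fraud on its own (a genuine executive may well write "urgent"), which is why the function returns the full list rather than a verdict: the operational control is that any payment request tripping the impersonation, lookalike or authentication checks is held until the request is confirmed with the executive over a channel other than the email thread itself.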
Cyber Liability Risks in Financial Planning Firms: Protecting Client Information
Financial planning firms face significant cyber liability exposure in protecting clients’ personal information from computer viruses and hacking attempts against the insured’s computers, servers, and networks.
They are also exposed to third-party losses, including claims of negligence or breach of duty to protect the security and confidentiality of non-public proprietary corporate information and personally identifiable non-public information (including information of a medical, financial, or personal nature in electronic form). Failure to protect against unauthorized access, use, or disclosure of such information can result in claims, as can failure to protect against foreseeable threats and hazards such as phishing.
To prevent these losses, financial planning firms must prioritize cybersecurity and take proactive measures to protect themselves against cyber attacks. This may involve implementing robust cybersecurity measures, regularly testing and updating them, and raising awareness of cyber risks among employees.
In the event of a cyberattack, a swift response, along with proper insurance coverage, can help mitigate financial losses, limit downtime, and manage liability, ultimately preserving a company’s reputation and brand loyalty.
In conclusion, the financial planning industry faces a significant cyber risk due to its increased digitalization. With a rise in cyberattacks on financial institutions, financial planning firms must prioritize cybersecurity measures to protect themselves and their clients from cyber risks such as hacking, phishing, and malware attacks. With the potential for significant financial loss and reputational damage due to cyber attacks, it is essential for financial planners to be vigilant and proactive in implementing robust cybersecurity measures, regularly testing and updating them, and raising awareness of cyber risks among employees. By doing so, they can minimize the potential impact of cyber risks on their clients and their business.
Read more about our CII-accredited Certified Cyber Insurance Specialist (CCIS) Course.