Registered investment adviser ("RIA") regulators at the state and federal level continue to make information and cyber security a regulatory focus area. However, compliance issues aside, RIA firms need to continue to establish the proper policies and procedures to help prevent cyber security-related issues, as such issues pose an enormous business risk to all investment advisory firms. In particular, an RIA firm improperly sending a wire to an unauthorized third party posing as a client continues to be a growing threat.
As RIA compliance consultants, we continue to hear more concern from leading industry custodians that many investment advisory firms are not properly addressing unauthorized third party wire risk. While custodians continue to design and implement more controls and systems to protect against wire fraud, often the RIA firm is still responsible for confirming to the custodian that a client wire request is legitimate. This responsibility combined with the increasing sophistication of cyber criminals means that addressing this risk should be a top priority for investment advisory firms of all sizes.
Even when an RIA firm has established strong information security policies and defense systems, the firm can often do little to prevent client email accounts from being hacked. Unfortunately, hackers are beginning to more aggressively target high and ultra-high-net-worth individuals, as the criminals recognize that such individuals offer greater wire fraud opportunity. This realization, combined with increasing social engineering vulnerabilities, means that all RIA firms are likely to experience client email hacking incidents.
Today, after a hacker gains access to an individual's personal email account, they immediately begin scanning past email correspondence to identify any financial advisor relationships. Past correspondence is examined to learn how to best imitate the client in future correspondence with the advisor. Next will often come either 1) a seemingly innocent email inquiring about the current balance of accounts or 2) an immediate wire request sent via email. At times, the hacker will even time the wire request to coincide with the client's scheduled travel plans, which can also be found in the client's email account. This is generally followed by an "urgent" wire request along with additional context noting that he or she is "traveling" and "not accessible." There will also often be a convincing story as to why the funds need to be transferred to a third-party account, perhaps related to a large purchase or to needing access to the funds while traveling internationally.
If the proper procedures are not in place and strongly enforced, the advisor or staff member may feel pressure to please the client and be too quick to approve the wire request with the custodian. Once the funds are improperly sent to a third party there is often little that can be done to retrieve the funds. With that being the case, the investment advisory firm may now have a financial liability that can reach into the millions of dollars. Furthermore, often advisors do not realize that many traditional errors and omissions ("E&O") and cyber liability insurance policies may not cover this type of loss. Thus, such a mistake can instantly jeopardize the future viability of the firm.
Given the immense business risk, we strongly recommend that all RIA firms take these immediate steps to help mitigate wire fraud risk:
- Educate clients on information security best practices: RIAs should consider providing cyber security education and training to clients. While not all client email account hacking incidents can be prevented, better education can help to reduce the risk.
- Educate clients on the firm's wire confirmation procedures: RIA firms should always verbally confirm all wire requests regardless of the circumstances. This policy and its rationale need to be communicated to clients at the start of the relationship to properly set expectations.
- Establish proper policies and procedures designed to mitigate wire fraud risk: RIA firms need to verbally confirm all wire requests. Best practices for verbal client confirmation may include 1) the RIA must call the client at a previously designated phone number to confirm, which prevents a third party from calling in and posing as the client, and 2) a "secret word" can be established with the client to confirm all wire requests or to otherwise covertly alert the RIA firm that he or she is under distress and being improperly coerced to send the wire.
- Regularly train all RIA firm staff members: All investment advisory firm principals and staff members need to properly understand wire fraud risk. Furthermore, all staff should be trained on how to identify possible "phishing" or fake emails coming from a client. In addition, the message needs to be delivered that even when under client pressure, it is never acceptable to deviate from firm policy, even if doing so results in client dissatisfaction.
- Test wire fraud policies and procedures: RIA firms should consider mimicking these types of incidents to gauge how prepared the firm is and to serve as learning and teaching opportunities. Such mock tests can also help to identify potential gaps in current policies and procedures.
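The callback procedure above (designated number, secret word, duress word) can be enforced in a firm's workflow tooling rather than left to memory. The following is an added example in Python, not code from the original article; the client profile, wire request and callback records, and the `verify_wire` function are assumptions, and the decision rule is that a wire is approved only when staff dialed the number captured at onboarding and the client gave the agreed secret word.

```python
import re
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    APPROVED = "approved"
    REJECTED = "rejected"
    DURESS_ALERT = "duress_alert"  # hold the wire and escalate; say nothing to the caller

@dataclass(frozen=True)
class ClientProfile:
    # Captured at onboarding; never updated from an inbound email or call.
    client_id: str
    callback_number: str
    secret_word: str
    duress_word: str

@dataclass(frozen=True)
class WireRequest:
    client_id: str
    amount: float
    destination: str
    phone_in_message: Optional[str] = None  # "call me at ..." in the email; untrusted

@dataclass(frozen=True)
class Callback:
    number_dialed: str   # the number staff actually dialed
    word_given: str      # the word the person on the line gave

def _digits(number: str) -> str:
    # Compare phone numbers by digits only so "(555) 010-2000" equals "555-010-2000".
    return re.sub(r"\D", "", number)

def _same_word(given: str, expected: str) -> bool:
    return secrets.compare_digest(given.strip().casefold().encode(), expected.casefold().encode())

def verify_wire(profile: ClientProfile, request: WireRequest, callback: Optional[Callback]) -> tuple:
    if request.client_id != profile.client_id:
        return Decision.REJECTED, "request does not match this client profile"
    if callback is None:
        return Decision.REJECTED, "no verbal confirmation recorded"
    # A number supplied in the request is attacker-controlled; only the onboarding number counts.
    if _digits(callback.number_dialed) != _digits(profile.callback_number):
        return Decision.REJECTED, "callback placed to a number not on file"
    if _same_word(callback.word_given, profile.duress_word):
        return Decision.DURESS_ALERT, "duress word given; hold wire and escalate"
    if not _same_word(callback.word_given, profile.secret_word):
        return Decision.REJECTED, "secret word did not match"
    return Decision.APPROVED, "verbal confirmation completed"
```

The duress path returns a distinct decision so the firm can hold the wire and escalate without tipping off whoever is on the call; the secret and duress words are compared in constant time and case-insensitively.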