The revelation of the Equifax cybersecurity breach, along with the news that the Securities and Exchange Commission had been breached in 2016, has reinforced the message that no institution is invulnerable.
Even the IRS has been hacked twice so far this year, with a February breach exposing the Social Security numbers of at least 464,000 taxpayers. And just last week, global professional consultancy Deloitte announced it had been hacked as well.
In contrast, no major financial institution involved in managing retirement, endowment or foundation assets has reported a successful cyberattack so far in 2017.
But to ensure that record continues through the rest of the year and beyond, the financial institutions will have to continue to spend increasing amounts of money on cybersecurity. They cannot become complacent because the number of security breaches is increasing year by year, and so is the sophistication of the hackers.
Through June 30, there were 791 corporate cybersecurity breaches this year that exposed more than 12,389,462 records before the revelation of the Equifax breach, according to the Identity Theft Resource Center and CyberScout LLC. That's a 29% increase from the same period in 2016. During all of 2016 the number of breaches increased 40% from 2015.
In 2016, only 3.6% of these breaches involved companies in the banking/credit/financial sector. This increased in the first half of 2017 to 5.8%, suggesting more hackers have turned their attention to the sector.
Like the bank robbers of the past, hackers will gravitate to where the money is — banks and trust companies where billions of pension, endowment and foundation assets are housed. But the access portals could be any money management firm, record keeper or service provider with insufficient security that exposes client information.
The Equifax breach, which exposed Social Security numbers and drivers' license numbers along with other personal data of 143 million consumers, has provided hackers potential tools with which to access those victims' financial accounts wherever located.
The effects of this breach likely will be felt for many years as hackers and scammers slowly make use of the information gleaned from the Equifax files. For that reason, financial institutions will have to step up their client verification practices so they do not inadvertently hand client assets over to scammers.
The Equifax, SEC and Deloitte breaches carry two additional messages. First, a firm's cybersecurity program and defenses probably are not as solid as top management might believe. Clearly, top management at Equifax, the SEC and Deloitte assumed their cyber defenses were sound. They weren't, and the costs for top management, at least at Equifax, were great: CEO Richard Smith resigned in late September. Defenses must be tested constantly by outside cybersecurity testing companies, and the vulnerabilities thus revealed must be fixed immediately.
Second, new threats are constantly emerging. What was a solid defense last year might well be a porous one this year. Companies will have to constantly upgrade the defenses of their computers and constantly retrain their staffs in cybersecurity practices. According to the ITRC, employee error, negligence or improper disposal was responsible for 9% of data exposure in the first half of 2017. The good news is that this was down from the same period in 2016.
During World War II the slogan was: Loose lips sink ships. In the cyber war being waged around the world, the slogan might be: Loose computer practices hurt clients and companies.
On the corporate side, breaches hurt companies in at least two ways.
First, customers stop doing business with the breached company. According to the Ponemon Institute, a Traverse City, Mich.-based cybersecurity research organization, companies suffer a 7% loss of customers after a breach is reported, and for public companies, the stock price drops 5% the day the breach is reported. For Equifax the price has been much steeper: the company's stock price dropped more than 26% between Sept. 7 and Sept. 25.
The breaches also hurt affected companies by forcing them to spend money revamping their cybersecurity systems and often to make customers whole for any loss they might experience.
Breaches hurt clients by exposing their private information, including Social Security numbers and addresses, often including email addresses and even passwords. This makes them vulnerable to phishing campaigns by hackers.
According to the ITRC, almost half of 2017 hacking attacks involved phishing. Clients might be able to reduce the threat by changing email addresses and passwords, but drivers' license numbers and especially Social Security numbers will remain valid long after the breach.
All money management firms and trust organizations, record keepers and other service providers — large and small — must continue to upgrade their cyber defenses if they wish to avoid finding themselves in the glare of a cyber breach spotlight.
No one will want to be the Equifax of the financial services sector.