Recent cybersecurity breaches affecting financial services firms often share a common thread: risks caused by a human element.
These risks can encompass a number of threats, from phishing attacks — personalized scams that are not limited to email and are used to spread malware or obtain sensitive information — to simple employee errors that expose client data.
As such, institutional investors are increasingly checking the data security practices of their service providers to make sure their data doesn't fall into the wrong hands. One example is the $57.1 billion Los Angeles County Employees Retirement Association, Pasadena, Calif., which is examining its relationship with its Boston-based custodian State Street Bank and Trust Co. after State Street experienced three documented data security incidents last year, board meeting documents reveal.
As a result of the incidents, a State Street representative will be attending LACERA's Jan. 9 board of investments meeting to provide more information on the events, according to documents.
Moving into 2019, cybersecurity also is an examination priority for the Securities and Exchange Commission. And this comes as the number of security breaches is continuing to grow, according to an October report from Campbell, Calif.-based data security firm Bitglass Inc.
From January 2018 through August, financial services firms recorded 103 breaches, compared to 37 over the same eight months in 2016, the report said. Bitglass aggregated data from the Identity Theft Resource Center and the Privacy Rights Clearinghouse.
Firms should take note that the weak link in an organization's cybersecurity efforts is often the end user, with phishing campaigns being among the most common attack vectors for entry, said Johnny Lee, an Atlanta-based principal and national practice leader of forensic technology services at Grant Thornton LLP, in a December telephone interview.
There have been "attempts when an asset manager is asked to reroute a wire transfer that was already in the midst of being approved or a recurring payment over the span of a deal or transaction," Mr. Lee said.
Intruders typically infiltrate ongoing communications, spoofing the email address of an actual employee or point person — or in some instances, sending the email from a hacked account — and then directing future transactions to be sent to an account of their choosing, he explained.
"If there was one trend that we've seen at asset managers more than any other in 2018, it's definitely (phishing attacks). We get more calls on that than any other (attack)," Mr. Lee said.
"For these kinds of scams, often very low-tech compensating controls are the answer," such as two-factor authentication or implementing other security controls that don't rely on email as the main confirmation for a transaction, he said.
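The control Mr. Lee describes, a payment-release check that does not treat email as the confirmation channel, can be illustrated with the added example below. It is not code from the article or from any firm named in it; the payment, counterparty domain, callback number and email addresses are constructed, and the function names are hypothetical. It holds any in-flight payment whose beneficiary account or sender domain departs from the instructions on file until someone confirms the change by calling the phone number recorded at onboarding, rather than a number or a reply address supplied in the email itself. A mismatched sender domain catches a spoofed or lookalike address; the beneficiary comparison also catches the harder case of a change sent from a genuinely compromised mailbox on the correct domain.

```python
"""Added example, not from the article: an out-of-band confirmation gate for
changes to wire instructions. All names, accounts and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ApprovedPayment:
    payment_id: str
    beneficiary_account: str   # account approved when the payment was first set up
    counterparty_domain: str   # email domain of the legitimate counterparty
    callback_number: str       # phone number recorded at onboarding, never taken from an email


@dataclass
class ChangeRequest:
    payment_id: str
    sender_email: str
    new_account: str
    confirmed_out_of_band: bool = False   # set only by the callback workflow, not by email


@dataclass
class Decision:
    release: bool
    reasons: List[str] = field(default_factory=list)


def sender_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].lower()


def evaluate_change(payment: ApprovedPayment, req: ChangeRequest) -> Decision:
    """Decide whether a payment may be released after an emailed change request.

    Any deviation from the instructions on file is a red flag. A flagged payment
    is held until the callback workflow marks it confirmed; an email alone can
    never clear it.
    """
    flags: List[str] = []
    if req.new_account != payment.beneficiary_account:
        flags.append("beneficiary account differs from approved instructions")
    if sender_domain(req.sender_email) != payment.counterparty_domain:
        flags.append(
            f"sender domain {sender_domain(req.sender_email)!r} "
            f"is not the counterparty on file ({payment.counterparty_domain!r})"
        )
    if not flags:
        return Decision(True, ["no change to instructions on file"])
    if req.confirmed_out_of_band:
        return Decision(True, flags + ["change confirmed by callback"])
    return Decision(False, flags + [f"hold: confirm by calling {payment.callback_number}"])


def process_batch(payments: Dict[str, ApprovedPayment],
                  requests: List[ChangeRequest]) -> Dict[str, Decision]:
    """Evaluate a batch of requests; unknown payment ids are held as well."""
    results: Dict[str, Decision] = {}
    for req in requests:
        payment = payments.get(req.payment_id)
        if payment is None:
            results[req.payment_id] = Decision(False, ["hold: no such payment on file"])
        else:
            results[req.payment_id] = evaluate_change(payment, req)
    return results


def demo() -> Dict[str, bool]:
    """Run constructed sample requests and return payment id -> release decision."""
    on_file = {
        "PMT-1001": ApprovedPayment("PMT-1001", "GB00-ORIG-0001",
                                    "acme-partners.example", "+1-555-0100"),
    }
    requests = [
        # same account, correct domain: nothing changed, releases
        ChangeRequest("PMT-1001", "cfo@acme-partners.example", "GB00-ORIG-0001"),
        # new account from a lookalike domain: held pending callback
        ChangeRequest("PMT-1002", "cfo@acme-partners.example.co", "GB99-NEW-0002"),
    ]
    requests[1].payment_id = "PMT-1001"  # the lookalike targets the real payment
    decisions = process_batch(on_file, requests[:1])
    held = evaluate_change(on_file["PMT-1001"], requests[1])
    return {"unchanged": decisions["PMT-1001"].release, "lookalike_change": held.release}


if __name__ == "__main__":
    for label, released in demo().items():
        print(f"{label}: {'RELEASE' if released else 'HOLD'}")
```

The split between the email-driven path and the `confirmed_out_of_band` flag is the design point: the only code path that releases a changed payment is the one the callback workflow sets, so a convincing email, or a reply sent from a compromised mailbox, cannot move money by itself.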
Financial services firms must also implement security controls to mitigate, or minimize the impact of, other human errors that aren't prompted by a scam or cyber intruder, but result in a breach.
In 2018, State Street Bank experienced three data security incidents caused by human error, which strained its business relationship with LACERA, public board documents reveal.
State Street has served as a global custodian for LACERA for more than five years, board documents published on the pension fund's website show.