A Money Marketing investigation has revealed the weaknesses in some platforms’ systems which expose them to the risk of cyber security attacks.
Research carried out by Money Marketing and IT security firm NCC Group shows while some platforms have comprehensive security measures in place, others look more vulnerable.
Of the 15 advised platforms approached, six declined to participate in the study. Of the nine that did respond, six revealed they had experienced some sort of security breach in the last year, including fraud.
The research comes after Money Marketing reported statistics from the Investment Management Association in May that showed the amount of money lost by clients through platform fraud more than trebled last year with a record £1.8m taken.
Despite the risk, few platforms have comprehensive insurance in place to protect them in the event of a security breach, leaving them on the hook to cover potential investor losses.
Platforms typically rely on underlying technology to power transactions while custody of assets is provided by third-party banks. But it is platforms that hold significant amounts of client data and take instructions on investment decisions.
Responses from platforms have been provided on an anonymous basis so as not to expose particular businesses to potential fraudsters.
Most platforms reported they currently use “two-factor” authentication, meaning there are two layers of security to verify user logins. This can be through two security questions or the platform contacting the client directly.
Two platforms do not currently use a two-factor authentication process but say they are considering introducing this.
Most platforms take client and adviser instructions via email.
Last year Standard Life issued a warning to advisers after four platform clients were stung by a fraud that saw money withdrawn from their accounts. The incidents occurred when clients’ emails were hacked, allowing fraudsters to email instructions to the victims’ advisers. Money was withdrawn and paid out to a separate bank account.
Some platforms say they use secondary methods for checking identity or refuse to carry out payments from an email instruction.
NCC Group European managing director of security consultancy Robert Horton says if a client’s IT has been completely compromised, two-factor authentication and other identity confirmation methods can be bypassed.
He says: “Some financials have quite tight controls and processes for deploying their own applications so the target can often be the client. If they are using web-based email they can be targeted that way. Or an off-the-shelf malware system can allow someone to harvest details from a customer, allowing them to attempt fraudulent logins.”
There are other areas of platform security which reveal potential vulnerabilities. Criminals use what are called “distributed denial-of-service” (DDoS) attacks: systematic attempts to overwhelm a software system by overloading it with data requests. Successful attacks force platforms to close down, allowing assets or data to be stolen while defences are compromised.
One of the largest platforms said it had experience of successfully fending off a DDoS attack. But another platform admitted it did not have software in place to filter and detect DDoS attacks.
Most platforms do not have a dedicated security officer although some say they rely on their external vendor for this. Horton says while most platforms train staff in secure coding and fraud detection, policies are more likely to be rigorously enforced where there are dedicated senior management to oversee IT security.
He says: “There is a trend where if a firm has a chief information security officer it is more likely to have better levels of authentication, to have engaged in proper staff training and is less likely to allow email requests. The policies tend to be more rigorous where there is a CISO.”
Most platforms reported that the majority of incidents are caused by the security of an adviser or client system being compromised.
Deloitte says platforms should be looking to add extra checks and balances to verify who is logging in. Director of security and resilience practice Giles Taylor says: “It is difficult to be too hard and fast about saying that two-factor authentication is the answer. You have to look for other pieces of information you can compile.
“It can never be fail-safe but if, for example, a request is coming from someone’s PC and from their IP address, it gives you more confidence. Sometimes you have to accept you are not going to be able to prevent a security breach. So it comes down to other controls to try and limit the risk.”
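The layered approach described above (two-factor authentication plus contextual signals such as a known PC and IP address, backed by other controls when prevention fails) can be expressed as a small risk-scoring rule set. The following is an added illustration written for this article, not code from Money Marketing, NCC Group or Deloitte; the signal weights, thresholds, decision labels and the rule that email or new-payee payment instructions are held for out-of-band confirmation are assumptions chosen to show the idea, and the client profile and login attempts are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class ClientProfile:
    """What the platform already knows about a client (constructed sample)."""
    client_id: str
    known_devices: frozenset  # device identifiers seen on previous logins
    known_ips: frozenset      # IP addresses seen on previous logins
    known_payees: frozenset   # bank accounts previously used for withdrawals


@dataclass
class LoginAttempt:
    client_id: str
    device_id: str
    ip: str
    two_factor_passed: bool


# Assumed weights: each unfamiliar signal adds risk; a missing second factor adds most.
WEIGHT_UNKNOWN_DEVICE = 40
WEIGHT_UNKNOWN_IP = 30
WEIGHT_NO_SECOND_FACTOR = 50

# Assumed thresholds for the three outcomes.
ALLOW_BELOW = 30
DENY_FROM = 70


def score_login(profile: ClientProfile, attempt: LoginAttempt) -> int:
    """Accumulate a risk score from contextual signals (higher is riskier)."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
    if attempt.ip not in profile.known_ips:
        score += WEIGHT_UNKNOWN_IP
    if not attempt.two_factor_passed:
        score += WEIGHT_NO_SECOND_FACTOR
    return score


def decide_login(score: int) -> str:
    """Map a score to allow / step_up (out-of-band confirmation) / deny."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < DENY_FROM:
        return "step_up"
    return "deny"


def decide_payment(profile: ClientProfile, channel: str, payee: str,
                   confirmed_out_of_band: bool) -> str:
    """Payment instructions that arrive by email, or that name a bank account
    the client has never used, are held until confirmed by a separate channel
    (for example a call-back to a number already on file). Assumed policy."""
    if confirmed_out_of_band:
        return "execute"
    if channel == "email":
        return "hold_for_callback"
    if payee not in profile.known_payees:
        return "hold_for_callback"
    return "execute"


def process_instruction(profile: ClientProfile, attempt: LoginAttempt,
                        channel: str, payee: str,
                        confirmed_out_of_band: bool) -> str:
    """Combine the login decision with the payment rule: a denied login never
    reaches the payment check, and a step-up login counts as unconfirmed."""
    login = decide_login(score_login(profile, attempt))
    if login == "deny":
        return "login_denied"
    if login == "step_up" and not confirmed_out_of_band:
        return "hold_for_callback"
    return decide_payment(profile, channel, payee, confirmed_out_of_band)


# Constructed sample client with one familiar device, IP and payee.
SAMPLE_CLIENT = ClientProfile(
    client_id="client-001",
    known_devices=frozenset({"dev-A"}),
    known_ips=frozenset({"203.0.113.10"}),
    known_payees=frozenset({"GB00-known-account"}),
)

if __name__ == "__main__":
    familiar = LoginAttempt("client-001", "dev-A", "203.0.113.10", True)
    unfamiliar = LoginAttempt("client-001", "dev-B", "198.51.100.7", True)
    print(decide_login(score_login(SAMPLE_CLIENT, familiar)))     # allow
    print(decide_login(score_login(SAMPLE_CLIENT, unfamiliar)))   # deny
    print(process_instruction(SAMPLE_CLIENT, familiar, "email",
                              "GB00-known-account", False))       # hold_for_callback
```

The point Taylor makes is visible in the scores: a login from the usual PC and IP address with a weak or absent second factor still lands in the step-up band rather than an outright deny, while an email-borne withdrawal instruction is held for a call-back regardless of how clean the login looked, which is the control that would have stopped the hijacked-mailbox fraud described earlier in the piece.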
Only two platforms reported they had cyber security insurance.
Insurance broker Marsh says insurers are increasing their capacity to cover cyber security risk but the market is not yet ready to meet supply. It warns take-up of insurance tends not to gain traction until a “big bang” security event triggers a reaction.
Marsh cyber risk practice leader Stephen Wares says the relatively fledgling status of the cyber security threat makes it difficult to price risk. He adds: “There are some particular pricing challenges around cyber risk. You do not have a record of loss data for 10 years. At the moment pricing can be quite erratic and insurers will take quite different views on risks.”
The Platform head of data Richard Bradley says: “Should we see a platform suffer a major breach the impact would be significant. We would expect the security of clients’ assets to be pushed higher up the priority list for advisers conducting platform due diligence, potentially leading to sizeable outflows.
“In the direct-to-consumer market we see brand strength as the primary factor when looking for somewhere to invest. When talking about people’s life savings the perception of risk is as important as actual risk, so any security concerns are hugely damaging.”
One platform said most attacks on its systems were not sophisticated. It says: “Attacks are fundamentally low in complexity and show little evidence of these attacks being targeted.”
But EY financial services management consultant Mark Stringer, who is involved in the firm’s advisory service, says platforms should not see themselves as flying “beneath the radar”. He says: “It would be complacent of a small organisation to think that as they are below the radar they’re less likely to get hit.
“A pound on that platform is the same as a pound anywhere else. The regulator applies the same degree of scrutiny on platforms as they would a major bank.”
The security of investment platforms, and the reliability of their security policies and procedures, is a theme of ever-increasing interest as firms tackle the challenges presented by cyber security.
This was brought home in a communique to FTSE350 chief executives from GCHQ and MI5 last year, who both stressed the Government’s expectation of their roles in keeping UK plc secure.
Coordinated attacks are often concentrated on large, well-known firms, particularly those within financial services.
However, opportunistic groups and individuals are continually looking at smaller firms which demonstrate any vulnerability.
All firms, regardless of size, need to get the basics right and should at least be adopting the principles of sound cyber security.
Firms should regularly stress-test software apps, ensure security privileges are accurate and monitor the company’s networks for unusual user activity.
They also need to ensure employees are kept up-to-date on important information about cyber security.
The recent Government-launched scheme Cyber Essentials is helping set the bar for cyber security. It enables firms to demonstrate by certification they meet minimum security standards.
Security exposure can occur in both obsolete technology and software and through digitally-enabled customers accessing services 24/7, using a raft of devices.
Firms need to be continuously on guard to make sure they, and their clients, are protected.
Mark Stringer heads up the investment platform practice at EY
Pete Matthew, managing director, Jacksons Wealth Management
Anything we recommend carries our reputation with it, so we want platforms to show they have robust security measures. But we are not experts so it makes it difficult to analyse that ourselves. Perhaps there could be an objective minimum standard for IT security set by a third party which all platforms could meet.