What Mackenzie breach says about state of data security in wealth

Tech expert breaks down consequences of cyber incidents, and steps financial firms should take to minimize risks

What Mackenzie breach says about state of data security in wealth

It’s been several weeks since news broke of the third-party data breach that affected tech ecosystems around the world and in Canada, including several prominent investment firms.

The incident, whereby an unauthorized party used a zero-day vulnerability to access a third-party data transfer service’s system, reverberated across multiple organizations and industries. In Canada, the fallout reportedly reached clients at several investment firms including Mackenzie Investments and Franklin Templeton. The firms were clients of InvestorCom, a wealth tech provider, who in turn was a client of GoAnywhere, the data transfer service provider that was originally hacked.

The firms wasted no time notifying clients whose information was exposed, informing them of measures being taken to mitigate the impact. In a statement, InvestorCom said it had engaged a third party to conduct an internal forensic investigation, and reassured affected clients that the situation was contained.

Vivin Sathyan, senior technology evangelist at ManageEngine, says the incident reflects the accelerating challenge of data management for firms around the world, especially since the Covid-19 crisis hit and forced organizations to adopt a more flexible remote work structure.

“Initially, your data, applications, and the devices users worked on within your organization were all inside four walls. … Everything was confined to a traditional perimeter,” Sathyan told Wealth Professional. But ever since the pandemic, things are getting stored outside corporate networks, which means you as an organization have more data points to monitor.”

Across all industry verticals, including financial services, Sathyan says organizations now use third-party providers for any number of business services, and he doesn’t expect that trend to reverse or change anytime soon. It doesn’t matter how many degrees of separation there are between a firm and a data breach, he adds, as a firm’s responsibility to protect the data it collects from clients doesn’t stop.

“You might have some contractual terms that try to shift responsibility towards a third-party provider. But it doesn’t work that way,” he says. “If I am an organization and I extend my infrastructure to a third party, for whatever business reasons, the responsibility is on me. I onboarded them, and I gave them access to the data. … There's no point in giving them access to data without knowing what security posture they are maintaining.”

From his experience, Sathyan sees four categories of consequences from data breaches, whether direct or through a third party. First, the organization involved takes a reputational hit. Second, it experiences infrastructural damage, as adversaries will now know at which point in the tech supply chain they should strike.

Third, organizations that experience a data breach may expect legal challenges from customers or clients who were expecting the data they shared to be kept safe. And the fourth impact, Sathyan said, is increased compliance challenges as regulators may step up scrutiny of firms they oversee after a cyber incident occurs.

The recent high-profile third-party breach raises a crucial question for the wealth industry, advisors included: what can be done to minimize the risks of client data being compromised?

“You have to ensure that basic security controls are in place before you onboard a vendor,” Sathyan says. “Make sure they have policies in place to reduce the detection time. … It shouldn’t be weeks, but they should try to cut that down to as quickly as possible.”

Before onboarding a vendor or third party to access client data, he says advisors should have a vendor risk management policy in place.

“You have to look at how they handle indicators of compromise,” Sathyan says. “What are their penetration testing strategies? What about their risk assessment policies? Are they covering the basic security controls they should be covering?”

There’s no common yardstick to evaluate data security across all industries, he says, as the specifics depend on the vertical a firm is in. But no matter where they’re operating, he says firms should not make the mistake of assuming vendor risk assessments are a one-and-done exercise.

“When you onboard a third party, you will have to hold quarterly reviews of the vendor’s performance and also have performance metrics in place that tell you about their security posture, so that you know that you didn’t just give them open access,” he says. “You’re also ensuring that data is being handled the way it is supposed to be handled.”