
Cybercriminals' threat to global wealth management - the risks

Chris Hamblin, Editor, London, 13 January 2015


Nobody - absolutely nobody - is 100% secure from the depredations of cyber-criminals. What should private banks do in the face of this growing threat?

Every reader should know about keeping passwords secure and being careful about whom they let near their private information. In the world of private banking, however, even some of the more robust institutions have fallen victim to cybercriminals. Only last month, the world was rocked by claims - and furious denials - that the Communist regime of North Korea was behind a massive attack on Sony which led to the 'pulling' of a satirical film about North Korea.

The stakes are high. A single successful hacking attack can destroy reputations built up over hundreds of years within seconds.

Spending on fighting the menace is increasing year by year and with more and more business transactions taking place online the problem is likely to get worse, according to the leading lights of the financial services industry.

What price cybercrime?

Cybercrime costs the global economy $445 billion every year, according to a study by the Centre for Strategic and International Studies, a US organisation, and Coutts, the private bank. The study states that security could end up representing about 30% of private banks' technological budgets.

Adam Wethered, the co-founder of the wealth manager Lord North Street (now merged with the multi-family office Sand Aire), told us recently: “The answer is to have good internal and external IT services, which means having the right processes, standards and disciplines in place.”

Wealth management firms that cannot combat this threat have lost clients instantly and figures show that they do not return, according to the experts to whom we have spoken.

Sarah Stephens, the head of cyber & commercial at Aon Risk Solutions, said: “Of course the primary hit from the crime is the loss of money, but then it's reputation and the disruption to the internal systems. It is the soft costs that actually become the bigger problem.”

Spear phishing  

Unsurprisingly, wealth management companies based in the UK, the US and Germany are the prime targets for hackers on the hunt for monetary rewards. The hackers often work together in what are known as “cyber syndicates” – 100-man teams focused solely on breaking down corporate security systems. They are, moreover, becoming increasingly sophisticated, recently developing a practice commonly known as “spear phishing”.

In this instance the hacker will send what looks like an authentic email from a wealth manager to a client or individual asking for specific personal financial information or log-on details. If the person falls for the ploy, the attacker can masquerade as that person and gain further access to sensitive data or move money around.

According to Kroll, the spy firm, other tactics include setting up bogus WiFi networks at airports and hotels, which travelling wealth managers inevitably use. The fraudsters then send an email to a clearing bank asking for large sums of money held on behalf of clients of the wealth manager to be moved to other accounts. These emails are usually flagged up as suspicious by security departments and as a result the clearing bank will email the wealth management firm to ask for clarification. However, staff at the firm will never see this email, as the fraudsters will have set up an email filter, and can confirm the transaction themselves.
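A defensive check for the email-filter tactic described above, as an added example that is not part of the original article: it reviews exported mailbox rules for any that hide mail from a counterparty such as the clearing bank, and goes slightly beyond the article by also flagging rules that forward mail outside the firm. The rule format, field names, folder list and all addresses are constructed assumptions, not any mail product's schema.

```python
# Folders staff rarely open; a rule that moves mail here effectively hides it.
HIDE_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def review_rule(rule, counterparty_domains, own_domain):
    """Return the reasons a rule deserves review (empty list if none)."""
    reasons = []
    senders = {domain_of(s) for s in rule["conditions"].get("from", [])}
    targets_counterparty = bool(senders & counterparty_domains)
    for action in rule["actions"]:
        kind = action["type"]
        hides = kind == "delete" or (
            kind == "move" and action["folder"].lower() in HIDE_FOLDERS)
        if hides and targets_counterparty:
            reasons.append("hides mail from counterparty")
        if kind in ("forward", "redirect") and domain_of(action["to"]) != own_domain:
            reasons.append("sends copies outside the firm")
    return reasons


def audit(rules, counterparty_domains, own_domain):
    """Map (mailbox, rule name) to review reasons for every flagged rule."""
    findings = {}
    for rule in rules:
        reasons = review_rule(rule, counterparty_domains, own_domain)
        if reasons:
            findings[(rule["mailbox"], rule["name"])] = reasons
    return findings


# Constructed sample export (hypothetical format, not real data).
SAMPLE_RULES = [
    {"mailbox": "adviser@wealthfirm.example", "name": "Newsletters",
     "conditions": {"from": ["news@vendor.example"]},
     "actions": [{"type": "move", "folder": "Reading"}]},
    {"mailbox": "adviser@wealthfirm.example", "name": "misc",
     "conditions": {"from": ["payments@clearingbank.example"]},
     "actions": [{"type": "move", "folder": "RSS Feeds"}]},
    {"mailbox": "ops@wealthfirm.example", "name": "backup",
     "conditions": {},
     "actions": [{"type": "forward", "to": "copy@mailbox.example"}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, {"clearingbank.example"}, "wealthfirm.example"))
```

Run against a periodic export of every mailbox's rules, with the firm's clearing banks and custodians listed as counterparty domains, a check like this surfaces the hidden filter before a clarification email goes unanswered.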

Sarah Stephens added: “The hackers are highly technical and becoming increasingly skilled at targeting financial firms. It’s a critical issue for firms and the bad guys are just as sophisticated as the good guys. It requires constant vigilance.”

Held to ransom!

In July, even an institution as supposedly robust as the European Central Bank was hacked by cyber criminals demanding payment for the return of stolen data, including personal email addresses and other contact data of people registering for ECB events. The most public cyber-embarrassment in the wealth management world, however, took place in April 2013 when 260 gigabytes of data containing information on Singapore-based fund administrator Portcullis Trustnet's offshore clients was leaked to the International Consortium of Investigative Journalists. The ICIJ has also targeted Kleinwort Benson in the Channel Islands and that bank is investigating the matter. To date, nobody seems to know how the ICIJ acquired such data.

David Chong, the chairman of the company, told a Reuters Global Wealth Management Summit in Singapore last month that as a result of the leak his firm had spent heavily on security.

"I tell clients that if the NSA (the US National Security Agency famed for spying on all Americans illegally) cannot prevent theft from their systems, we don't have much of a chance."

Hey, big spender

It is little wonder then that 52% of British bank bosses said in 2014 that they would increase spending on cyber-security in that year, adding to the £700 million ($560 million) spent in 2013 in the UK alone, according to the department for Business, Innovation and Skills (BIS) and the Cabinet Office. The figures for actual spending in 2014 are not yet in.

Spending on cybercrime in corporate America has risen steadily throughout the years, totalling $88.25 billion in 2013 - significantly up from $39.37 billion in 2006. At the same time, IT security as a percentage of all IT spending now stands at 6.9%, whereas it used to be 5% in 2006, according to the Ponemon Institute, a cybercrime research firm.

At the same time, Global Fortune 2,000 companies recorded 8,400 serious cyber-crime attacks in 2013 - a significant increase on the figure of 6,930 in 2012.

So far, JP Morgan is one of the few major financial firms to publicise its cybercrime spending. In 2014 it raised its annual budget from $200 million to $250 million and plans to build three cyber-security operation centres in regional headquarters.

The arms race

Jamie Dimon, the chief executive at JP Morgan who is often accused of presiding over crimes committed by his own bank, told shareholders in a letter: “It is going to be a continual and likely never-ending battle...not every battle will be won.”

Hackers might not be having things all their own way. Recent results in the UK suggest that spending has paid off as the number of security breaches experienced fell in 2013. The survey by BIS revealed that 81% of corporations experienced a security breach, down from 86% in 2012. Despite this, Richard Horne, the cyber-security-risk partner at PwC, has stated that the incidents that did get through were more destructive and costly than ever before. In 2013 the average cost of a security breach in a large organisation was £600,000 to £1.15 million - up from £450,000 to £850,000 a year before. For small businesses, it was between £65,000 and £115,000, as opposed to between £35,000 and £65,000 a year earlier.

Stephens at Aon warned: “The allocation of huge budgets is not always the best solution. There does come a point where spending more does not reduce risk further. It’s called the zero days’ issue whereby there is a hole in software that is unknown to the programmer until the day the hacker strikes.”

Instead of paying for the latest firewall or anti-virus and anti-malware software, firms should look more closely at blocking the channels through which hackers attack, according to Larry Ponemon, the founder of the Ponemon Institute.

This includes checking up on clients' and business partners' cyber-crime defence systems to make sure that they are reliable, while being wise enough to know that nothing is impregnable. Although this process can be awkward, particularly with clients, it is necessary.
