800-646-0700         LOG IN        CONTACT US        FREE TRIAL
Cloud Technology Blog for RIAs and Broker-Dealers

Let the Yahoo Hack Be Your Cybersecurity Lesson

9/29/16 11:00 AM / by Justin Kapahi

Biggest data breach in history proves it. Your firm needs External IT's security awareness training.

cyberattackgetty.jpg

Last Thursday Yahoo announced that hackers stole the personal information of over half a billion of its users, including usernames, passwords, birthdates, and answers to security questions. The Yahoo hack took place in 2014, and many are questioning how the biggest data breach in history could have gone undetected for two years. 

The internet company’s woes should serve as a stark warning for wealth management firms about the vulnerability of client data, as well as the potential for regulatory scrutiny and damage to a firm’s reputation. 

Many of the issues that apply to the Yahoo case were discussed at External IT’s inaugural Wealth Management Technology & Cybersecurity Summit, held Sept. 19 in New York. Presenters there offered useful insights on how to detect, respond to, and prevent similar breaches. Furthermore, we at External IT have launched new services to help firms stay ahead of these evolving threats.

Fallout at Yahoo

Yahoo says it only became aware of the cyberattack this summer. Yahoo says the hack was perpetrated by “a state-sponsored actor,” but has not verified which country is the alleged perpetrator. The FBI is investigating those claims. Regardless of the source, the case highlights how hacks can complicate M&A deals. 

It is unclear whether Yahoo’s discovery of the hack arose before or after the July announcement of a takeover by Verizon, which plans to acquire Yahoo’s core business early next year for $4.8 billion. Verizon cannot yet investigate fully because it lacks direct access to Yahoo’s servers. The same situation could unfold between two RIAs planning to merge. A hack at the target could present legal issues for the acquiring wealth management firm. Indeed, lawmakers are calling for accountability. 

On Monday, U.S. Senator Mark Warner asked the Securities and Exchange Commission to investigate whether Yahoo met its obligation to disclose the hack to shareholders and the public in a timely manner. On Tuesday, six senators demanded a timeline of the hacking to account for the lag in uncovering the intrusion. In their letter to Yahoo CEO Marissa Mayer, the senators deemed it unacceptable that Yahoo took so long to prompt users to protect themselves. 

How to Respond

Anyone who has not changed their Yahoo password since 2014 is urged to do so now. Many people recycle the same password for numerous online services, and password reuse means the Yahoo hack poses a security risk for many other sites. After being sold on the dark web, usernames and passwords for one site could grant unauthorized access to a user’s other accounts. Business networks may be particularly vulnerable if an administrator was using the same password to log in to both their Yahoo account and their company network. 

The New York Times launched a tool to tally how many times one’s personal information might have been compromised by hackers. Check the relevant boxes about your online financial activity, and find out which parts of your identity have been exposed in major hacks over the past three years. Measures that can help limit the fallout from hacks include frequently changing passwords and using multifactor authentication, encrypted networks, and credit monitoring.

Preventative Measures

A Yahoo-related Times article published Wednesday suggests that the internet company did not invest in the same level of cybersecurity precautions as its peers in the years preceding the hack. Wealth management firms that skimp on relevant software – such as anti-malware programs, firewalls, the latest patches, user-access controls, and audit logs – run a similar risk as Yahoo. Although the scale of an RIA breach would likely be smaller, the consequences for the business may be no less severe.

The Yahoo case shows how RIAs could benefit from External IT’s new Security Awareness Training program. We developed the offering to educate advisory teams on how best to use corporate information technology systems. Our SAT program reveals how employee-related negligence is the most commonly overlooked factor in data breaches. Firms using the program can receive phish testing, reporting and online training. We then conduct follow-up testing, measure the program’s effectiveness, and share those results with the firm’s compliance manager.

Potential SEC probing of the Yahoo breach reflects how strongly regulators take such incidents. Therefore, EIT also is proud to offer wealth management firms our Policy and Procedure Development and Lifecycle Management program. This offering instructs firms on the latest SEC and FINRA developments, to help firms operate under rapidly shifting compliance guidelines. Participating firms can receive a quarterly cybersecurity update and customized yearly cybersecurity report.

Topics: Financial Services, Cybersecurity, Technology

Justin Kapahi

Written by Justin Kapahi

Justin Kapahi is VP, Solutions & Security for External IT. He has over 15 years of experience in technology & finance and is the former CTO of Fairholme Capital Management.