We often remind our clients about the importance of taking cybersecurity measures. In response, we frequently hear the question, “How can I suffer a cyber loss if I don’t have custody of the funds?”

Imagine this scenario: A bad actor scrutinizes email activity, identifies recurring distribution requests, and watches for busy times in the day or month. Right at the height of activity, the bad actor notes the request for a recurring distribution and acts. The distribution request is sent, but immediately after the bank has been notified of the distribution, the bad actor sends an email requesting a change in wire instructions. The bank calls the trustee to verify and in a flurry of activity, the trustee approves the change in wire instructions, and client funds are lost.

While corporations have been focused on these issues for quite some time, trustees have not received the same level of training.  It is human error that generally sets the stage for losses, and trying to get the funds back and creating the proof of loss is complicated and stressful.

Of these email attacks, those that qualify as a business email compromise (BEC, where a specific executive or employee is impersonated) increased 71% last year. Vendor email compromises (VEC, where a supplier or vendor of the victim organization is impersonated) increased by 137%. Both types of crimes involve fake invoices, banking account change requests, and demands for immediate payments. Smaller organizations (less than 1,000 employees) saw the highest number of BEC attacks. Therefore, financial services firms including trustees, trust companies, family offices, and registered investment advisors should focus their attention on this threat.

What Should You Do After an Incident?

Like for other businesses, a cyber incident for a trust company or a trustee can be catastrophic. It can interrupt your business, lead to loss of private client information and/or funds, and result in loss of client trust. Until recently, cyber claims within the trustee world have been speculative. However, we are now witnessing actual claims.

In a recent incident involving a trust company, the company worked with multiple vendors and law enforcement agencies to mitigate the effects of a cyberattack on their business. Coordinating the response on your own can be daunting. This is where a cyber insurance policy can provide value.

Most cyber insurance policies have built-in services that can help mitigate the risk and coordinate your response to the incident.  Here are steps you should take upon discovering a cyber incident at your firm:

• Notify your cyber insurance carrier and broker. Typically, cyber insurance carriers will offer a 24/7 monitored hotline for companies to call and initiate an incident response playbook. Typically, your cyber insurance policy will require you to work with specific response vendors.
• Engage legal counsel. Doing this first allows you to protect attorney-client privilege as you work through a cyber incident.
• Engage a cyber forensics provider. Hired by the legal counsel on your behalf, these specialists can help you investigate the origins of the attack, ensure the bad actors are out of your system, and identify what systems might have been impacted during the attack.  They also can negotiate with ransomware attackers and identify the population of consumers potentially impacted by your breach.
• If an attack led to funds being transferred out of your accounts, working with the FBI, other law enforcement agencies, and your bank within the first 72 hours will provide the best hope for recovering the funds.

Cyber breaches are complex, and so is the recovery process. Identification of the breach, remediation of the systems, and recovery of funds are part of a complicated team sport. However, using a pre-determined incident response plan that includes the contact information you need can help your organization get through what is an often shocking and frustrating situation. A good broker may also find additional coverage from crime insurance and/or professional liability insurance, also known as E&O (errors and omissions) insurance.

How to Reduce Your Cyber Risk as a Trustee

Even with multi-factor authentication and financial institution callback protocols, human errors can occur that lead to losses. Therefore, the number one risk management technique is to provide cybersecurity and awareness training for all users.

Awareness training ensures that everyone knows about the heightened risk of cybercrime and can recognize phishing attempts and other fraudulent activities. In addition, keeping up to date on new tactics, which change daily, is essential. For example, by using generative AI, criminals are becoming more sophisticated by the day.

Here are some steps to enhance security and mitigate your risks:

• Verified Requests: Always confirm distribution requests and wire instructions through a secondary communication channel, like a phone call, especially if they come via email. Double- and triple-check the instructions, especially if there are urgent requests to change the wire instructions.
• Secure Communication: Use secure, encrypted email or platforms for sending sensitive information.
• Regular Monitoring: Frequently monitor accounts and transactions for any unusual activity.
• Strong Authentication Protocols: Implement strong authentication methods, such as multi-factor authentication, for accessing sensitive systems and information.
• Update Security Measures: Regularly update and patch your cybersecurity systems to protect against new vulnerabilities.
• Incident Response Plan: Have a robust incident response plan in place. This plan should include immediate steps to take if you suspect a breach or fraud.

By being proactive and maintaining a high level of vigilance, you can significantly reduce the risk of falling victim to cybercrimes during these critical periods.