This website uses cookies. Learn more

Okay

Equifax, CrowdStrike & Cybersecurity

2 Aug 2024
Read: 15 min

"If we think about private banking, businesses that deal with high-net-worth individuals, ultra-high net worth individuals... the market for this information is significant. And the embarrassment factor and the reputational damage of having this information be leaked out is colossal for any financial organisation."

David masters
David Masters
Director and Asset Management Lead at Lansons
(mis)Conduct, Money & Reputation
Podcast Series by Lansons and Katten. Dissecting misconduct in financial services, from the rules and regulations - to the reputational fallout when things go wrong. This podcast series is an essential listen for those in asset management (and more broadly financial services) who are responsible for the safeguarding of business and brand; from compliance and corporate affairs to comms and marketing.

Episode Background

E06: Equifax, CrowdStrike & Cybersecurity

Cybersecurity is an issue which continues to dominate headlines, concern investors and have substantial and very real implications for asset and wealth managers. In the data rich world of investment management, understanding the implications of cyber breaches has never been more critical.

In this episode, David and Neil examine high-profile breaches such as the Equifax data scandal and NHS ransomware attack. They explore why these failures should be seen more widely as misconduct, common myths about cybercrime, debunking misconceptions about its targets and motives and how others are addressing these challenges as digital threats evolve and in light of the recent CrowdStrike IT outage. For most financial firms it’s about when and how often these attacks will come, not if.

This episode provides a crucial guide for asset managers and financial services professionals in preparing for, mitigating against, and avoiding reputational fallout required when things go wrong.

Episode Transcript

David Masters: Hello and welcome to the episode. This is our sixth episode in this series for those working in financial services, particularly in and around asset and wealth management, where we seek to navigate a path through some of the more complex issues where regulation and reputation overlap. My name is David Masters, Director and Asset Management Lead at reputation consultancy Lansons Team Farner.

Neil Robson: And I'm Neil Robson, regulatory compliance partner at US law firm Katten.

David Masters: Great. Today we are diving into the extremely complex world of cyber security and related incidents. This is a timely topic, especially after the recent global IT outage caused by the near apocalyptic software glitch with the CrowdStrike update. This recent incident is an interesting sidebar to the whole cyber security issue, the failure of software specifically designed to protect businesses and organisations against cyber-attacks, resulted in more disruption and chaos than most actual cyberattacks do themselves. With the aftereffects lasting well into the following week and likely to continue for some time in some form or other.

This incident will doubtless see much finger pointing and regulatory and legal investigation. CrowdStrike’s CEO has already been called to testify before the US House of Representatives' homeland security committee and class action lawyers are already circulating and asking shareholders to get in touch as they explore the issue of securities fraud.

So, before we get going, I wanted to highlight an important point about reputation. Cyber security often feels like something that just happens to us, but we forget the importance of our response and preparedness in resolving these situations. Reputation is nearly all about behaviour and failures in cyber security are often due to inadequate preparation and security measures. Failing to protect sensitive data and responding poorly to attacks, particularly in terms of openness, honesty and transparency can severely damage reputation.

Although, CrowdStrike are not victims of a cyber breach, and therefore we won’t dedicate too much more time to them. How they both act and communicate over the next few weeks will be key to how the business fares over the longer term. One false step too many could well take them beyond the point of no return. Now let’s get started on the regulatory side. Neil, over to you.

Neil Robson: Thanks, David. So, cybersecurity impacts on all sectors, not just financial services. Cyber criminals, whether they be the hackers, identity thieves or cyber terrorists, they use technology to steal sensitive information. Data, it's all about data mining effectively and they then go and sell it on the deep web or the dark web, where it's used for nefarious purposes by criminals and illicit third parties.

David Masters: The invariable bad actors as the American say.

Neil Robson: Bad actors, indeed. So, it's quite interesting because frankly, there's a really sophisticated underground market for information - our information. The public generally, and we're talking about things like, ransomware where they disable a system and you have to pay money to get your system back, but they might have also mined the data and then sold that on to third parties.

But there's also phishing, there’s spoofing. And what's really quite interesting I think is last year, so in the US there's a data analytics outfit called Statista. Who did all the analysis of cybercrime, reported cases of cybercrime, I should say. They found that phishing and spoofing were the top two cybercrimes last year in the US. 

But that's a total of 300,000 cases that were reported across the board.

David Masters: It's quite surprising that things like ransomware often come quite low in terms of, statistics about frequency of the types of attack.

Because I think ransomware is one of the things we're talking about a lot, certainly in terms of conversations with clients. If we look about what's in the news and we'll come on to the NHS attacks, in a little bit. But I was recently speaking to, Professor Erica Boyton from DMU. He's a cyber boffin at DMU. 

And, we were talking about ransomware, and he was really going into how this has been quite an interesting evolution. And I think this is really important because obviously cyberattack, cyber security is a rapidly evolving issue the whole time. But previously if you go back eight, ten years or so, most ransomware was just sort of random attacks, targeted at people who might not have the latest update on their systems.

And it was fairly random. The attackers knew very little about their victims. And what would happen is, they would land it somewhere and then they'd get in touch with the victim and say, you've got a problem and we're the guys to solve it, so pay up. Whereas now it's much more targeted.

And it's not just about, stopping services working by saying we're going to encrypt all your services, so you won't have access to your systems, but it is about, targeting specific data. And I think in financial services and particularly in sort of wealth management, private banking and asset management generally, these are really important issues. But I think it's quite interesting that this shift has moved. Where was it used just to be around disruption and disrupting systems. Now it's much more around targeted attacks around data.

Neil Robson: Yeah. And then getting hold of that data, mining it, selling it or indeed trying to get the ransom. So, the NHS case you reference just now I think is one that every man, woman and child in this country should be really focused on right now because I don't think it's had enough media attention, what with the recent general election, not to mention the euros in the football.

There hasn't been enough attention on the fact that in June there was a ransomware attack on South London NHS trusts, affecting quite a lot of hospitals and GP surgeries. But the fundamental point is 2 million Londoners were impacted by this. And what happened was, it’s a public private partnership outfit called Synovus, that basically do blood tests.

And their network was hacked by a Russian gang called Keelin, who then basically shut down the network, which meant that for a period of time, the NHS had to cancel 1600 operations, not to mention thousands of acute outpatient appointments. So, we're talking about a really, really big group of people who were impacted by this. As I say, there's 2000 NHS patients, again, men, women and children.

Just random, normal Londoners whose data has now been sold on the dark web and it's all the data relating to what blood tests they've had. Was it a hepatitis test? Was it HIV? Was it cancer? Who knows what it might have been. But their name, their address, the date of birth, critical information that is protected by GDPR.

All the key information that a hacker or a bad person would need to be able to access somebody. They might know, for example, how to get hold of someone's passwords. They might be able to try hacking into someone's bank accounts as a result of getting that information. And it all comes down to one thing. According to recent BBC reports, the NHS is using aging, archaic infrastructure and computers that are ten years old, software that's been outdated for years and there hasn’t been no patches.

And it's probably something as simple as they were just finding time to get into Synovus, and then they got hold of all this data. And, the NHS has its problems, but not least of which is to upgrade their cybersecurity network. It would be very expensive, but it's going to have to be done now.

David Masters: Yeah. And that again brings us back to that, this issue of trust isn't it. Clearly, there are concerns about the state of the NHS generally. So, from a trust perspective, this is quite significant because for people who are in stuff that is sensitive to their careers or anything like that from a health perspective, might be reluctant now to use the NHS or might be concerned about it.

I mean, obviously if this had been a private business that had been attacked in this way, a private healthcare provider, for example, I think we would have seen a very different response, probably from the media.

Neil Robson: Absolutely.

David Masters: As well as what is the regulator, the ICO.

Neil Robson: Yeah. Which would have thrown the book at them for their failings. And they would have been fined significant amounts of money, but the NHS won't get a fine because it doesn't have any money.

David Masters: Well, no I think I think that's it. I go back to my conversation I had with, Professor Boyton about complexity and obviously the increasing complexity of systems, the increasing complexity of organisations, makes defence against cyber security a lot more difficult and a lot more challenging.

Because there are just so many more different bits that you have to protect against. And I think also, if we think about this again in terms of financial services and the investment management sector, if we think about private banking, businesses that deal with high-net-worth individuals, ultra-high net worth individuals.

You know, the market for this information is significant. And the embarrassment factor and the reputational damage of having this information be leaked out is colossal for any financial organisation.

Neil Robson: Absolutely.

David Masters: So, I mean, there are a lot of things here we need to unpack Neil, but it seems to me, when I talk to people about cyber security, a lot of things come up which I hear and I think, well, is that right or not?

It seems to me there are a lot of a lot of preconceptions or misconceptions about cyber security. So, are there any things you think that we should be looking at which perhaps aren't quite understood or, sort of just misnomers?

Neil Robson: Yeah. Well, I think there’s quite a lot of myths about cyber security. Every business really does have to have a really robust cyber security policy, procedures.

So, if you think about one myth is that they're opportunist. These cybercrime gangs, they're not, they play a very long game. Sometimes they spend years and use, artificial intelligence. They use algorithms to try and figure out how to get into a network because it is targeted.

Another myth, I suppose, is that they're not trying to cause harm. They just want money. That's not always the case. As we said, with ransomware, they will shut down network sometimes, if they don't get the money. And what's interesting, again, just to tie back to the NHS case is, clearly the NHS did not pay any ransom.

There's been lots of healthcare providers in the US who have paid ransom. But the NHS is not and hence all that information is now publicly available on the dark web. Just as a legal warning, health warning. Do not attempt to access the dark web, it is a criminal act to do so. And GCHQ is watching. 

I spoke with a cybersecurity specialist who gave us cyber training at the law firm, a few years back. He has a special government pass to access the dark web. And explained that literally all the information you can think of is out there. You might find somebody's bank account details, all the transactions they're doing, that's available to buy and you can get the password to someone's bank account. You can then steal their money, and it's available to buy. It might be a few pounds or few pennies per piece of data, but nonetheless it's out there. So, this is a business. That's another myth that we can bust. They’re not opportunists. This is a real big business.

And it's complicated. As I say, they use algorithms, artificial intelligence, and oftentimes, again, it's not a spotty teenager in his bedroom. These are gangs, sometimes state supported. So again, the Keelin gang, there's a general belief that it's supported by the Kremlin. Chinese gangs, very similar arrangement supported by Beijing. So, we shouldn't, you shouldn't underestimate how much resources and power these people have and the support of governments to do what they're doing to destabilise.

David Masters: I think North Korea is another actor in all this. I think there's one myth I'd like to jump in on. And that is, I often hear people say that the real focus of cybercrime is these big organisations, these big firms. And I don't think that's quite right.

I think small firms are often, attractive targets to cyber security villains because they often have weaker security. And for a lot of them, it's a matter of commercial life or death. The statistics I've heard and seen on this vary slightly. I think I've seen a range of statistics, somewhere between 30 and 60% of smaller businesses, basically stop functioning or go out of business within six months of a cyber-attack, which I think is a sort of indicator of how fatal this can be.

So, what's the regulatory perspective on this?

Neil Robson: Yeah, let's focus in on that. So again, for asset managers or indeed any FCA or PRA regulated financial institution, there are in the UK some quite strict rules, there spread out.

They're not all in one place. So just to sort of do a bit of a compare and contrast. So, the FCA and PRA are both very vocal in their support at the message that, firms have to be resilient to cybercrime. And they talk about cyber resilience quite often. So, the PRA review cyber-attacks, in light of financial stability issues, whereas the FCA season in light of consumer protection as well as market integrity.

So, in terms of these disparate rules, certainly the ones that would be applicable to an asset manager. So, the FCA principles for businesses, really high-level principles, the umbrella principles under which everybody in the regulated sector has to abide. So, principle three is that a firm must take reasonable care to organise and control its affairs, responsibly and effectively with adequate risk management systems.

Well, if you're subject to a cybercrime that suggests that maybe your risk management systems were not adequate, so they could throw the book at you simply under principle three. There's also principle eleven, that you must deal with your regulators in an open and cooperative way, and you must disclose to the regulator anything that you think they need to know about.

More granular rules, in the Systems and Controls Handbook, there's a requirement that a firm must take reasonable care to establish and maintain citizen controls appropriate for its business. Another one, which is really an important one, is under the supervision manual, there's a rule that you must notify the FCA immediately.

If you become aware or have information that comes into your possession that reasonably suggests that you've had a cyberattack, it goes into all sorts of detail. But basically, if you've got anything that could cause serious detriment to a customer of the firm or any other matter that could cause serious financial consequences for the firm, other firms or the UK financial sector, you must immediately notify the FCA.

David Masters: So, if by accident, I send an email to a customer with the wrong customers data in that, would I have to notify the regulator? Would I have to notify the ICO of that?

Neil Robson: Probably not if you do it once, but if you do it a thousand times with 5000 customers data, then absolutely, yes. So, there's a sort of a balancing act in terms of is it material? Is it a minor point that can be amended, you can resolve it straightforwardly, and then you need to upgrade your systems to make sure that that can't happen again.

But human error is often one of the issues that you can't really legislate for, people are people. So, in the US, just to sort of give a bit more context because obviously a lot of asset managers are dual regulated here in the UK as well as by the SEC in the States. So, in the US, the Securities Exchange Commission is actually putting a new rule in place as of 1st of January, which is essentially a cyber security resilience rule.

So, it's quite widespread. This is not just us here in the UK. This is a global issue.

David Masters: And what about Europe? I believe there's the EU regulation on digital operational resilience for the financial sector, also known as DORA. And there's the DORA directive. So now perhaps you could be our Dora explorer for us.

Neil Robson: Yes, indeed. So, unlike the UK, the EU has gone a lot further. So, they are putting in place, as you say, a regulation and a directive. So, a single piece of legislation to govern cyber security, it applies to most EU financial services firms. there are some exemptions for smaller asset managers for example. So, a small firm operating in in the EU wouldn't have to comply.

But what it comes down to is they must have really robust, information and communication technology, ICT as they define it in the legislation, which must be robust, it must be kept up to date, must have patches applied regularly. You've got to have a governance framework to make sure that everything is put in place appropriately.

Senior management has to be responsible. One individual ultimately will have to take the flack if something goes wrong. So there has to be essentially a senior director level person who is cyber security responsible. There has to be a risk framework put in place. All of these have to be documented, of course. And there's a reporting obligation much like the FCA rules that we were just talking about a moment back, that you have to notify the regulators in Europe if there's a significant cyber threat.

There has to be regular testing put in place. There has to be third party, information, communication, technology risk assessments. So, it’s a really robust piece of legislation. Some have said it's a sledgehammer, cracking the proverbial nuts. But actually, in many ways, this is simply codifying the good principles that we should all be abiding by, frankly.

Now the UK's not putting DORA in place because we're not in the EU. But nonetheless, if you have an affiliate, a subsidiary that's operating in the EU and you are the UK parent of that entity, you're probably going to have to operate under DORA principles anyway. So, a lot of firms in the UK will have to be looking at DORA, which comes into effect, the start of next year in full.

But nonetheless, it's a big deal across Europe right now. And firms are looking at this. Do they have appropriate systems of controls and risk management frameworks and everything else in place? So, yeah, it's a big piece of legislation. Dora the Explorer is all over the place right now, but it's a big and important piece of legislation because it's ultimately about protecting all of us, the public.

David Masters: And we've talked a little bit about the NHS today, but other sort of cases you'd like to pick on today in terms of, things that we could look at and sort of analyse how it worked and what the issues were and how these things got dealt with.

Neil Robson: Well, I think there's perhaps two that we can really focus in on. So one is, Tesco Bank, so Tesco Personal Finance PLC, which some years back admittedly, so the fine was actually published by the FCA in 2018, and it was a cyberattack that took place in November 2016. And what happened was that the hackers got into Tesco Bank systems through, the Tesco Bank debit card, and there were some weaknesses in how it was structured.

The fact that the debit card, obviously everyone can go online onto the bank account, etcetera, and they were able to hack into that and take a lot of money from Tesco Bank clients. They actually netted 2.26 million. So, this was hacking in and stealing people's money. Much more sort of straightforward in parentheses, rather than a ransomware attack or trying to steal data to put on the dark web and sell it on in that way.

This was a straightforward hacking in and then just doing electronic transfers out of people's accounts into the criminal’s accounts. The fine at that time that the FCA imposed on Tesco Bank, which was 16.4 million, was actually the biggest cybercrime penalty fine that the FCA had at that point put in place. So, it was quite significant.

I should note, I don't, at this point know of any major Asset Managers who've had cybercrime fines from the FCA. But again, it just shows that if you look through how the FCA investigated it, then the FCA’s final notice for Tesco banks quite telling that, the bank was just asleep on the job frankly.

They didn't in 2016. Okay, nearly ten years ago, eight years ago, the FCA was saying that they just weren't adequately prepared for a cyber-attack. Now, eight years is a long time obviously in financial services. I would hope that now they've got multi-level sort of security on those accounts and so on. But really, let's jump now actually to Equifax, which is a much more recent case, which is even more telling.

David Masters: Well before we do, I think the Tesco one is quite interesting because I think if you think about what what's in the public consciousness about cyber security, particularly with financial services, that somebody is going to hack into my bank account and steal my money. It's probably right at the top.

Neil Robson: It’s a fear.

David Masters: And it has happened as we've just discussed, but it's probably now not the primary incident. So, I think Equifax, and ransomware and those sorts of things we're going to be talking about probably are now much higher up the sort of agenda, rather than just straightforward theft.

Neil Robson: Yeah, I think that's true. but again, it comes down to in financial services, the rules I talked about earlier about having adequate systems and controls, that's a fairly bland statement. But nonetheless, if you are subject to a cyber-attack and somebody does get in and they are able to steal data, then your systems were not adequate and the FCA will throw the book at you. And that's exactly what happened with Equifax.

Equifax is a, FCA regulated consumer credit broking firm. They do credit reference checks and they do references for consumers. Man in the street, they're a US outfit with a UK subsidiary, very, very big. They deal with thousands, if not millions of people and what happened here was that the US entity had a hack.

The hackers were able to get hold of the data of 13.8 million UK customers. So, we're talking a really big group of people, and it was frankly a shambles because Equifax in the States were investigating, trying to figure out what was going on. It took months before they even told their affiliates in the UK. And then once it became public and Equifax told their customers in the UK, as I say, 13.8 million UK Brits were involved here, they set up a complaint’s hotline or, people were concerned that their personal data had been stolen.

And their system fell over because there were so many complaints. And then they switched off part of the system, which was a sort of, how to manage those complaints, how to deal with the customers who had very valid concerns. And ultimately, I mean, to your point that you've said in the past on the podcast series, reputation is about how you manage things, not necessarily about the fact that it's gone horribly wrong, but how do you resolve something? They didn't resolve things very well at all.

David Masters: No, if you're a concerned customer and you're hearing things or you're reading things, but you can't find anything further about it, that a red flag, that really is.

Neil Robson: Absolutely. And in fact, the FCA, through the book of Equifax, because not only did the management of Equifax in the UK not really know what was going on, they made some very misleading statements to the public that were frankly either negligent or just frankly wrong or potentially misleading.

Who knows? But what appears to have happened is that they didn't give clear information to their customers. So, people were very spooked. They didn't realise how bad it was, in fact, at that point in time. So, the FCA basically said, ‘Okay, this is a shambles.’ This is one of the largest cybersecurity breaches in history, and you really didn't even know it was happening for months.

13.8 million UK customers lost their data there on the dark web. Now people, I would hope, changed all their passwords and set up multi-level security. But nonetheless, they got an 11 million pound fine. Their name is now the number one cybercrime risk issue. We’re all talking about them. But yeah, quite a shambles frankly.

David Masters: And I think probably a good opportunity to just talk a little bit about sort of the key things that you should be doing as a business. Because, in terms of safeguarding your reputation on this. I mean, the impact of data breaches as we've been hearing or cyber security breaches as we've been hearing, obviously, it has a massive reputational impact.

I mean, that loss of client trust is really quite significant. And in Equifax's case that that's quite considerable. And there was absolutely no reason really for them to go down that route. That was a significant wrong turning, I would say, from a reputation management perspective.

Neil Robson: Sure, yeah.

David Masters: Obviously, the regulatory consequences are huge. And for, businesses, whether that's they're B2C or B2B in the asset management and investment management world, the regulatory consequences are often, not just do you get significant fine? Does it have an impact on maybe specific individuals within the firm? But often, that reduces the attractiveness of your business to other investors or what have you. Clearly exposure, public exposure through the media, through social media, etc. can be very damaging as well.

Neil Robson: Of course.

David Masters: Particularly in the world of financial services, where the sectors operate at quite a low level of public trust. If we're quite brutal and honest about it and therefore a negative story about a financial firm, failing on the cybersecurity level is quite an easy story to tell. It's quite combustible, particularly in social media.

So, the key things here are preparedness and, ultimately, how do you stop, a cyber-attack being successful? Because they are going to happen, I mean, I don't think these are things, now we can talk about where it may or may not happen. You will be subject as a firm operating financial services. You are going to be subject to a or multiple cyber-attacks over a period of time.

Neil Robson: Because the risk/reward for those criminals is potentially so high, they can either get money or they could do ransomware to get money, or they can sell the data. If they get enough information, it's well worth their while doing, of course.

David Masters: Absolutely and there is an issue around the alignment of incentives around cyber security, which we can pick up in a moment. But obviously you've got to have proactive measures.

Neil Robson: Absolutely.

David Masters: That’s really important. So, you've got to be able to audit, you've got to have updates on your security, updates on your systems.

Complexities, as I mentioned earlier, complexity is an increasing problem. So how do you overcome that? How do you have the right security to protect all the different parts of your business, all the different parts of your organisation? It's about training employees. I mean, we do this as an organisation. We have regular, education, regular training, regular tests.

Neil Robson: Well, as I said earlier, I mean, human nature is such that people sometimes slip up. People make mistakes, but you need to make staff vigilant. Be focused on; ‘This email. Looks a bit dodgy. Should I open that link?’. No, of course you shouldn't know. Run it by the IT department and say, ‘Is this safe to open?’ They can scan it.

That's assuming it's got through the firm's firewalls. Of course, there should be really robust systems controls in place. In fact, cyber security is now an industry, of course. Making sure that firms are safe and protected from cyber-attack is a really big business. And there are firms out there who will try and hack into your systems, for you as a test.

And of course, if they can't get in, that's a very good sign. Probably quite recommended to engage firms like that on a very regular basis. And I should point out, I don't have interests in such firms.

David Masters: But it's also, I mean, from an investor's point of view. I think it was sort of probably in the sort of late 2010’s , there was a lot of research being published on this.

But cyber security went and operational risk really, where it sort of I think fits for most people, went from being not such a big issue. What why would you hire or fire a fund manager, as a pension fund or something like that? Normally, it’s around performance and the team and changes in the team, or maybe it's around the ownership structure of the asset manager, but cyber security suddenly became a hot topic.

I think in some surveys it actually pushed performance or underperformance off the top spot of reasons why you would fire a fund manager. I think now if you, when people do this research cybersecurity, is identified less by the people doing the research. And I think it tends to come under the operational risk factors, but I think those are quite significant.

Neil Robson: Well, as well as operational risk, as I was saying earlier, cybercrime is now a regulatory risk as well. You could be at risk of significant fines. You know, an 11 million or 16 million pound fine to a small asset manager might kill the business.

David Masters: And as we discussed earlier, cyber-attacks on small businesses can shut them down and have a very large chance of being fatal.

Neil Robson: And of course, with Equifax, it's worth noting that as well as the big find from the FCA, they were also fined by the ICO. The information Commissioner's Office, because it was a GDPR breach. So, you're going to be slammed from every direction you can think of.

And the ICO fines are potentially really big. It's a percentage of your global turnover. So, this should not be understated how important this is.

David Masters: A lot of people will want to have a communications playbook. Playbooks are great for getting things started, but often things can go a bit off piste a little bit. So, you have to be prepared for that. But it's important that you can deal with it, because the important thing about playbooks is they get they make things happen quickly.

And then the communication is really, really important. It’s about being transparent. You have to be seen to be doing, trying to do the right thing. You will get forbearance; cyber security is now a fact of life. People, private individuals, are increasingly aware of this in their own lives. So, you will get a degree of forbearance, if you're a victim of a cyber-attack.

But if you're not seen to be trying to do the right thing, if you're not trying to protect your client data, if you're not trying to protect your colleague’s data and business, etc., then that forbearance will be removed very, very quickly. And I think also, it's important as a business part of that being seen to do the right thing is, to make sure that you're dealing with the right people, whether that's internally or externally.

It's quite interesting. I think we've both, while we've been talking about this, we’ve both brought up experiences where things like spear phishing and social engineering. We had one recently. It looked great. I mean, it looks it looks authentic at first glance. and that's probably what the attackers were hoping that nobody would look at it too closely.

It was an accounting issue for our clients. the email address looks absolutely genuine. It looked like it was, how that well-known accounting organisation, auditing organisation would structure their email addresses. It was quite genuine on that, on that basis, what actually caught our attention was that A, it was sent to us.

That we aren't that we aren't our client. We are a representative of our client. And secondly, we spotted that there were different fonts in the email. So, ultimately, when you looked at it closely, it didn't quite add up. 

Neil Robson: Ultimately, anybody can be a victim of cybercrime. But certainly, if you're a financial services firm, you've got to have those robust systems of controls, you've got to do testing. You've got to be absolutely on it. You can't let the guard down. You've got to be so careful. Because at the end of the day, data is money.

If there's big fines, it could put you out of business. That's a significant concern.

David Masters: Great. Well thank you very much, Neil. I think that's all we've got time for today. So, we'll be back next month where we will be exploring a further area where reputation and regulation overlap in the world of asset and wealth management. Thank you very much. I'm David Masters.

Neil Robson: And I'm Neil Robson.

David Masters: Thank you for listening.

**

Disclaimer: The content in this podcast is for informational purposes only. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest standards of care applicable to attorneys in any given situation. This podcast is considered attorney advertising. Prior results do not guarantee a similar outcome. Any views, opinions or comments made by external guest speakers - are not to be attributed to Katten Muchin Rosenman LLP and/or Katten Muchin Rosenman UK LLP or their individual attorneys/lawyers. All rights reserved.
Newsletter

Stay in the loop
with our experts

Subscribe for the latest news, events and insights straight to your inbox
Ready to work together?

Let’s start something great together

Newsletter

Stay in the loop with our experts

Follow us
Carbon neutral white 616b2c32fb7bb9679ad560fc61635847
Lansons GB English 2023 2024 Certification Badge
CCS BLK Supplier white 616b2c32fb7bb9679ad560fc61635847