Every Wealth Manager Needs to Know About MOVEit

John O’Connell

Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.

Many of you have likely never heard of MOVEit, Progress Software, or cl0p. You also may not have heard of the MOVEit breach, which affected every college student in the United States, anyone who lives in Louisiana, current and former teachers, and nearly every annuity holder. Class action lawsuits have already been filed with Fidelity and Schwab/TD as defendants. Emsisoft reported over 1,160 firms affected, and the personal information of over 60 million people is in the hands of cybercriminals.

The MOVEit breach affected the clients of every wealth manager in America.

This article is not hyperbole or written to scare the reader. My article will cover:

  • Defining the breach in executive terms;
  • The meaning of the breach to your clients and your firm;
  • The steps you can recommend for your clients today; and
  • The steps that you can take to protect your firm and your employees.

What is MOVEit?

MOVEit is a software program owned by Progress Software. The program is used to move sensitive information from one organization to another. It is called file transfer software because it transfers files between two organizations. The software is marketed as a secure managed-file-transfer application. Its marketing materials say that it is an essential ingredient in meeting HIPAA, GDPR, and ISO 27001 compliance. It is called “secure” because MOVEit encrypts the data at the source on its server, and then encrypts the data again by sending it over a secure file transfer capability. MOVEit also uses multi-factor authentication (MFA) to provide an extra layer of security when entering credentials to access the software. MOVEit is called “managed” because it creates an entry in an audit log for nearly every event that happens in the software. Think of an audit log like a captain’s log (Star Trek fans) in that it has an entry for every major event and every day. We’ll come back to the audit log a bit later.