Poison Ivy Scenario: Wealth Management Partners Surveillance

Wealth Management Partners: Investment advisory firm, 120 advisors, managing $2.5B in assets
APT • PoisonIvy
STAKES
Client investment data + Financial privacy + Regulatory compliance + Investment strategies
HOOK
Wealth Management Partners is preparing quarterly client reviews when advisors notice their portfolio management systems showing signs of remote activity - client accounts being accessed after hours, investment strategies being viewed during private meetings, and trading algorithms showing unauthorized modifications. Remote surveillance tools have been monitoring confidential client financial information.
PRESSURE
Quarterly client meetings this week - investment data breach threatens client trust and SEC compliance
FRONT • 120 minutes • Advanced
NPCs
  • Managing Director Robert Kim: Overseeing client portfolio management with compromised investment systems showing remote surveillance
  • Compliance Director Amanda Foster: Investigating potential client data exposure and SEC notification requirements
  • Senior Advisor Michael Chen: Reporting remote access patterns affecting client account and investment strategy systems
  • Cybersecurity Consultant Sarah Martinez: Analyzing RAT indicators and financial data protection requirements
SECRETS
  • Investment advisors clicked on fake SEC compliance emails during quarterly preparation
  • Unauthorized parties have remote surveillance of client investment accounts and trading strategies
  • Confidential client financial information and proprietary investment algorithms have been accessed

Planning Resources

📋 Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Poison Ivy Financial Advisory Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

🎬 Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Poison Ivy Financial Advisory Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Wealth Management Partners

Investment advisory firm, 120 advisors, managing $2.5B in assets

Key Assets At Risk:

  • Client investment data
  • Financial privacy
  • Regulatory compliance
  • Investment strategies

Business Pressure

Quarterly client meetings this week - investment data breach threatens client trust and SEC compliance

Cultural Factors

  • Investment advisors clicked on fake SEC compliance emails during quarterly preparation
  • Unauthorized parties have remote surveillance of client investment accounts and trading strategies
  • Confidential client financial information and proprietary investment algorithms have been accessed

Opening Presentation

“It’s Monday morning at Wealth Management Partners, and the investment advisory firm is preparing quarterly client reviews for meetings throughout the week - managing $2.5 billion in client assets and reviewing proprietary investment strategies. But advisors notice troubling signs: portfolio management systems showing remote activity after hours, client accounts being accessed during private meetings, and trading algorithms displaying unauthorized modifications. Investigation reveals remote surveillance tools providing unauthorized parties complete monitoring of confidential client financial information.”

Initial Symptoms to Present:

🚨 Warning: Initial User Reports
  • “Advisor workstations showing signs of remote desktop control during confidential client portfolio reviews”
  • “Client investment accounts being accessed automatically without authorization”
  • “Screen surveillance and trading algorithm modifications detected on wealth management systems”
  • “Network traffic indicating exfiltration of client financial data to external surveillance infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal classic Poison Ivy remote access trojan with complete system control capabilities
  • Email analysis shows targeted fake SEC compliance documents during quarterly client review preparation
  • Timeline analysis indicates weeks of undetected remote access to client investment accounts and proprietary strategies

Protector System Analysis:

  • Advisor workstation monitoring reveals real-time screen surveillance and client financial data theft
  • Investment portfolio security assessment shows unauthorized access to client accounts and trading algorithms
  • Financial advisory network security analysis indicates coordinated multi-target campaign affecting wealth management firms

Tracker Network Investigation:

  • Command and control traffic analysis reveals financial surveillance infrastructure with centralized remote access management
  • Investment intelligence patterns suggest organized targeting of wealth management client data and proprietary strategies
  • Financial advisory communication analysis indicates systematic targeting of high-net-worth client information

Communicator Stakeholder Interviews:

  • Investment advisor interviews reveal suspicious computer behavior during confidential client portfolio meetings
  • Client communication assessment regarding potential exposure of personal financial information and investment strategies
  • SEC compliance coordination regarding regulatory notification requirements and client data protection obligations

Mid-Scenario Pressure Points:

  • Hour 1: Major clients discover potential exposure of confidential investment accounts threatening advisory relationships and firm reputation
  • Hour 2: Compliance review reveals SEC notification requirements for client financial data compromise and regulatory investigation
  • Hour 3: Proprietary trading algorithms found modified affecting investment performance and fiduciary obligations
  • Hour 4: Client data exposure threatens advisory business model and regulatory standing with financial authorities

Evolution Triggers:

  • If investigation reveals client account access, SEC compliance violations affect regulatory standing and client trust
  • If remote surveillance continues, unauthorized parties maintain persistent access to confidential financial information
  • If investment strategy theft is confirmed, competitive advantage and fiduciary obligations are compromised

Resolution Pathways:

Technical Success Indicators:

  • Complete remote access trojan removal from advisory systems with forensic preservation of evidence
  • Client financial data and investment strategy security verified preventing further unauthorized access
  • Surveillance infrastructure analysis provides intelligence on coordinated wealth management targeting

Business Success Indicators:

  • Quarterly client reviews protected through secure evidence handling and transparent client communication
  • Advisory relationships maintained through professional incident response and financial privacy demonstration
  • SEC compliance obligations met preventing regulatory penalties and maintaining fiduciary standing

Learning Success Indicators:

  • Team understands classic RAT capabilities and long-term financial advisory surveillance operations
  • Participants recognize wealth management targeting and regulatory implications of client data theft
  • Group demonstrates coordination between cybersecurity response and SEC compliance requirements

Common IM Facilitation Challenges:

If Remote Access Sophistication Is Underestimated:

“Your malware analysis is progressing, but Sarah discovered that unauthorized parties have been monitoring confidential client meetings in real-time for weeks. How does complete remote desktop access change your client financial protection approach?”

If SEC Compliance Implications Are Ignored:

“While you’re removing the RAT, Amanda needs to know: have client investment accounts been accessed by unauthorized parties? How do you coordinate cybersecurity response with SEC notification and client data protection investigation?”

If Client Trust Impact Is Overlooked:

“Michael just learned that proprietary trading algorithms have been modified affecting investment performance. How do you assess whether stolen client information has been used for unauthorized financial activities or investment fraud?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish financial advisory surveillance crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing classic RAT capabilities and client data protection implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of wealth management surveillance challenges. Use the full set of NPCs to create realistic client meeting and SEC compliance pressures. The two rounds allow discovery of client account access and investment strategy theft, raising stakes. Debrief can explore balance between cybersecurity response and regulatory coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing quarterly reviews, client data protection, SEC compliance, and advisory reputation. The three rounds allow for full narrative arc including remote access discovery, client trust impact assessment, and regulatory response coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate advisory tools causing false positives). Make containment ambiguous, requiring players to justify client notification decisions with incomplete forensic evidence. Remove access to reference materials to test knowledge recall of RAT behavior and financial privacy principles. Include deep coordination with SEC and potential investment fraud investigation.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal classic Poison Ivy remote access trojan providing complete system control over Wealth Management Partners advisor workstations. Security analysis shows unauthorized parties maintaining real-time screen surveillance, keystroke logging, and client financial data exfiltration. Investment advisors report workstations performing unauthorized actions during confidential $2.5B client portfolio review meetings.”

Clue 2 (Minute 10): “Timeline analysis indicates remote desktop access maintained for weeks through targeted fake SEC compliance emails during quarterly client preparation. Command and control traffic analysis reveals financial surveillance infrastructure coordinating multi-target wealth management firm client data theft. Investment portfolio security assessment shows unauthorized access to client accounts and proprietary trading algorithms affecting fiduciary obligations and investment performance.”

Clue 3 (Minute 15): “Compliance investigation discovers client financial information accessed by unauthorized parties confirming privacy breach and SEC notification requirements. Major client communication reveals concerns about account security threatening advisory relationships and firm reputation. Financial regulatory assessment indicates coordinated targeting of multiple wealth management firms requiring immediate client protection and SEC compliance coordination.”


Pre-Defined Response Options

Option A: Emergency Advisory Isolation & SEC Notification

  • Action: Immediately isolate compromised advisor systems, coordinate comprehensive SEC investigation with client data protection assessment, conduct client financial privacy damage assessment, implement emergency security protocols for quarterly review protection and regulatory notification.
  • Pros: Completely eliminates remote surveillance preventing further client data theft; demonstrates responsible SEC compliance management; maintains client relationships through transparent privacy protection coordination.
  • Cons: Advisory system isolation disrupts quarterly client meetings affecting business operations; SEC investigation requires extensive regulatory coordination; damage assessment may reveal significant client financial information compromise.
  • Type Effectiveness: Super effective against APT malmon type; complete remote access removal prevents continued surveillance and client financial data theft.

Option B: Forensic Preservation & Targeted Remediation

  • Action: Preserve SEC investigation evidence while remediating confirmed compromised systems, conduct targeted client data privacy assessment, coordinate selective regulatory notification, implement enhanced monitoring while maintaining advisory operations.
  • Pros: Balances quarterly client requirements with SEC investigation; protects critical advisory operations; enables focused client protection response.
  • Cons: Risks continued remote surveillance in undetected locations; selective remediation may miss coordinated targeting; forensic requirements may delay client data protection.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate remote access presence; delays complete financial privacy restoration.

Option C: Business Continuity & Phased Security Response

  • Action: Implement emergency secure client review environment, phase remote access removal by client priority, establish enhanced financial monitoring, coordinate gradual SEC notification while maintaining quarterly operations.
  • Pros: Maintains critical client meeting timeline protecting advisory business; enables continued wealth management operations; supports controlled regulatory coordination.
  • Cons: Phased approach extends remote surveillance timeline; emergency operations may not prevent continued client data theft; gradual notification delays may violate SEC compliance requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes client operations over complete remote surveillance elimination; doesn’t guarantee financial privacy protection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Client Data Surveillance Discovery (35-40 min)

Investigation Clues (Time-stamped)

T+0 (Round Start): “It’s Monday morning at Wealth Management Partners. Your investment advisory firm manages $2.5B in client assets with quarterly client reviews scheduled throughout this week. Senior Advisor Michael Chen reports portfolio management systems showing remote activity after hours. Compliance Director Amanda Foster detected unusual account access patterns. Initial investigation suggests potential unauthorized surveillance of confidential client financial information.”

T+10 (Detective): “Michael’s workstation forensics reveal classic Poison Ivy RAT with complete remote control capabilities - screen capture during client meetings, keystroke logging of trading credentials, file exfiltration of portfolio strategies. Email analysis shows fake SEC compliance documents targeting advisors during quarterly preparation period. Malware active for approximately 3-4 weeks during sensitive client review cycle.”

T+15 (Protector): “Sarah Martinez’s security analysis confirms multiple advisor workstations compromised with real-time surveillance of client financial data. Portfolio management logs show unauthorized access to high-net-worth client accounts during off-hours. Network monitoring reveals sustained command and control traffic indicating ongoing surveillance sessions during confidential client meetings and trading activities.”

T+20 (Tracker): “Command and control infrastructure analysis reveals financial surveillance operation targeting wealth management firms. Traffic patterns indicate systematic exfiltration of client investment data, trading algorithms, and portfolio strategies. Threat intelligence suggests coordinated campaign across multiple advisory firms in your region - likely financial fraud or competitive intelligence operation.”

T+25 (Communicator): “Advisor interviews confirm suspicious computer behavior - client accounts opening automatically, trading platforms accessing without input, portfolio views displaying during private meetings. Managing Director Robert Kim extremely concerned about SEC compliance implications. Major clients calling with questions about account security after noticing unusual login patterns in their wealth management portals.”

Response Options

Option A: Emergency Advisory Isolation
  • Action: Immediately disconnect compromised advisor workstations, secure client account access offline, initiate comprehensive SEC breach investigation
  • Pros: Stops active surveillance immediately; protects client financial privacy
  • Cons: Disrupts quarterly client meeting schedule; may alert attackers to detection
  • NPC Reactions:
    • Robert Kim: “This disrupts our business, but protecting client trust is paramount.”
    • Amanda Foster: “SEC notification requirements trigger immediately with client data exposure.”

Option B: Monitored Containment
  • Action: Leave systems online while implementing enhanced monitoring, document ongoing theft, gather intelligence for SEC reporting
  • Pros: Maintains client meeting operations; gathers evidence of compromise scope
  • Cons: Continued client data exposure during observation; risky if attackers escalate
  • NPC Reactions:
    • Sarah: “We can learn their objectives, but every minute risks more client data theft.”
    • Compliance: “Each moment of delay could violate our fiduciary obligations.”

Option C: Selective Remediation
  • Action: Isolate high-value client systems only, phase removal by client sensitivity, maintain some advisory operations
  • Pros: Balances client meetings with security; protects most critical accounts
  • Cons: Partial approach may leave surveillance gaps in lower-priority systems
  • NPC Reactions:
    • Robert: “Acceptable compromise - protect our largest clients first.”
    • Major Client: “Why wasn’t my account in the priority protection group?”

Pressure Events

T+30: “PRESSURE EVENT - Your largest client ($250M portfolio) contacts you directly: ‘My wealth management portal shows login from unfamiliar IP address last night. I received two-factor authentication requests I didn’t initiate. Is my account compromised? I’m considering moving assets to another firm.’ How do you respond while investigation is ongoing?”

Round 1 Transition

Based on team response choice, reveal:

If Emergency Isolation: “Your rapid isolation prevented further theft. Forensics confirms approximately 40% of client portfolios were accessed - primarily high-net-worth accounts worth $1.2B in combined assets. Attackers had real-time surveillance of confidential investment strategy meetings for 3 weeks. Amanda needs SEC notification plan immediately.”

If Monitored Containment: “Your monitoring documented extensive client data access. Attackers accessed 65% of client accounts and observed proprietary trading algorithms. Evidence suggests financial fraud preparation - stolen credentials could enable unauthorized trading. SEC compliance counsel warns: continued exposure may constitute fiduciary breach.”

If Selective Remediation: “High-value accounts secured, but surveillance continued on mid-tier client systems. Approximately 55% client exposure. Quarterly meetings feasible for protected clients, but others remain at risk. SEC notification required regardless of phased approach - you’ve confirmed breach of investment advisory systems.”

Round 2: SEC Compliance & Client Trust (35-40 min)

Investigation Clues (Time-stamped)

T+35 (Round Start): “Advisory systems partially secured, but scope of client data compromise now clear. SEC Regulation S-P requires notification of customers whose financial information may have been accessed. Team must decide: immediate transparent disclosure to all clients, targeted notification to confirmed exposed accounts, or phased communication while completing forensics. Client meeting schedule this week adds urgency.”

T+45 (Detective): “Client data exposure forensics complete. Attackers accessed: investment account credentials, portfolio holdings, trading strategies, personal financial information, and tax documentation. Timeline shows systematic intelligence gathering aligned with quarterly review cycle. Evidence includes keystroke logs capturing advisor-client confidential discussions about financial planning and estate strategies.”

T+50 (Protector): “Portfolio system security audit reveals deeper exposure than initially detected. Trading platform credentials were compromised - attackers could potentially execute unauthorized trades. Security rebuild estimated at 3-4 weeks for comprehensive remediation. Emergency secure client meeting protocols possible in 5 days with enhanced monitoring and manual account access controls.”

T+55 (Tracker): “Financial fraud investigation analysis suggests this may be investment scheme preparation. Stolen credentials combined with detailed client financial profiles enable sophisticated social engineering and unauthorized trading. Similar attacks on other wealth management firms in your region suggest organized financial crime operation rather than isolated incident.”

T+60 (Communicator): “Robert facing intense client pressure about quarterly meetings. Several high-net-worth clients demanding immediate explanation of security incident. Amanda preparing SEC Form ADV amendment and Regulation S-P notifications. Legal counsel advising on potential class action exposure if clients suffer financial losses from compromised accounts.”

Response Options

Option A: Immediate Transparent Disclosure
  • Action: Notify all clients immediately, file SEC reports, offer complimentary credit monitoring and enhanced security, reschedule quarterly meetings for post-remediation
  • Pros: Demonstrates fiduciary responsibility; protects clients from fraud; maintains regulatory compliance
  • Cons: May trigger client defection to competitors; reputational damage to advisory practice; quarterly revenue impact
  • Victory Conditions:
    • Technical: Clean systems deployed with enhanced account security
    • Business: Client trust maintained through transparent handling
    • Learning: Team understands fiduciary obligations during security incidents

Option B: Targeted Client Communication
  • Action: Notify only confirmed-compromised accounts, enhanced monitoring for all, forensics completion before broader disclosure
  • Pros: Minimizes immediate client panic; targeted security response; allows time for remediation
  • Cons: May violate SEC notification requirements; risks client discovery before notification; potential regulatory penalties
  • Victory Conditions:
    • Technical: Compromised accounts secured with validation
    • Business: High-value relationships preserved through managed disclosure
    • Learning: Team appreciates regulatory complexity in phased responses

Option C: Phased Disclosure with Enhanced Security
  • Action: Implement emergency secure meeting protocols immediately, begin client notifications while continuing quarterly meetings, phase disclosure by client tier
  • Pros: Maintains some business operations; demonstrates action while investigating; gradual client communication
  • Cons: Complex coordination; mixed messaging may confuse clients; regulatory ambiguity
  • Victory Conditions:
    • Technical: Emergency protocols enable secure operations
    • Business: Quarterly meetings proceed with enhanced security
    • Learning: Team learns balance between business continuity and compliance

Pressure Events

T+70: “PRESSURE EVENT - Local news outlet calls: ‘We’ve received tips that Wealth Management Partners suffered a security breach affecting client accounts. Multiple sources report clients are withdrawing assets. Can you confirm the breach and explain why clients weren’t notified immediately?’ Story publishing in 2 hours. How do you respond?”

Facilitation Questions

  • “What SEC regulatory requirements apply to investment advisory cybersecurity incidents?”
  • “How do you balance client notification obligations with business continuity needs?”
  • “What fiduciary duties exist when client financial data has been accessed by unauthorized parties?”
  • “How do you prevent client defection while maintaining transparent communication?”

Victory Conditions

Technical Victory:
  • All Poison Ivy infections removed from advisory systems
  • Client account access secured with multi-factor authentication
  • Trading platform credentials reset and validated

Business Victory:
  • Client relationships maintained despite security incident
  • Quarterly meeting obligations met with secure protocols
  • SEC compliance demonstrated through timely notification

Learning Victory:
  • Team understands wealth management cybersecurity regulations
  • Participants recognize balance between fiduciary duty and business survival
  • Group demonstrates coordination between security, compliance, and client relations

Debrief Topics

  1. RAT Surveillance of Financial Services: Complete remote access to client portfolios and trading systems
  2. SEC Regulation S-P: Investment advisor obligations for client privacy protection
  3. Fiduciary Duty: Advisory responsibilities during cybersecurity incidents
  4. Financial Fraud Risk: How stolen credentials enable unauthorized trading
  5. Client Trust Recovery: Rebuilding advisory relationships after privacy breach

Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Advisory System Compromise (35-40 min)

Open Investigation Phase

Opening Scenario: “Monday morning, Wealth Management Partners, 120 investment advisors managing $2.5B in client assets. Quarterly client reviews scheduled throughout this week. Advisors report portfolio management systems showing signs of remote activity - accounts accessed after hours, unusual login patterns. Investigate and recommend initial response.”

Available Investigation Paths:

Detective Role:
  • Advisor workstation forensics
  • Email security analysis
  • Client account access logs
  • Timeline reconstruction
  • Malware analysis

Protector Role:
  • Portfolio management system security
  • Trading platform access controls
  • Network traffic analysis
  • Client data protection assessment
  • Financial system hardening

Tracker Role:
  • Command and control infrastructure
  • Financial fraud indicators
  • Threat actor attribution
  • Industry targeting analysis
  • Financial crime intelligence

Communicator Role:
  • Advisor interviews
  • Client communication planning
  • SEC compliance coordination
  • Executive briefings
  • Legal counsel consultation

NPCs Available for Consultation

Robert Kim (Managing Director):
  • Priorities: Protect client relationships, maintain quarterly meeting schedule, preserve firm reputation
  • Concerns: Client defection, revenue impact, competitive disadvantage
  • Conflict: Client trust vs. business continuity pressure

Amanda Foster (Compliance Director):
  • Priorities: SEC regulatory compliance, fiduciary duty fulfillment, client privacy protection
  • Concerns: Regulatory penalties, client notification requirements, legal liability
  • Expertise: Investment advisor regulations, Regulation S-P, Form ADV amendments

Michael Chen (Senior Advisor):
  • Priorities: Client communication, investment operations, advisor team morale
  • Concerns: Client trust, system reliability, colleague security awareness
  • Information: Specific suspicious behavior patterns during client meetings

Sarah Martinez (Cybersecurity Consultant):
  • Priorities: Complete threat removal, comprehensive forensics, future prevention
  • Concerns: Threat sophistication, financial fraud risk, incomplete remediation
  • Expertise: Financial services security, incident response, threat analysis

Pressure Events (Deploy as appropriate)

T+15: “Michael: ‘I just discovered my trading platform credentials were used at 2 AM last night. I was asleep. No trades were executed, but someone had complete access to all my client accounts.’”

T+25: “Amanda: ‘SEC Regulation S-P requires we notify clients of financial information breaches promptly. We need to determine exposure scope immediately to meet our notification obligations.’”

T+30: “Robert: ‘Major client just called - their wealth portal showed suspicious login attempt. They’re threatening to move their $250M portfolio if we can’t guarantee security today.’”

Round 2: Financial Fraud Risk Assessment (40-45 min)

Open Investigation Phase

Round Transition: “Your initial response has contained active surveillance, but forensics reveals weeks of undetected access to client financial data. Attackers accessed 40-65% of client portfolios including high-net-worth accounts. Evidence suggests this may be financial fraud preparation - stolen credentials combined with detailed client profiles enable sophisticated schemes. Investigate full scope and develop SEC-compliant response strategy.”

New Investigation Options:

Detective:
  • Financial fraud indicators analysis
  • Trading authorization review
  • Client identity theft assessment
  • Account manipulation detection
  • Evidence compilation for regulators

Protector:
  • Trading platform security audit
  • Client account damage assessment
  • Secure meeting protocol design
  • Enhanced authentication implementation
  • Incident response documentation

Tracker:
  • Financial crime network analysis
  • Similar attack pattern research
  • Regional advisory firm targeting
  • Organized crime indicators
  • Law enforcement coordination

Communicator:
  • Client notification strategy planning
  • SEC reporting coordination
  • Media inquiry management
  • Internal advisor communication
  • Legal strategy development

NPC Evolution

Robert Kim:
  • Increased pressure: “Clients are calling asking about the ‘rumors’ of a breach. News is spreading. We need a communication strategy now.”
  • New concerns: Firm survival, advisor retention, competitive vulnerability
  • Demanding: Balance between transparent disclosure and business protection

Michael Chen:
  • Client impact: “Three of my largest clients are scheduling meetings with competing advisory firms this week. They’ve lost confidence in our security.”
  • Team morale: “Advisors feel violated - their confidential client discussions were monitored.”
  • Question: “How do we reassure clients when we’re not sure ourselves that all threats are removed?”

Amanda Foster:
  • Regulatory requirement: “SEC requires Form ADV amendment disclosure of this breach. It becomes public record. All potential clients will see it.”
  • Notification timeline: “Regulation S-P requires ‘prompt’ notification - legal interpretation suggests within days, not weeks.”
  • Warning: “If clients suffer financial losses due to delayed notification, we face regulatory penalties and civil liability.”

Sarah Martinez:
  • Investigation findings: “Attackers had access to everything - account credentials, trading authorization, personal financial data, even confidential estate planning discussions.”
  • Fraud risk: “With this level of detail, they could impersonate clients, execute unauthorized trades, or conduct sophisticated social engineering.”
  • Remediation: “Full security rebuild: 3-4 weeks. Emergency protocols for quarterly meetings: 5 days with manual controls.”

Pressure Events

T+50: “High-net-worth client attorney: ‘My client’s portfolio is worth $180M. If your security breach causes any financial loss, we’re holding your firm personally liable. Explain immediately what protections you’re implementing.’”

T+65: “Media inquiry: ‘Sources report Wealth Management Partners cybersecurity incident exposed client financial data. Multiple advisory firms in your region have been breached. Are you coordinating with regulators and law enforcement?’ Response expected today.”

T+75: “SEC examination staff: ‘We’re aware of your incident. We expect Form ADV amendment and Regulation S-P notifications within regulatory timeframes. Schedule briefing with our office this week to explain client protection measures.’”

Round 3: Fiduciary Response & Recovery (40-45 min)

Open Investigation Phase

Round Transition: “Team has full understanding of client data exposure and financial fraud risk. Final decisions needed: client notification approach (immediate/targeted/phased), quarterly meeting strategy (proceed/postpone/secure protocols), SEC reporting timing, and long-term security rebuild. Develop comprehensive strategy fulfilling fiduciary duties while maintaining advisory business.”

Strategic Decision Points:

  1. Client Notification
    • Option A: Immediate transparent disclosure to all 15,000 clients
    • Option B: Targeted notification to confirmed-compromised accounts only
    • Option C: Tiered notification (high-value first, others phased)
    • Option D: Minimum disclosure pending forensics completion
  2. Quarterly Meetings
    • Option A: Proceed with emergency secure protocols (manual/offline)
    • Option B: Postpone all meetings pending security rebuild (3-4 weeks)
    • Option C: Selective meetings (secured accounts only)
    • Option D: Virtual meetings with enhanced authentication
  3. SEC Reporting
    • Option A: Immediate Form ADV amendment and public disclosure
    • Option B: File required reports but minimize public attention
    • Option C: Coordinate with SEC staff before formal filing
    • Option D: Delay until investigation complete (risks penalties)
  4. Security Rebuild
    • Option A: Complete advisory system rebuild (3-4 weeks offline)
    • Option B: Phased remediation with enhanced monitoring
    • Option C: Emergency protocols with gradual improvement
    • Option D: Third-party takeover of client operations during rebuild

Final Pressure Events

T+90: “Robert: ‘The partnership is splitting on response strategy. Half want immediate transparent disclosure. Half say that guarantees firm failure. You need to recommend which path keeps us in business while fulfilling our fiduciary duties.’”

T+105: “Class action attorney announcement: ‘Investigating Wealth Management Partners security breach. Clients who have suffered financial losses due to inadequate cybersecurity may be entitled to compensation. Free consultation available.’”

T+115: “Major institutional client ($500M relationship): ‘Our investment committee meets tomorrow to decide whether to terminate our advisory relationship. Convince us by then that your firm has adequate security, or we’re moving assets to your competitor.’”

Facilitation Questions

  • “What evidence satisfies you that client financial data is now secure?”
  • “How do you balance fiduciary duty to notify clients with business survival concerns?”
  • “What level of transparency is required when client assets haven’t been directly impacted?”
  • “How do you rebuild client confidence after surveillance of confidential financial discussions?”
  • “What security measures distinguish your firm from competitors after public breach disclosure?”

Victory Conditions

Technical Victory:
  • Comprehensive Poison Ivy removal with verified clean systems
  • Client account security enhanced with multi-factor authentication
  • Trading platform access validated and monitored
  • Portfolio management system hardened against future compromise

Business Victory:
  • Client notification strategy fulfills regulatory requirements
  • Quarterly meeting obligations met through secure protocols
  • Client defection minimized through transparent communication
  • Firm reputation recovery plan demonstrates commitment to fiduciary duty

Learning Victory:
  • Team articulates SEC investment advisor cybersecurity regulations
  • Participants understand fiduciary duty implications during incidents
  • Group demonstrates sophisticated balance between compliance and business
  • Discussion includes lessons for financial services security culture

Debrief Topics

  1. Financial Services RAT Targeting: Why wealth management attracts surveillance
  2. SEC Regulation S-P: Investment advisor client privacy obligations
  3. Fiduciary Duty Complexity: Balancing transparency with firm survival
  4. Financial Fraud Mechanics: How stolen credentials enable unauthorized trading
  5. Client Trust Economics: Cost of privacy breach in advisory relationships
  6. Regulatory Reporting Requirements: Form ADV, Regulation S-P, examination staff coordination
  7. Advisory Business Continuity: Maintaining operations during security rebuild

Advanced Challenge Materials (150-170 min, 3+ rounds)

Additional Complexity Layers

Red Herrings

  1. Legitimate Financial Software:
    • Portfolio management software with remote access features
    • Trading platform automated alert systems
    • Wealth management portal legitimate after-hours batch processing
    • IM Challenge: Distinguish malicious surveillance from authorized financial system operations
  2. Advisor Remote Work:
    • Advisors working from home access client accounts at unusual hours
    • International markets require early morning/late evening trading
    • Automated investment rebalancing triggers off-hours activity
    • IM Challenge: Separate authorized advisor remote access from unauthorized surveillance
  3. Client-Initiated Activity:
    • Clients accessing their own portals from new devices/locations
    • Legitimate two-factor authentication requests during travel
    • Family members authorized on accounts generating access patterns
    • IM Challenge: Differentiate client legitimate activity from attacker reconnaissance

Ambiguous Evidence

  1. Incomplete Access Logs:
    • Some client account access logs deleted by anti-forensics
    • Portfolio management system logging gaps during critical period
    • Network captures incomplete for full surveillance timeline
    • IM Challenge: Determine notification requirements with uncertain exposure scope
  2. Trading Authorization Uncertainty:
    • Unclear whether stolen credentials were used to execute trades
    • Some trading activity within normal parameters but timing suspicious
    • Client authorization documentation accessed but unclear if misused
    • IM Challenge: Assess financial fraud risk without definitive proof
  3. Personal Information Exposure:
    • Keystroke logs captured some client discussions, but not all
    • Uncertain whether estate planning documents were exfiltrated
    • Tax information access logged but exfiltration unclear
    • IM Challenge: Determine identity theft notification obligations with incomplete evidence
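As an added example (not part of the exercise materials), the Python below turns the red-herring categories above and the logging-gap problem under Ambiguous Evidence into concrete triage logic: it classifies constructed access-log lines as authorized batch work, approved advisor remote access, client self-service, or "investigate", and lists the silent periods in the log that widen the uncertain exposure window. The log format, account names and schedules are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed reference data (assumptions, not from the exercise materials):
# batch service accounts with their expected hour window, advisors with an
# approved remote-work / overseas-market window, and normal office hours.
AUTHORIZED_BATCH = {"svc_rebalance": (1, 4), "svc_portal_batch": (22, 24)}
ADVISOR_WINDOWS = {"mchen": (4, 22)}   # approved early Asia-market hours
BUSINESS_HOURS = (8, 18)

# Constructed sample of the firm's account-access log (not real data).
SAMPLE_LOG = """\
2024-03-11T02:15:00 user=svc_rebalance src=batch interactive=0 action=rebalance
2024-03-11T05:10:00 user=mchen src=advisor_vpn interactive=1 action=view_portfolio
2024-03-11T06:02:00 user=client4471 src=client_portal interactive=1 mfa=ok action=login
2024-03-11T23:40:00 user=svc_portal_batch src=batch interactive=1 action=export_accounts
2024-03-12T01:05:00 user=rkim src=workstation interactive=1 action=view_strategy
"""

def parse(line):
    """Parse one log line of the form '<iso-timestamp> key=value ...'."""
    ts, *kv = line.split()
    ev = dict(item.split("=", 1) for item in kv)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["interactive"] = ev.get("interactive") == "1"
    return ev

def classify(ev):
    """Map one access event to a red-herring category or 'investigate'."""
    h, src, user = ev["ts"].hour, ev["src"], ev["user"]
    if src == "batch":
        # A batch account is benign only inside its window and never interactive.
        lo, hi = AUTHORIZED_BATCH.get(user, (0, 0))
        ok = lo <= h < hi and not ev["interactive"]
        return "authorized_batch" if ok else "investigate"
    if src == "advisor_vpn":
        lo, hi = ADVISOR_WINDOWS.get(user, BUSINESS_HOURS)
        return "advisor_remote" if lo <= h < hi else "investigate"
    if src == "client_portal":
        # A new device or location alone is a red herring; a completed MFA
        # challenge is what separates client travel from attacker reconnaissance.
        return "client_self_service" if ev.get("mfa") == "ok" else "investigate"
    # Interactive workstation use after hours is the scenario's core indicator.
    return "office_hours" if BUSINESS_HOURS[0] <= h < BUSINESS_HOURS[1] else "investigate"

def triage(log_text):
    """Return (timestamp, user, category) for every non-empty log line."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return [(e["ts"], e["user"], classify(e)) for e in events]

def logging_gaps(log_text, max_gap=timedelta(hours=6)):
    """Return (start, end) pairs where the log is silent longer than max_gap;
    each gap widens the exposure window that notification decisions must cover."""
    ts = sorted(parse(l)["ts"] for l in log_text.splitlines() if l.strip())
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap]
```

Only the two "investigate" results (an interactive session under a batch account, and an after-hours workstation session) need the IM's attention; the other three are the scenario's red herrings.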

Knowledge Recall Testing (No Reference Materials)

Teams must recall from training:

  1. Financial Regulations:
    • What are SEC Regulation S-P requirements for investment advisors?
    • When does Form ADV amendment require cybersecurity incident disclosure?
    • What constitutes “prompt” notification under financial privacy regulations?
    • How do state privacy laws interact with federal investment advisor rules?
  2. Fiduciary Duty:
    • What cybersecurity obligations exist under fiduciary duty?
    • When does security incident breach fiduciary obligations?
    • What duty exists to prevent identity theft of client information?
    • How does fiduciary duty apply to business continuity decisions?
  3. RAT Capabilities in Financial Services:
    • How does keystroke logging capture trading credentials?
    • What does screen surveillance reveal about client portfolios?
    • How does remote access enable unauthorized trading?
    • What persistence mechanisms allow long-term financial surveillance?
  4. Financial Fraud Patterns:
    • How do attackers monetize stolen wealth management credentials?
    • What social engineering becomes possible with detailed client financial profiles?
    • How do organized financial crime groups operate?
    • What indicators distinguish fraud preparation from other motivations?

Enhanced NPC Complexity

Robert Kim - Business vs. Ethics:
  • Public position: “Our clients’ security and trust are our top priorities.”
  • Private pressure: “Transparent disclosure will destroy this firm. 30-year reputation gone.”
  • Team challenge: Managing director who prioritizes firm survival over full transparency

Amanda Foster - Regulatory Constraints:
  • Initial guidance: “We must notify clients promptly as Regulation S-P requires.”
  • Later pressure: “Legal counsel suggests we have some flexibility in timing and scope…”
  • Team challenge: Compliance officer facing pressure to interpret regulations favorably

Michael Chen - Client Advocate:
  • Ethical stance: “These are my clients. They deserve to know everything immediately.”
  • Business reality: “But if we tell them everything, they’ll all leave and we’ll have no firm to serve them from.”
  • Team challenge: Advisor torn between client advocacy and firm loyalty

Sarah Martinez - Security Purist:
  • Technical position: “We need complete rebuild. Anything less leaves clients vulnerable.”
  • Business pressure: “But Robert says 3-week shutdown means bankruptcy. Can we do minimum viable security?”
  • Team challenge: Security consultant pressured to compromise technical standards

Scenario Variations

Variation 1: Client Discovers Breach First
  • High-net-worth client’s personal security team detects compromise
  • Client already coordinating with FBI before firm notification
  • Team must respond to client-led investigation
  • Additional pressure: Reactive response after client lost confidence

Variation 2: Insider Facilitation Suspected
  • Some evidence suggests potential advisor involvement
  • Disgruntled advisor recently terminated had access to systems
  • Unclear if compromise was external only or insider-assisted
  • Additional pressure: HR investigation and potential law enforcement involvement

Variation 3: Coordinated Regional Attack
  • Multiple wealth management firms in region breached simultaneously
  • Industry association coordinating collective response
  • Regulatory pressure for industry-wide security improvements
  • Additional pressure: Competitive disclosure considerations and industry reputation

Extended Pressure Events

T+30: “Anonymous tip to local news: ‘Wealth Management Partners covered up major breach affecting client accounts. Clients deserve to know their financial data was stolen.’ Media investigating story. How does the anonymous leak affect your notification strategy?”

T+60: “Competing advisory firm marketing campaign: ‘Trust your wealth management to a firm that prioritizes your security. Recent incidents in our industry remind us why cybersecurity cannot be compromised.’ Indirect attack on your firm. Impact on client retention?”

T+90: “SEC examination staff informal call: ‘We’re hearing from other advisory firms that you may have suffered an incident. If you’re delaying notifications or reports, I suggest you reconsider. We take Regulation S-P very seriously.’”

T+120: “Partnership emergency meeting: Some partners want to dissolve the firm and move clients to their individual practices to avoid collective liability. ‘Better to split now while we still have clients than wait for mass defection.’ Does partnership dissolution affect your incident response?”

Advanced Facilitation Challenges

Challenge 1: Fiduciary Duty Dilemma “Your investigation shows client data was accessed, but no evidence of actual financial harm. You could potentially satisfy minimum notification requirements with vague language, avoiding detailed disclosure that might trigger client departure. Does fiduciary duty require more transparency than regulations mandate?”

Challenge 2: Selective Disclosure “Forensics shows high-net-worth accounts ($5M+) were specifically targeted, while smaller accounts may not have been accessed. Do you notify all clients equally, or provide more detailed information to clients facing higher risk? What are the regulatory and ethical implications of tiered disclosure?”

Challenge 3: Business Survival vs. Client Protection “Financial projections show that full transparent disclosure results in 60%+ client defection and firm bankruptcy within 6 months. Minimal disclosure may allow the firm to survive and continue serving remaining clients. Do you prioritize transparency that kills the firm, or controlled disclosure that preserves some client service capacity?”

Challenge 4: Regulatory Interpretation “Your attorney argues that Regulation S-P’s ‘prompt’ notification allows time for complete investigation - potentially weeks. But ethical interpretation suggests clients deserve immediate warning of potential identity theft risk. Do you follow legal minimum or ethical maximum?”

Deep Coordination Requirements

Multi-Stakeholder Complexity:
  • Clients demanding immediate information
  • SEC examination staff monitoring compliance
  • Partnership divided on response strategy
  • Legal counsel recommending minimal disclosure
  • Security team requiring remediation time
  • Team must navigate competing stakeholder demands

Regulatory Framework Coordination:
  • SEC Regulation S-P notification requirements
  • Form ADV amendment public disclosure
  • State privacy law notification obligations
  • FINRA examination potential
  • Team must coordinate across multiple regulatory frameworks

Client Tier Management:
  • High-net-worth clients ($5M+) expect white-glove service
  • Institutional clients have security audit requirements
  • Retail clients have varied sophistication and expectations
  • Team must manage differentiated client communication

Victory Conditions (Advanced)

Technical Excellence:
  • Complete RAT removal with verified persistence elimination
  • Client account security independently validated
  • Trading platform access controls enhanced
  • Portfolio management system comprehensive hardening
  • Incident documentation suitable for regulatory examination

Business Sophistication:
  • Client notification strategy fulfills fiduciary duty
  • SEC compliance demonstrated through timely reporting
  • Client retention strategy minimizes defection
  • Firm reputation recovery demonstrates commitment to security
  • Business continuity maintained despite major incident

Learning Mastery:
  • Team demonstrates expert understanding of financial services regulations
  • Sophisticated analysis of fiduciary duty during cybersecurity incidents
  • Expert-level stakeholder management across clients, regulators, partners
  • Nuanced appreciation of business survival vs. ethical transparency trade-offs
  • Recognition that perfect compliance may conflict with firm survival

Extended Debrief Topics

  1. SEC Regulatory Framework: Regulation S-P, Form ADV, examination process
  2. Fiduciary Duty Evolution: How cybersecurity has become fiduciary obligation
  3. Financial Fraud Mechanics: Wealth management targeting and monetization strategies
  4. Client Trust Economics: Quantifying cost of privacy breach in advisory relationships
  5. Regulatory Interpretation: Balancing legal minimums with ethical maximums
  6. Business Continuity Ethics: When firm survival conflicts with full transparency
  7. Advisory Industry Reputation: How individual firm incidents affect industry trust
  8. Identity Theft Liability: Investment advisor responsibility for client personal information
  9. Partnership Dynamics: How collective liability affects incident response decisions
  10. Competition During Crisis: How competitors exploit security incidents for market share

Modernization Discussion

Contemporary Parallels:
  • Morgan Stanley data breach affecting millions of clients
  • Robinhood security incidents and regulatory response
  • Cryptocurrency exchange surveillance and theft
  • Fintech wealth management security challenges

Evolution Questions:
  • How do modern cloud-based portfolio management platforms change the attack surface?
  • What role does AI play in detecting financial fraud patterns?
  • How has mobile wealth management affected security requirements?
  • What new regulatory frameworks address modern financial technology risks?