Confronting cyber threats in the asset management industry

A cultural shift needed to help mitigate the dangers of cyber crime

The threat of a data breach is a significant concern for many financial institutions. Cyber criminals are becoming increasingly adept at performing sophisticated attacks that can jeopardize client financial data or result in the unauthorized disclosure of investment strategies and algorithms. What actions can firms in the asset management industry take to protect themselves from potential cyber attacks?

Key insights

  • Asset management firms are not immune from cyber attacks — hackers are increasingly exploring the potential for manipulating markets by stealing intellectual property such as trading algorithms
  • Broader education about the sophisticated tools used by cyber criminals is required in the fund industry, and portfolio managers must be aware that social engineering is the basis of most attacks
  • Many firms continue to view cyber security as a technical issue, but creating a team-focused culture is key to mitigating threats

Fund managers are investing to increase cyber resilience

A 2018 survey by Osney Media and BackBay Communications found that two-thirds of asset managers believe cyber crime is a greater threat to their business than it was the previous year.1 The Trends in Asset Management survey polled 88 respondents across all areas of asset management operations and found that 50 percent of firms plan to increase expenditure on cyber security. One of the key drivers for this trend was the introduction of the General Data Protection Regulation (GDPR) in May 2018, which allows supervisory authorities to impose significant fines for breaches of personal data protection obligations, including failure to notify the authority of a personal data breach within 72 hours of becoming aware of it.

Flying under the radar is not an option

Many fund managers may underestimate their potential exposure to cyber criminals. According to projections by PwC, assets under management globally are expected to exceed USD 145 trillion by 2025,2 which translates into a significant surge in the volume of financial data. The intellectual property asset managers use to shape and manage investment strategies is highly valuable to cyber criminals. Confidential trading algorithms, illegally obtained, could be used to front-run trades and result in illicit profits.

Regulators have grown concerned that asset managers are not taking sufficient precautions to safeguard computer systems and mitigate the threat of cyber crime. In May 2017, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations warned that 26 percent of the advisers and investment management firms it had examined did not conduct periodic risk assessments of critical systems to identify cyber security threats, vulnerabilities, and the potential business consequences.3

In September 2018, the Monetary Authority of Singapore (MAS) published a consultation paper on a proposed Notice on Cyber Hygiene, intended to strengthen the cyber resilience of financial institutions.4 The paper proposed the following six baseline requirements:

  • Address system security flaws in a timely manner
  • Establish and implement robust security for systems
  • Deploy security devices to secure system connections
  • Install antivirus software to mitigate the risk of malware infection
  • Restrict the use of system administrator accounts that can modify system configurations
  • Strengthen user authentication for system administrator accounts on critical systems

More recently, in December 2018, the European Banking Authority (EBA) published its consultation paper on draft Guidelines on Information and Communication Technology (ICT) and security risk management, which provide detailed and practical steps that firms should take to enhance their cyber resilience capabilities. The EBA's guidelines will apply equally to payment service providers, credit institutions and investment firms, and address ways in which firms can aim to prevent cyber attacks and enhance their resilience.5

Technical fixes alone are not sufficient to boost cyber resilience. A cultural shift within the industry is also required.

Cyber threats defined

  • Botnet: A network of internet-connected devices that have been compromised and are remotely controlled by an attacker; the combined capacity of the network is used to disrupt services (for example through distributed denial-of-service floods), send phishing email at scale, or try stolen credentials against login pages
  • Malware: An umbrella term for malicious software such as computer viruses, worms, and Trojan horses, which attackers use to take control of computers and gain access to sensitive data without the user's permission
  • Ransomware: A subset of malware that encrypts files or locks the system, denying the victim access to their data until a payment is made, typically in cryptocurrency; paying does not guarantee that access is restored
  • Phishing: A social engineering technique in which an email, message, or website is disguised as coming from a credible source in order to harvest credentials or other data, or to deliver malware

Creating a team culture around cyber security

To mitigate the growing threat of cyber crime, asset managers should also focus on prevention, detection, and rapid responses to suspicious activity. According to global technology consultancy Accenture, asset managers need to establish a culture that promotes teamwork, including an understanding and awareness by every individual as to where threats may come from, and how to protect against those potential vulnerabilities.6 By fostering a team-focused culture and administering a robust cyber security program, asset managers can help protect both their clients and their firm from cyber attacks.

Within firms, corporate-wide initiatives must be established across every department to counter the growing range of digital threats. The sophisticated use of botnets, malware, and ransomware each present unique security challenges that need to be understood. Teams must also be aware that social engineering is the basis of most cyber crimes. Phishing in particular is increasingly prevalent, with cyber criminals commonly deceiving portfolio managers with spoofed email addresses that appear to be sent from individuals in positions of trust within their organization. Greater awareness of these techniques within teams is necessary in order to minimize and thwart their effectiveness.
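Phishing of the kind described above, where the visible sender appears to be a trusted colleague, can be screened at the mail gateway before it reaches a portfolio manager. The following is an added example, not code from the original article or from any firm it cites: a small Python triage routine that flags the common sender-impersonation patterns (a forged From address that fails DMARC, a colleague's display name on an outside address, a look-alike domain, and a Reply-To that diverts replies elsewhere). The firm domain, gateway identifier, directory of trusted senders and the raw messages are constructed for the example.

```python
"""Triage inbound mail for sender impersonation (added example, not from the article).
The firm domain, gateway identifier, trusted-sender directory and messages are constructed."""
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-am.com"      # assumed firm domain
INTERNAL_GATEWAY = "mx.example-am.com"  # assumed authserv-id stamped by our own gateway
TRUSTED_SENDERS = {                     # assumed internal directory (lower-cased names)
    "dana whitfield": "dana.whitfield@example-am.com",
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _dmarc_result(msg) -> str:
    """Read dmarc= only from Authentication-Results stamped by our gateway; anything else may be forged."""
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr).strip()
        if text.startswith(INTERNAL_GATEWAY):
            m = re.search(r"\bdmarc=(\w+)", text)
            if m:
                return m.group(1).lower()
    return "none"


def assess(raw: str) -> list[str]:
    """Return the reasons a message looks like sender impersonation (empty list if none)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_dom = _domain(addr)
    findings: list[str] = []

    # 1. Forged internal address: From claims our domain but our gateway's DMARC check did not pass.
    dmarc = _dmarc_result(msg)
    if from_dom == INTERNAL_DOMAIN and dmarc != "pass":
        findings.append(f"From claims {INTERNAL_DOMAIN} but DMARC result is '{dmarc}'")

    # 2. Display-name spoof: a trusted colleague's name on an address that is not theirs.
    expected = TRUSTED_SENDERS.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append(f"display name '{name}' belongs to {expected}, not {addr}")

    # 3. Look-alike domain: within two edits of ours (example-am.co, examp1e-am.com, ...).
    if from_dom and from_dom != INTERNAL_DOMAIN and _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {from_dom} looks like {INTERNAL_DOMAIN}")

    # 4. Reply-To redirect: replies would go to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To {reply} diverts replies away from {from_dom}")
    return findings


# Constructed messages. The Authentication-Results line is what our own gateway would add.
LEGIT = """\
From: Dana Whitfield <dana.whitfield@example-am.com>
Authentication-Results: mx.example-am.com; spf=pass smtp.mailfrom=example-am.com; dkim=pass header.d=example-am.com; dmarc=pass header.from=example-am.com

Please review the Q3 allocation deck before Thursday.
"""
EXACT_SPOOF = """\
From: Dana Whitfield <dana.whitfield@example-am.com>
Reply-To: Dana Whitfield <d.whitfield.cio@webmail-example.net>
Authentication-Results: mx.example-am.com; spf=fail smtp.mailfrom=example-am.com; dkim=none; dmarc=fail header.from=example-am.com

Urgent: approve the settlement wire today, details in reply.
"""
LOOKALIKE = """\
From: Dana Whitfield <dana.whitfield@example-am.co>
Authentication-Results: mx.example-am.com; spf=pass smtp.mailfrom=example-am.co; dkim=none; dmarc=none header.from=example-am.co

Can you send me the current factor weights?
"""
DISPLAY_ONLY = """\
From: "Dana Whitfield" <dwhitfield1982@webmail-example.net>
Authentication-Results: mx.example-am.com; spf=pass smtp.mailfrom=webmail-example.net; dkim=pass header.d=webmail-example.net; dmarc=pass header.from=webmail-example.net

Working from my personal account today, send me the model file.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("exact spoof", EXACT_SPOOF), ("look-alike", LOOKALIKE), ("display only", DISPLAY_ONLY)]:
        print(f"{label}: {assess(raw) or 'no findings'}")
```

Two design points matter in practice. Only the Authentication-Results header carrying your own gateway's identifier is trusted, because a sender can add a header claiming dmarc=pass upstream and it would otherwise be believed. And the display-name check is what catches the case the article describes: a message from a free webmail account can pass SPF, DKIM and DMARC perfectly and still carry the CIO's name, so authentication results alone are not enough.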

New roles need to be adopted to safeguard fintech innovation

The asset management sector is undergoing a period of rapid innovation and technological development, which provides a platform for business growth but also opens up new risks. Professional services firm KPMG reports that most investment management firms are yet to appoint a Chief Information Security Officer (CISO) to take ownership of cyber security.7 The CISO role is responsible for developing a cyber incident response procedure, implementing firm-wide policies and procedures regarding cyber security as well as conducting regular and detailed audits of the firm's cyber security program.

Asset management firms should also adopt a risk-based approach, and identify the types of data and information they hold that might be desirable to cyber criminals. Management consultancy McKinsey & Company recommends that organizations consult internal leaders as part of efforts to catalogue and prioritize potential threats to their critical assets.8 Asset managers are increasingly relying on third-party vendors for the provision of fintech services, and these should be a key consideration in supplier risk reviews that aim to evaluate whether adequate security controls are in place.

If left unaddressed, cyber threats have the potential to create considerable financial, brand, and reputational damage, as well as the loss of competitive advantage. Regulators worldwide are cracking down on negligence in cyber security and asset managers should initiate measures to minimize their exposure to data breaches.

Sources

  1. Osney Media and BackBay Communications (March 13, 2018) Trends in Asset Management
  2. PwC (October 30, 2017) Asset & Wealth Management Revolution: Embracing Exponential Change
  3. Securities and Exchange Commission Office of Compliance Inspections and Examinations (May 17, 2017) Cybersecurity: Ransomware Alert
  4. Monetary Authority of Singapore (September 6, 2018) Consultation Paper on Notice on Cyber Hygiene
  5. European Banking Authority (December 13, 2018) EBA Draft Guidelines on ICT and Security Risk Management
  6. Accenture (2017) Cybersecurity for Asset Managers
  7. KPMG (January 2018) Closing the gap: Cyber Security and the asset management sector
  8. McKinsey & Company (January 2017) Protecting your critical digital assets: Not all systems and data are created equal