Fund managers should not get caught out thinking they are a low-priority target: here’s how to identify risks and build resilience, to protect investor data and assets
By Roland Thomas, Corporate Development Manager, Thomas Murray
Conventional wisdom tells us that investment risk depends solely on the success or failure of a financial instrument. A higher risk appetite can reap higher rewards, but the value of an investment can be wiped out. This is true, but how many investors are aware of the huge array of other risks faced by their chosen funds? And how many investment management companies consider cyber risk to be an investment risk? In this article, we explain why cyber risk is an area of acute vulnerability for investment companies, and the steps firms can take to build security.
Banks are a harder target for threat actors
Asset management companies, like any other firm, and more than most, face unprecedented challenges to protect themselves from cyber criminals. The sector is under particular scrutiny because the banks – historically a greater focus for hackers – have invested so heavily in security that they are generally well-protected against threats and are prepared to respond when attacks inevitably occur.
Most large global and regional banks now have dedicated Security Operations Centres, responsible for detecting, quantifying and responding to cyber threats and incidents. Even in spite of all this, according to analysis by Thomas Murray, 20% of banks still suffered cyber attacks in the last 12 months, with 8% refusing to disclose. Banks are still a target, especially via vulnerable supply chains, but it logically follows that cyber-criminals will increasingly pursue targets that are asset-rich but have weaker security.
Investment companies are vulnerable
With significant Assets Under Management (AUM) but often limited operational budgets, asset management companies are acutely vulnerable. Financial firms are 300 x more likely than other institutions to experience attacks, and the average cost of a data breach in 2021 was $4.23 million. While banks have the balance sheets to absorb these costs, few but the largest asset managers do. Companies are being targeted with a higher volume of attacks, by threat actors who are becoming more sophisticated, and asset managers are making themselves vulnerable by underinvesting in IT infrastructure, as well as by exposing themselves to a huge range of service providers.
Attack surfaces are growing
As asset managers responded to Covid by innovating with new digital services, they unwittingly grew their attack surfaces. The result has been that security has often not kept pace with digitisation, and performance has taken precedence over resilience. At the same time, investment firms have taken advantage of the efficiencies and expertise offered by outsourcing their middle and back office, exposing themselves – and their clients – to a larger number of third parties than ever before. These investment institutions should be bastions of security, safeguarding investors’ and savers’ assets as a minimum requirement, but they are faced with a perfect storm of growing attack surfaces, vulnerable supply chains, rising cyber criminality and complex regulation. Acknowledging the problem is the first step, but how can they respond to the challenge?
What can asset managers do?
There are three ways by which asset management companies can reduce cyber risk in the front, middle and back office – making security a C-Suite priority.
- Learn who their third- and fourth- parties are
51% of organisations have experienced a data breach caused by a third party, according to the Ponemon Institute (2021). For investment firms, these third parties can include software providers, fund administrators, transfer agents, third-party management companies, distributors and a bewildering array of other firms – many of whom pose a risk of client data breaches and spillover cyber attacks. On top of that, a fourth party is any provider to your providers, and is an often-neglected area of risk. Companies should maintain inventories of their providers and indirect exposures, and should seek to monitor all of them.
- Include cyber risk in investment due diligence
Cyber due diligence is becoming a critical area of investment due diligence. Initial checks and ongoing monitoring of investment portfolio companies should be treated like AML and KYC checks: you would never work with sanctioned individuals or indirectly facilitate terrorist financing, so why would you expose your clients to unnecessary cyber risk?
This is a particularly pertinent point when it comes to Venture Capital and Private Equity firms with a small number of tech-enabled companies in their portfolios. Security is a potentially existential risk for such companies, particularly in their early stages, and a combination of due diligence and continuous threat intelligence can help a fund measure and mitigate these risks.
- Invest in IT Security teams & solutions
A certain kind of asset manager has long considered IT to be a back-office function, neither seen nor heard. Today, IT Security needs to be recognised as a front, middle and back office investment. Without well-funded, competent teams, an investment company’s IT infrastructure, staff awareness and third party exposure will suffer.
About the Author
Roland Thomas is the Corporate Development Manager at Thomas Murray. He is responsible for strategy and innovation. Roland is responsible for bringing to market Thomas Murray’s award-winning AI Threat Intelligence and Cyber Security Ratings Platform, which launched in 2021. He and the Cyber Risk team at Thomas Murray have engaged with 100s of banks, funds, market infrastructures, government agencies and other organisations to help them build long-term security.
Roland can be reached on LinkedIn at https://www.linkedin.com/in/roland-thomas-60a6a3125 and on Thomas Murray’s website https://thomasmurray.com