The growth of cyber crime increasingly imperils the financial services sector, risking assets and reputations. Banks are investing millions in security systems, but are funds keeping up? Kit Klarenberg investigates.
In the 1950s, prolific bank robber Willie Sutton was asked why he targeted banks. “That’s where the money is,” Sutton said.
If Sutton were alive today, he’d have little interest in banks – at least, not their physical manifestations. In 2016, client assets are overwhelmingly held in digital storage devices and the ‘cloud’ ether – not vaults. A would-be raider was recently sent scurrying from a Stockholm bank empty-handed, as there was literally no cash on site.
While digitisation may remove the risks traditionally associated with the storage and transfer of hard currency, the threat of robbery persists; tech-savvy villains have formulated new methods of plundering the financial services sector.
Given the developing nature of cyber crime – new methods of infiltration are relentlessly cultivated, and existing means grow more sophisticated almost daily – it’s difficult to identify the threats facing asset managers with absolute precision.
In general terms, threats include malicious extraction of client data, theft of trading and buying intelligence, and hijacking of portfolio management systems. Firms have even found websites emulating their own, aiming to ensnare inexperienced investors.
The potential losses related to a successful cyber attack are substantial. In October 2014, 13 financial institutions (including asset manager Fidelity) were targeted simultaneously – one victim lost more than €1 billion.
The damage transcends the purely financial, too, as the reputational implications of an attack are immeasurably severe.
“If your firm ends up in the papers due to a cyber attack, and is perceived as failing to safeguard client information as a result, your clients will understandably move their money elsewhere,” says John Skipper, cyber security expert at PA Consulting Group.
“Once that perception is established, it can be extremely difficult – if not impossible – to recover. If your own information was stolen from another company’s servers, would you keep doing business with them?”
There can also be legal consequences from losing sensitive data. In jurisdictions such as Singapore, individuals and organisations can face criminal charges. Legislation is travelling through the European Parliament that will impose mandatory penalties of 4% of annual global income on negligent firms. For the biggest asset managers, that could mean a cripplingly vast bill.
So, what are funds doing to address their vulnerabilities?
TOO LITTLE, TOO LATE
For Skipper, the answer is clear – not enough. The reasons for this inaction are manifold.
“For one, many simply don’t know enough about the threat to be doing enough. Even when the will is there, the necessary understanding often isn’t,” he says.
Ernest Hilbert, director of cyber security at consultancy PwC, believes the associated expense can be a disincentive, too.
“It’s a specialist field, and getting protected against every possible eventuality requires significant investment. Many boards and executives are unwilling to make that outlay, especially those that have never experienced a cyber attack before,” he says.
“Fund managers themselves are understandably focused on maximising their own assets and client returns, not security considerations.”
Furthermore, some asset managers – particularly smaller, independent operators – believe they’re too insignificant to warrant the attention of cyber criminals. Skipper responds that no fund is immune. After all, all funds hold sensitive client information (including names, dates of birth, addresses, passwords and account details), all of which can be sold many times over to eager cyber-criminal clientele. In some cases, this data may be far more valuable than the capital in a fund’s coffers. Altogether, Hilbert estimates a cyber breach costs even small companies more than €2.5 million.
Regulators not being overly quick on the draw may well abet the industry’s inertia. While authorities in North America and Europe have made nascent efforts to deal with the issue, there’s still some way to go. In a way, they can’t be blamed. Due to cyber crime’s ever-evolving nature, combating it is inherently reactive, rather than preventative.
“It’s difficult to know how and where cyber criminals will strike, so security systems are typically only reviewed in response to attacks that have already happened,” Skipper says.
“Firms can only hope they’re able to learn from a competitor’s weaknesses, not their own.”
OVERCOMING THE ODDS
The problem of cyber crime is certainly not insurmountable, however. Peter Salmon, senior director of operations and technology at industry association ICI Global, believes change comes from above. In short, management teams must be educated about the dangers, and be proactive in adopting and promoting best practices.
While this means investing in the most current protective software, robust internal protocols are also of paramount significance. Codifying clear, effective incident response procedures, strict policies for access credentials such as passwords (the longer and more complex a password the better, Salmon says) and regular, practical training programmes for employees are just as important as technological fortifications.
Skipper likewise believes it isn’t enough just to rely on technology, and urges managers to take the lead in ensuring organisational best practice. “Many asset management firms are driven by powerful and successful personalities, so it makes sense for these individuals to be at the forefront of an organisation’s cyber-security push,” he says.
In short – if the head of an organisation frequently stresses the need for employees to be extremely careful, they will be.
The days of regulatory heel-dragging may be over, too. PA Consulting Group is working with regulators in key jurisdictions to help them introduce minimum cyber-crime protection standards, which will enable organisations to easily assess whether their safeguards are up to the challenge. If not, firms will know how they’re exposed, and what they should do about it.
What’s more, the perceived failure of asset managers to tackle the issue may be exaggerated. Some daren’t openly advertise their efforts to thwart cyber criminals, as they fear doing so would make them a target.
“We don’t want to set hackers the challenge of testing our defences – and we don’t want to give them an idea of what we’re doing,” says one firm that declined to be named, out of concern that speaking publicly would be a red rag to a bull.
Such concerns are not without foundation. Another firm, which likewise wishes to remain anonymous, stated a competitor had seen cyber attacks more than triple in volume after making its security measures public. In the world of cyber crime, being overtly proactive can be provocative. Even those willing to go on the record are reticent to delve into specifics. BlackRock merely confirmed it takes the issue very seriously, and has invested “significantly” in safeguards.
Still, firms may be taking measures, but is it enough? PwC’s 2016 ‘Global State of Information Security’ report found a 14% year-on-year average increase in cyber-security spending by the sector, but noted “a lack of progress” in vulnerability examinations, threat-monitoring and employee awareness training. Much of the increase in spend was, in any event, spurred by firms installing rudimentary protection systems and detection software for the first time.
This simply isn’t acceptable in 2016. Whether a comprehensive cyber-security framework is adopted electively, or imposed from on high, not having one isn’t an option any longer.
Asset managers need to get one, fast – it’s not a matter of whether they’ll be targeted, but when. After all, criminals go wherever the money is.
©2016 funds europe