It’s not often that police address an asset management conference, but Sergeant Charlie Morrison of the City of London police did so this month at the Investment Association’s (IA) first cyber security conference for asset management.
Just as the industry has been slow to adopt new technologies, it has also been slow to recognise the threat that cyber criminals present. While banking customers have been bombarded with security information, the same has typically not been true for asset management customers.
Now the worm has turned. It looks like 2018 will be the year when the industry fully wakes up to the cyber-security threat.
At the conference, Sergeant Morrison introduced Cyber Griffin, a new police initiative to make the City of London more secure from cyber attacks. This involves actions that the asset management industry is perhaps not terribly used to, such as community briefings, intelligence-sharing and incident response training.
“Cyber-security issues are not going to go away, and businesses need to understand, manage and mitigate potential cyber security risks,” IA chief executive Chris Cummings told the conference. His remarks are part of a drive in the asset management industry to address this pressing issue. The IA has produced a report in conjunction with KPMG on building cyber resilience in asset management, while in New York, Deloitte has written a paper that seeks to answer the question: ‘How can asset managers assess cyber security threats?’
Firms are concerned. A survey conducted by Osney Media and BackBay Communications found that two-thirds of asset managers believe cyber crime presents a greater threat to their business this year than it did in 2017.
And they should be concerned. The potential damage that could be caused by a breach is vast – and the risks are increasing all the time, with asset management firms digitalising most parts of their businesses. As Cummings puts it, “More tech means more cyber crime.” As the attack on Equifax last year showed, asset managers can be burnt by cyber-security breaches as investors and corporate stewards. Questions were asked then about why the asset management firms invested in Equifax had not probed more deeply into its security systems, particularly as it had suffered security breaches in the past.
But the risks are much wider than that. Deloitte suggests that cyber risk should be a key component of supplier risk reviews, as asset managers expand their network of third-party providers; and KPMG has produced a risk radar that includes the prospect of insider cyber crime perpetrated by employees or contractors.
KPMG also highlights the areas where cyber-security threats exist in asset management, from distribution platforms through trading applications to marketing and social media.
To protect themselves, firms must not only invest in relevant protections, but also develop an understanding of how to manage cyber-security risks. As Deloitte puts it: “Cyber risk management should run throughout an organisation to include the active involvement of the CEO and board.”
With regulators poised to punish firms that don’t have proper processes and policies in place to deal with cyber-security risks, the need for such an enterprise-wide approach is urgent. Listening carefully to any policemen who pitch up at asset management conferences is therefore a sound investment for the future. Better to chat there than at the police station.
Fiona Rintoul is editorial director at Funds Europe
©2018 funds europe