Funds Europe – How much have specialist fund administrators been able to consolidate their systems and providers, or are they still using specialists for each asset class?

Heinen – The trend will be towards having a variety of specialised systems, with scale playing an important role. So, a company can continue to invest and then scale up. A critical point is how you can evolve those systems by connecting them. It is about creating a layer where you can connect the dots and let different data sets speak to one another. This you can make available to the client, securely, as Data as a Service, for example.

Fessey – If you have a variety of systems, you would certainly want to create a degree of coherence in the data layer that you then present to your client. But the phrase that I use is, ‘not to commit the sin of putting a saddle on a cow’; in other words, choose the appropriate tool for the purpose at hand. So, don’t try to force the client’s service model into an operating model based on your vision on PowerPoint of how things should work. Make the right choice, and if your business is not large enough to support multiple engines, you’ll have to make the compromises necessary and try to support your clients on the engines available.

Mas – It depends on the organisation and how you built things from the beginning. I don’t think that one platform can literally do everything, so it’s about using a variety and adapting them to your clients’ needs. Our main focus has been to automate our processes by connecting dedicated internal tools with our core fund administration systems. This covers a broad range of tasks like complex waterfall calculations, flexible and real-time reporting of granular data at the level of the portfolio to assets/fund managers and investors, payments and currency overlay.

Smith – It’s good that we’ve got specialised systems for the different asset classes and for the different client groups, and it’ll be interesting to see whether the asset owners start to pressurise the fund administrators to provide performance-measurement tools. For us, the entity management system is key to bring the information relating to each client group together and tee up automation.

Funds Europe – Cyber crime is becoming increasingly sophisticated, as was shown at the end of last year when high-level US government departments were breached by hackers. What kinds of conversations do fund administrators need to be having to make sure all safeguards are in check? Where might the main vulnerabilities lie?

Fessey – Twenty years ago, I was the global head of IT security for Schroders, so my background is in this field, and I also have a technology degree. The Sunburst attack was very interesting. I don’t think state resources were directly employed, but it was probably state-funded and state-backed through a sophisticated cyber-attack ‘house’.

Apart from intelligence-gathering, you really have to get back to the basics of understanding what your layered defensive arrangements should be. These will depend on three pillars, one of which is technological, another is procedural and the final one relates to personnel. It’s the last which is perhaps the greatest vulnerability, because humans make mistakes. So, if you want to implement a truly effective defensive strategy, you need to make sure that you’ve got good people, and that you empower and support them. You can have all the technology in the world in terms of firewalls, end-point protection, virus detection, intrusion detection and scanning equipment, but if the people that are installing it, operating it and maintaining it don’t do a good job, then it will fail.

Mas – Nowadays technology is quite evolved. You have firewalls and lots of quite sophisticated things, but at the same time, you also have sophisticated attacks.

When you look into cyber attacks, you often discover that they found an entry point through people by creating trust. Then people download or click on something. Staff training is therefore key – but more than just training that you do once a year. There needs to be a culture of awareness that these things do happen ‘for real’ and that you really should take care.

The simple things that you’ve always been told by your IT teams, such as to always work in a secure environment, do not forward emails or use a private email address and so on – that’s all very important. So is having a good vendor-approval system. By undertaking due diligence at the beginning and being very careful at that point − that’s also how you can protect your organisation.

Smith – We saw an example of that in Luxembourg, where another PSF [professional of the finance sector] had a disgruntled employee. I can’t bring the same level of technology awareness of cyber security that someone like Noel or Lee can, but what I do have is the natural caution that a banker has about everybody. In retail banking, for instance, where you’ve got the simple matter of the cash in the till, you have to watch the people.

We launched an internal campaign last year − ‘Play your part, be cybersmart’. You just have to keep repeating the message, and you have to be vigilant around your people − the people who’ve got control of the keys to the ‘safe’ and control of the ‘keys’ as such.

Heinen – We have grown significantly in recent years, organically and inorganically, but the bigger you become, the more exposed you become because you are a more interesting target.

You need to be realistic. You can of course put in place the best IT team and we are also working with partners who simulate attacks and such like, but there are things that we cannot necessarily influence, such as the attack on SolarWinds in 2020.

The thing that we can influence is creating awareness via training and backing this up with relevant tools and processes. They key is changing behaviours. Training will communicate the right messages, but when staff go back to their day-to-day routine, if you do not provide them with specific processes and tools to support a secure way of working, you may not achieve the best outcome. So, it is about training together with the right processes and tools.

Brimeyer – The way I look at cyber crime is that the reason people are doing this is because it’s very easy to get access to money. Either they want to steal information to monetise it, or they just want to steal money. In our private markets industry, money flows in very big amounts and it’s easy to divert it if you use the weakness of people.

Pesch – If the vulnerable point is people, you respond to that problem by educating and training them. You also watch out for behaviours and have the right systems on board, but certainly take external elements into account too.