The UK’s asset management industry has been reprimanded by the FCA over its cyber-security standards. Nicholas Pratt looks for its weaknesses.
Over the past two years, the UK’s Financial Conduct Authority (FCA) conducted a review of the cyber-security practices of 20 asset management and investment banking firms. The watchdog’s conclusions were damning.
The industry is failing to take cyber security seriously and is risking serious harm to its clients and the wider market, it warns. Furthermore, the report found that there is an overreliance on third-party suppliers and lack of understanding of cyber risk at board level.
The failings in the boardroom are a particular concern for the FCA. Despite a growing level of public and regulatory focus on cyber security across financial services and notwithstanding an increased sensitivity to the topic, most boards “continue to have limited familiarity with the specific cyber risks their organisations face”.
The board and management committee members were asked to describe their firm’s cyber-related risk profile and almost all of them told the FCA how challenging it was to fully understand and explain the specific risks that their firms face. Part of this difficulty may be down to how companies govern their cyber security, the report suggests.
“Firms that rely exclusively on their IT function to own cyber security may find this limits the extent to which their IT strategy is independently challenged,” it states. “Having an independent owner for cyber, or an ownership model that is not solely made up of IT staff, can enable challenge and deliver incident management and recovery plans which reflect the impact of cyber more widely than just that on systems and technology.”
This should not be new advice for asset managers’ senior management. The UK government produced a guide to cyber security back in 2012 that was specifically aimed at top-level executives in the UK’s largest companies. The government also invited top chairmen and chief executives to a number of events in which it outlined the gravity of cyber risk and how to safeguard valuable assets such as personal data, online services and intellectual property.
The FCA’s report has led a number of cyber-security specialists to weigh in on the issue. “The FCA report that asset managers lack fundamental understanding of cyber-security risk, while welcome, is simply not strong or good enough,” says Ryan Dodd, chief executive of Cyberhedge, a provider of cyber risk assessments and audits for hedge funds.
“Asset managers are the custodians of critical information; they make key investments in the interests of UK citizens and are paid to understand and assess risks, yet they appear unable to do so – even for their own businesses,” says Dodd.
Investors should be outraged, he adds, that those entrusted with managing corporations do not understand and are failing to properly audit what is a fundamental risk to the viability of organisations across all industries.
The FCA report mentions that many firms have failed to consider the risk that “they might be used as conduits to damage other firms or connected infrastructure” or that cyber attacks “may be motivated by attempts to commit market abuse”.
“IT infrastructure and data are now essential business assets,” says Dodd. “Asset managers would never get away with sidelining risk related to financial fraud, so why are they allowed to do so for cyber-related risk?”
The FCA has done well to point out this issue but it needs to go further, he says. “This is a governance issue and should be managed appropriately, with board-level accountability. The FCA, as the regulator, must demand that asset managers are as rigorous in their understanding and assessment of cyber risk as they are to other regulated areas. A requirement to risk-report on the companies they manage, that includes cyber, is essential in ensuring that proper governance and management is maintained, and that the British public are protected from poor cyber-management fallout.”
The FCA’s report also found failings beyond the senior management, not least within the risk and compliance functions where there was also “limited technical cyber expertise”. Consequently, a number of asset managers had become too reliant on third-party cyber-security providers to cover these technical deficiencies.
“External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber risks in a timely way,” stated the FCA.
In March 2018, the UK asset management industry’s representative body, the Investment Association (IA), highlighted the need for more education around cyber security when it launched IA Learning, an online portal providing a suite of courses on cyber-security awareness. The portal was certified by GCHQ, the British government’s security and intelligence agency.
The industry is also seemingly prepared to spend more money on cyber security. A survey conducted around the same time by Osney Media and BackBay Communications found that 50% of respondents were expecting to increase their expenditure in 2018 to improve their cyber security.
It also found that one in four firms are using artificial intelligence, machine learning or big data as part of their investment decision-making and that 41% are already using or plan to use blockchain for at least one process.
However, each new technology brings new vulnerabilities as well as opportunities. If asset managers fail to heed the advice of the FCA and other regulatory and supervisory bodies, they risk jeopardising the benefits that new technology can provide.
©2018 funds europe