When asked what was the asset management industry’s greatest unappreciated threat, a senior US hedge fund executive recently told one of our partners that it was cyber criminals hacking into computer systems. Asset managers and their service providers didn’t have sufficient security in place, he said, and this could result in significant financial losses and seriously damage the organisation’s reputation.
This conversation took place in early 2012 and we still have not seen any evidence since that the situation has improved. In our view, many asset management firms aren’t sufficiently prepared to guard against cyber criminals – even though they’re now becoming more active.
Often, asset management’s risk-taking culture clashes with the information security function’s security-first and risk-averse approach. Asset managers dislike being told what they cannot do. What’s more, they naturally assume that cyber criminals are focusing on higher profile targets such as retail banks. But cyber criminals are actively seeking out unprepared soft targets, and asset managers’ lack of cyber sophistication makes them ideal targets.
In the Changing the Game, Key Findings From the Global State of Information Security® 2013 Survey, published by PwC, CIO magazine and CSO magazine in September 2012, we found worrying complacency about the threat from cyber security across businesses generally. While tight budgets have forestalled updates to security programmes, many businesses were confident they were winning the game.
Nearly half (42%) of the 9,300 executives from 128 countries across almost every sector responding to the survey viewed their organisation as a ‘front runner’ in terms of information security strategy and execution. We regard this as showing excessive confidence at a time when cyber criminals are becoming more sophisticated, and the number of security incidents is rising.
The growing threat reflects the explosion of online services in all sectors. Some 10% of consumer spending in the UK is conducted via the internet, and 115 million Europeans will be using mobile banking services by 2015. As usage of online services increases, so do the scale, scope and sophistication of cyber attacks, directed against targets ranging from countries’ national infrastructure and the global financial system, to less obvious targets that could well include asset managers and their service providers.
The financial criminals making these attacks are increasingly well-organised and funded. They use technology as a tool to steal money and other assets – and might sometimes use the stolen information as a tool to extort a ransom from the target organisation.
We believe that asset managers and their service providers should urgently review the information security threat, taking six steps to reshape themselves for the cyber world. These steps are:
The internet’s threats represent a massive challenge to asset managers and their service providers that is currently being under-estimated. Given the complex interactions within the asset management value chain, it’s a challenge that none in the sector can tackle independently.
To adapt to the cyber era, asset managers and their administrators, brokers and custodians will have to adopt new structures, roles and governance, while also engaging in close collaboration around the cyber agenda.