Safeguarding asset managers against mounting cyber security threats

When asked what was the asset management industry’s greatest unappreciated threat, a senior US hedge fund executive recently told one of our partners that it was cyber criminals hacking into computer systems. Asset managers and their service providers didn’t have sufficient security in place, he said, and this could result in significant financial losses and seriously damage the organisation’s reputation.

This conversation took place in early 2012, and we have seen no evidence since then that the situation has improved. In our view, many asset management firms aren’t sufficiently prepared to guard against cyber criminals – even though these criminals are now becoming more active.

Often, asset management’s risk-taking culture clashes with the information security function’s security-first and risk-averse approach. Asset managers dislike being told what they cannot do. What’s more, they naturally assume that cyber criminals are focusing on higher profile targets such as retail banks. But cyber criminals are actively seeking out unprepared soft targets, and asset managers’ lack of cyber sophistication makes them ideal targets.

Countering complacency

In the Changing the Game, Key Findings From the Global State of Information Security® 2013 Survey, published by PwC, CIO magazine and CSO magazine in September 2012, we found worrying complacency about cyber security threats across businesses generally. While tight budgets have forestalled updates to security programmes, many businesses were confident they were winning the game.

Nearly half (42%) of the 9,300 executives from 128 countries across almost every sector responding to the survey viewed their organisation as a ‘front runner’ in terms of information security strategy and execution. We regard this as showing excessive confidence at a time when cyber criminals are becoming more sophisticated, and the number of security incidents is rising.

The growing threat reflects the explosion of online services in all sectors. Some 10% of consumer spending in the UK is conducted via the internet, and 115 million Europeans will be using mobile banking services by 2015. As usage of online services increases, so do the scale, scope and sophistication of cyber attacks, directed against targets ranging from countries’ national infrastructure and the global financial system, to less obvious targets that could well include asset managers and their service providers.

The financial criminals making these attacks are increasingly well-organised and funded. They use technology as a tool to steal money and other assets – and might sometimes use the stolen information as a tool to extort a ransom from the target organisation.

Six steps to become cyber-ready

We believe that asset managers and their service providers should urgently review the information security threat, taking six steps to reshape themselves for the cyber world. These steps are:

  1. Clarify roles and responsibilities from the top down
    The CEO needs to get to grips with the threat from the internet. Leadership by a cyber-savvy CEO will help asset managers to seize the internet’s opportunities and to realise them securely.

  2. Reassess the security function’s fitness and readiness for the cyber world
    Organisations already have information security functions that may be doing a good job in protecting against traditional threats. As new threats emerge, they need to focus on upgrading or transforming the existing capabilities to deal with them.

  3. Achieve 360-degree situational awareness
    To align their security functions and priorities as closely as possible with the realities of the cyber world, asset managers also need a clear understanding of the current and emerging cyber environment. Situational awareness – a term drawn from military strategy – means knowing the landscape surrounding your own position, including actual and potential threats.

  4. Create a cyber-incident response team
    Traditional organisation structures may have the effect of hampering the quick and decisive responses needed in the cyber environment. Asset managers need effective cyber-incident response teams that can track, risk-assess and escalate incidents.

  5. Nurture and share skills
    Asset managers need to invest in cyber skills – especially as these are in short supply. Younger employees often have valuable technical skills and insights in areas such as social media and mobile environments.

  6. Take a more active and transparent stance towards threats
    The high-profile and defensive nature of cyber attacks tends to engender a defensive mindset. But a number of cyber-savvy organisations are now getting onto the front foot by adopting a more active stance towards attackers, pursuing them more actively through legal means, and communicating more publicly about their cyber threats, incidents and responses.

Rising to the challenge

The internet’s threats represent a massive challenge to asset managers and their service providers, and one that is currently being underestimated. Given the complex interactions within the asset management value chain, it’s a challenge that none in the sector can tackle independently.

To adapt to the cyber era, asset managers and their administrators, brokers and custodians will have to adopt new structures, roles and governance, while also engaging in close collaboration around the cyber agenda.