Taking the lead from the mainstream and commercial buzz around Cyber Security and Cyber Risk, the asset management industry has embraced discussions on the concept of “Cyber” and what it means to us. For a good couple of years now, Cyber Risk has been a common place topic at asset management conferences and roundtables, and is almost as frequently alluded to or touched upon in trade press as prominent industry topics such as AIFMD and UCITS.
That said….are we any closer to truly understanding the threat? What do the terms Cyber Security and Cyber Risk mean to us? Do we know the full extent and impact a cyber breach could have on our businesses and what we can do to protect against it? Here’s a basic summary of the threats and what you can do to protect your business:
Who is behind the threat?
- Criminal organisations – money motivated
- Hacktivists – cause motivated
- Espionage – intelligence and politically motivated
Why is cyber security important to fund managers and their service providers?
Cyber threats pose a particular challenge to asset managers and their service providers due to the complex interactions that are undertaken across the investment management value chain. Cyber security and possible risks are now items that must be held as a priority by top level management and board members, not just the IT department or outsourced IT provider.
With ever evolving technologies and a broader interaction with these technologies across all levels of employee, the number of new ways to breach a firm’s security is inevitably increasing. In the asset management industry this is particularly important as fund managers or service providers can now be penalised or fined for negligence in some jurisdictions. The most obvious threat to the finance industry is the potential for huge financial impact and subsequent reputational damage if a breach is dealt with poorly. For this reason it’s essential that fund managers, as part of their due diligence, fully check a service provider’s cyber controls and procedures. The necessity of using multiple outsourced partners in the fund management business means that there are numerous routes for managers to be affected by a breach of one of their services providers. Measures must be taken to ensure that fund data is safe and assets are safe.
Top 3 Cyber threats and how to protect your firm:
Threat: Spear Phishing emails
Spear Phishing emails are generally the most successful tactic for exposing weaknesses and actually account for 91% of cyber attacks across all businesses. Most asset managers have basic email spam filters which can protect users to a certain degree, however there is no way to block 100% of spear phishing emails from getting into the users inbox.
Protection: Training staff
The first line of defence is certainly to utilise spam filters to block phishing emails, yet as it is impossible to block all of these it is essential that as a second line of defence, all staff are trained on how to identify and deal with this kind of email to protect the company.
Threat: Malware Attack
Malware attacks are infiltrations onto a PC, Laptop or mobile device by software specifically designed to access or damage the device without the knowledge of the user. There are various types of malware including viruses, worms, keyloggers, spyware or malicious code. This is perhaps the type of attack most of us first think of when we imagine cyber threats and is still a popular way to gain access and control to user PC’s.
Worryingly, all PC’s are being attacked by Malware on a daily basis however the anti virus software that is now common place in all businesses usually combats these attempts and users are none the wiser. If a virus does manage to avoid the anti-virus software and breaks the PC this can be costly and extremely inconvenient but more importantly, malware that can capture login credentials of the user is high risk to any company.
Protection: Regular Updates on anti-Virus
‘The best defence is a good offense’. Keeping all PC’s and IT products up to date with the latest anti-virus software from a top-end provider is critical to protecting the company. Continual review of the competencies of the software or an agreement with an outsourced IT provider to ensure this is the case is an important procedure for keeping data and equipment protected against attacks.
Threat: DDoS (Distributed-denial-of-service) attack
A DDoS attack (also known as a DoS attack) is an attempt deny access for legitimate users of an online service or network (i.e. blocking internet access). This is a popular way for cyber criminals to target a specific company by sending an overwhelming amount of traffic to a site to overwhelm the system and cause disruption. These attacks vary in both sophistication and size but can be a problem for any size asset manager or service provider.
Protection: Invest in a competent partner
It is important to allocate sufficient funds into working with a competent and robust IT provider with a strong network and boundaries. Real time traffic monitoring also helps identify early threats and alleviates some risk which is something that can be requested or undertaken in house. As our reliance on the internet continues to increase in the industry and wider world, the damage can be catastrophic therefore the investment in quality service provision is well worth it.
Leading by example
At Apex Group we aim to lead by example and share our own cyber security procedures with clients. Here are some of the processes we have in place internally to ensure we protect both ourselves and our clients to the highest level possible:
- We have put cyber security documentation and procedures in place to provide our fund managers with knowledge, transparency and comfort that we are protecting ourselves from every level of cyber threat.
- Cyber security is an important topic within the company and always discussed at board level.
- We now offer email encryption as a secure method of email communication to all our clients and fund managers.
- We have recently doubled up on data protection software; the group now uses two high end security vendors. The data protection software utilised provides real time intrusion detection systems, traffic monitoring, firewall protection, anti spam, anti-virus, detailed reporting and much more.
- We simulate a cyber attack twice a year to test our defences and processes. A third party security vendor attempts to hack our network (this is called penetration testing) to expose any weakness or gaps in the Apex environment. If any vulnerabilities are found as a result these are quickly secured.
- The IT team closely monitors and controls Apex staff. All employees are automatically forced to adhere to IT controls and procedures as it is important that internal staff do not unintentionally introduce an avoidable threat into the network.
- The Apex IT department attend cyber conferences and discussion groups to ensure that they maintain awareness of current and emerging threats at all times.
What does the future look like for cyber threats and firms in the asset management industry?
Unfortunately the future will only bring bigger and more sophisticated threats. Cyber crime is growing rapidly each year as it’s a lucrative business with limited laws which are difficult to apply due to lack of jurisdiction. What we need to do as asset managers, fund administrators, prime brokers etc. is be prepared and educated for it.
Next steps
It’s not simply about stopping the threat but it is equally as important, if not more so, to have a pragmatic response plan easily executed should there be a breach. Asset managers are used to risk, its part of the every day management of fund portfolio, therefore managers are well versed in mitigating potential exposures and can adapt procedures better than most to safeguard their firm.
It is important that we all take a holistic view of our structures and operations to truly understand cyber exposures. The most common assumption is that the threat and vulnerability lie within technology, however it is essential to take human error and physical processes into consideration when implementing a robust cyber security policy.
