Cyber Security in Asset Management
In an increasingly mobile, cloud-based digital world, the old model of thick walls around a centralised information keep is out of date, writes Brian Bollen. Asset managers are just waking up to the fact
Security has traditionally been sold on a powerful combination of fear, uncertainty and doubt. With cyber security, that is no longer the case: the simple truth is so scary that there is no need to go over the top, and the emphasis today is on education, rather than exaggeration.
That, at least, is how Alastair Paterson sees it. Paterson is CEO of specialist monitoring and consultancy services provider Digital Shadows, which has developed monitoring systems covering 80m sources on social media in 26 languages. An extended conversation with him generates enough fear, uncertainty and doubt to leave one pining for the relative safety of the Middle Ages.
Indeed, the traditional approach to cyber security has been to build the equivalent of a medieval keep to house data, complete with ever deeper and thicker digital moats and walls. The arrival of social media, cloud computing, mobile workforces and the ‘bring your own device’ culture, and the lengthening of supply chains, makes that approach look as medieval as it sounds. While much of the leakage from companies into the free internet is of little consequence, confidential data and documents such as building blueprints, details of a bank’s ATM network installation and unpublished board minutes have been known to break free from apparently secure surroundings.
Much of this is happening not because of hackers or mischief makers, but because of a combination of negligence on the part of hard drive manufacturers, their desire to make their products as easy to use as possible, and simple old-fashioned user error.
“We are seeing new types of devices leaking data, and what we are seeing is slightly scary,” says Paterson.
“We have been seeing real growth in this area over the past three to four years and that growth will continue,” says Matthew Martindale, director of cyber security at KPMG, whose 270-strong team of consultants expects to be advising more than 500 asset and wealth-management clients within a couple of years as the industry embraces new technologies. “Banks have been favourite targets in the past but asset managers are now taking the threat of major attacks more seriously,” he says.
Cyber security is ranked as the top priority for 2015 by asset managers, according to a February 2015 report from Cerulli Associates Europe.
“Nearly 60% of the global asset servicing companies that responded to our survey said that cyber security was seen by asset managers as the leading issue this year,” says Barbara Wall, Europe research director at Cerulli. “However, Cerulli’s analysis also identifies weaknesses, which we believe will require a change of mindset by some organisations. For example, there is an alarming degree of complacency among some asset managers as to the dangers employees can pose.”
Thirty-six percent of the respondents in Cerulli’s survey said that asset managers are spending around $15m a year on preventing cyber incidents, with some budgeting more than twice that sum. The firms polled expect that spending on cyber security by asset managers will rise steadily over the next few years.
Probing questions to get clients thinking…
- Do you have the right level of protection for your crown jewel assets?
- What would the impact be on your business if you suffered a cyber security breach?
- How do you know you haven’t already suffered one?
- How are you managing your suppliers to ensure they are not a weak point in your security?
- How do your cyber security capabilities compare with your peers?
… and real-world examples from third-party security questionnaires
- Who has accountability for information/IT/cyber security at a senior level in the organisation and who has responsibility for managing information/IT/cyber security?
- Can you describe the threat and risk management process you have in place to identify, mitigate and monitor information/IT/cyber security risks?
- Can you describe the information/IT/cyber security governance framework, policies and standards you have in place?
- Have you experienced any information/IT/security incidents in relation to the provision of service in the past 12 months? If so, please provide details.
- Can you describe the ongoing information/IT/cyber security testing and assurance activities you perform?
Organisations today can offer a range of new channels through which to access products and services, but as their digital footprints grow, their private databases simultaneously become easier for hackers – from criminals through hacktivists to nation states – to reach. One threat that Martindale identifies is the possibility that criminals might gain access to inside information and front-run legitimate trades being initiated by an asset manager.
Keeping up with wrongdoers is increasingly difficult because, as Tim Thornton, chief data officer at fund administrator Mitsubishi UFJ Fund Services, points out, the IT refresh cycle in his industry has shrunk to barely 18 months, from around three years.
“Client RFPs contain a growing number of questions related to cyber security, asking what procedures are in place and whether they are regularly audited,” he says. “We make the same demands of our external third-party service partners who handle client data. We need to know that their environment is as secure as ours. In turn, they want to know about our own security procedures. We’d rather spend money adding value and functionality but security needs to be in place and constantly enhanced.”
However, that refresh cycle is not as thorough as it might be, according to Prof Julian Williams, chair in accounting and finance at Durham Business School. “It tends to keep the corporate front end state of the art, while leaving the background infrastructure untouched,” he notes.
Martindale emphasises that good security is as much about hiring the right people with the right skills and knowledge of the right processes as it is about buying technology. Companies also need individual employees to act as their own first line of defence, he adds. Staff working together to common standards and within common frameworks might, at the very least, persuade opportunistic wrongdoers to go elsewhere.
“The bad guys have a significant advantage, in that they need to find only one way in, and companies need to work on the assumption that they will get in,” he says.
“Criminals only need to succeed one time in a hundred,” says Wilbert Hofstede, head of cyber security at Euroclear, the Brussels-based international central securities depository, picking up on this theme. “In such a dynamic cyber environment, we need to be secure 100 times out of a hundred. That means we need to do more than just focus on prevention to do our job properly; we need to be extremely vigilant for all signs that might indicate potential concerns.”