
Today New City Initiative is comprised of 43 leading independent asset management firms from the UK and the Continent, managing approximately £500 billion and employing several thousand people.


Cyber-threats: a huge risk for asset managers

Published by Charles Gubert

Cyber-crime is an issue that is rapidly gaining traction in financial services, among managers, investors and regulators alike. A survey of clients conducted by the Depository Trust & Clearing Corporation (DTCC) on their attitudes to systemic risk in May 2015 found that 46 per cent of respondents cited cyber-crime as the single biggest risk to the world economy, while 80 per cent placed it among their top five risks. The 46 per cent figure is more than double the proportion who named cyber-crime as the biggest systemic risk in DTCC's 2014 survey.

This should not be surprising. In 2013, the then Committee on Payment and Settlement Systems (CPSS), the International Organisation of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) reported that 53 per cent of the 46 exchanges they surveyed had been victims of cyber-crime in the preceding 12 months. Banks are not immune either. J.P. Morgan, for example, was revealed to have suffered a massive breach in which the account details of approximately 75 million households were compromised.

The costs of cyber-breaches can be staggering. In 2014, the Director General of MI5 said one London business had incurred £800 million in losses from a single cyber-attack. Banks and market infrastructures such as exchanges, central securities depositories (CSDs) and central counterparty clearing houses (CCPs) invest millions in cyber-protection and insurance. The same cannot be said of asset managers, many of whom believe they are too small, or too far below the radar, to warrant the attention of cyber-criminals. Such complacency is dangerous. There is a strong argument that small and mid-sized firms are actually more exposed to cyber-breaches, precisely because criminals know these organisations often lack the infrastructure and personnel needed to detect and respond to an attack.

Falling victim to a cyber-breach can also cause substantial reputational damage. A KPMG study of institutional investors managing more than $3 trillion in assets found that 79 per cent would be discouraged from allocating capital to a business that had been the victim of a cyber-crime.

Regulators are training their sights on cyber-risk too. The US has been the most active: the Securities and Exchange Commission's (SEC) Division of Investment Management published guidance in April 2015, following examinations of asset managers by the SEC's Office of Compliance Inspections and Examinations. The SEC advised firms to assess threats and vulnerabilities routinely, to put in place a strategy for mitigating and responding to cyber-threats, to document their policies and procedures, and to ensure staff are properly trained.

The overwhelming majority of cyber-threats can be mitigated through basic controls and procedures. The SEC highlighted that firms should have access controls on sensitive files, data encryption, firewalls, restrictions on the use of USB and other removable media, and technology systems designed to prevent breaches. Cyber-policies should be rigorously tested, and all data must be backed up, ideally in a wholly separate data centre; a backup that sits on the same network as the systems it protects can be destroyed in the same attack. Fund managers that have outsourced large parts of their technology operations are also advised to review the anti-cyber-crime measures and procedures in place at their external vendors, since an attacker who compromises a vendor inherits that vendor's access. Adhering to these practices will prevent most cyber-attacks.

Even so, controls will not stop every attack, and any breach or attempted intrusion must be reported to the national authorities immediately. John Carlin, assistant attorney general for national security at the US Department of Justice, told hedge fund managers at the annual SALT Conference in Las Vegas in May 2015 that they should notify the authorities of any attempted or successful cyber-breach at their organisations.

Regulators in the UK and Ireland are also scrutinising cyber-crime. In 2014, the Bank of England announced at a British Bankers' Association summit a new initiative, CBEST, which stress-tests financial institutions' security systems using real threat intelligence on the attackers actually targeting them. The Central Bank of Ireland (CBI) was reported in May 2015 to be examining cyber-security policies and procedures at asset managers, amid concerns that these had been found wanting.

But what are the threats facing managers? The most common attack is the Distributed Denial of Service (DDoS), which British Telecom (BT) estimates has affected 41 per cent of businesses globally. Increasingly, firms are also finding sensitive, material non-public information being leaked. For a fund manager, one of the biggest risks would be to have its trading strategies disseminated into the public domain. A sophisticated attacker who gained control of a firm's portfolio management systems could go further and start entering erroneous trades. One cyber-expert said that fake websites impersonating managers had proliferated, prompting unsophisticated investors to allocate capital to entities that were not the manager at all. It is suspected that some of these funds have ended up in the pockets of terrorists.

As such, fund managers do need to invest more time and effort in mitigating the risk of falling victim to cyber-criminals, by ensuring their management teams are educated about the dangers and by adopting best practices. Managers are also strongly advised to purchase insurance against cyber-crime (a growing market), and to check that the cover is sufficient for liability arising from data breaches, damage to technology, financial losses and regulatory sanctions. The policy should also provide cover in every jurisdiction in which the firm operates. Different US states, for example, apply different rules, and some policies may not cover losses incurred in certain states.

Regulators and enforcement agencies must also adopt a harmonised approach to helping industries safeguard against cyber-crime. An article published by Slaughter and May in April 2014 noted that different jurisdictions apply different rules to the security techniques corporates may use to protect themselves against breaches. The article highlighted that some jurisdictions, for example, prohibit data encryption unless the encryption keys are supplied to the national competent authorities. Such conflicting rules hinder the ability of firms with a global footprint to deal with cyber-threats, and a more consistent approach from national authorities is needed.

Aside from following best practices and educating their staff, asset managers should work more closely with their peers on mitigating the risks of cyber-crime. The WFE created a cyber-security committee in 2013 with the sole objective of enabling industry participants to share information on cyber-breaches. In 2014, the DTCC urged regulators and financial institutions to cooperate more closely in mitigating cyber-risk and in developing sensible regulation. Fund managers should certainly be part of this collaborative effort, as they are not immune from cyber-crime.