KPMG: Asset Managers Must Close Cyber Security Gaps

13 / 03 / 2018

The asset management industry has remained relatively insulated from the headline-grabbing cyber security incidents befalling well-known organisations worldwide.

Financial services firms offer lucrative opportunities for hackers, but asset managers have few public-facing IT infrastructures, providing them with a level of protection that banks, insurers and other businesses don't possess.

Nevertheless, a recent report from KPMG has warned asset managers that their time in the sun could soon be over. As other financial institutions invest ever-growing sums of money into protecting their systems, cyber criminals may shift their attention to the weaker defences of asset managers.

Are asset managers prepared?

The simple answer appears to be 'no'. KPMG's CEO Outlook survey revealed that only 39 per cent of asset managers believed they were fully prepared for an adverse cyber event.

Crucially, this figure was seven percentage points lower than the cross-industry average. According to KPMG, asset managers show a "worryingly low level of confidence" for a sector that routinely handles massive financial transactions.

Asset managers are right to be worried. Last year's WannaCry and Petya viruses highlighted the vulnerability of many organisations worldwide, especially given that the ransomware used in these attacks was fairly rudimentary.

As hackers begin honing their skills, they will begin to repurpose attacks used against banks and insurers to target asset management firms.

How common are cyber attacks in financial services?

Firms within the industry typically face 85 data breaches per year, according to a 2016 Accenture study. Of these, around one-third are successful, which means financial services companies are compromised two or three times a month.

One statistic that may concern asset managers is that 48 per cent of security experts believe the biggest threat to financial services firms comes from insiders.

This means that while asset management companies don't have comprehensive front-facing technologies, they could find themselves vulnerable to both malicious and unintentional breaches from employees.

"In light of the frequency and complexity of cyber risks, asset managers should operate on the assumption that breaches will occur," Accenture stated.

"It's unlikely that firms can prevent cyber menaces from infiltrating barriers all of the time. Attacks will crop up."

What threats do asset managers face?

KPMG notes that asset managers don't interface with the public as much as other financial services firms, but they do possess information that is valuable to hackers.

This includes:

1. Client financial data;
2. Intellectual property, such as algorithms and investment strategies; and
3. Information that could be used to front-run trades for profit.

Any business that utilises the internet, including asset managers, can also have its systems brought down by distributed denial of service (DDoS) events.

These attacks can be very cheap and simple to launch but incredibly expensive to combat. A BT and KPMG report revealed that cyber criminals can carry out DDoS attacks costing just $5 (£3.50) per hour, while businesses could spend a staggering $40,000 an hour to defend themselves.

How can asset managers shore up their defences?

According to KPMG, there are five key areas of cyber security that asset managers should address to tackle increasingly sophisticated attacks.

Ownership: Many asset managers don't have a chief information security officer (CISO) or similarly senior professional in charge of cyber issues. Appointing someone to this position will ensure there is an individual with clear responsibility for cyber security, who should then report directly to a chief operations officer or CEO.

Capabilities: Asset managers will likely need to improve their cyber security capabilities, whether through new recruits, IT systems or other investments. However, they shouldn't forget to assess their current capabilities to identify pockets of excellence and ensure they are adequately utilised.

Awareness: Top-down awareness of cyber security problems is crucial. Asset managers should particularly focus on their third-party supplier risk, which includes fund administrators, custodians and platform providers.

Organisation: Senior management must collaborate effectively to understand which cyber security measures to centralise and which ones to decentralise. Each area of the asset management market has different needs, so it's important to formulate a tailored strategy to overcome specific challenges.

Preparedness: An effective response and recovery programme is essential to tackling breaches and highlighting cyber security weaknesses. KPMG noted that simulations are proving a useful tool for asset managers to better prepare staff for worst-case scenarios.

Strengthening asset management teams

The KPMG and Accenture reports show that asset managers are approaching a crossroads with their cyber security approach.

Many firms haven't needed extensive investment in this area up until now, but they are likely to face an increasing number of attacks that could cause significant financial and reputational damage.

As such, asset managers may need to recruit experienced cyber security experts to prepare their business for the challenges ahead. However, finding the right candidates is difficult, particularly as the UK is facing a skills shortage.

Please contact Barclay Simpson to discuss your cyber security needs with a specialist consultant.