Are Your Asset Managers Equipped to Face Today’s Cyber Threats?
Investment management firms rightly prioritised maintaining their services during the initial phase of the pandemic, but investors must now scrutinise whether the infrastructure that enabled business continuity is sufficiently robust going forwards. ODD assessments throughout 2021 and beyond reveal managers—including well-established firms—whose cyber risk frameworks lack some of the most basic tenets of good practice, such as multi-factor authentication, penetration testing (simulated attacks) and restrictions on removable media. Even if an asset manager’s own cyber defences are robust, vulnerabilities can be introduced through the myriad of suppliers that support middle and back-office processes, execution capabilities and IT infrastructure.
A series of notable breaches have produced eye-catching headlines over the past 18 months, such as the ‘Fake Zoom’ hack of Australian hedge fund Levitas Capital and the ransomware attack against a vendor of SEI Investments Co., which impacted PIMCO, Fortress and other clients. According to the Accenture State of Cybersecurity Resilience 2021 report, the number of cyber-attacks increased by more than 30% in 2021, illustrating the fertile hunting ground that COVID-19 has created. Meanwhile, cyber threat actors are more prolific and sophisticated than ever: many of the traditional tools used by cyber criminals have now become commoditised and are openly offered for sale on the internet, and new methods of attack are continually emerging. Investment managers are particularly attractive targets for a range of cyber threats, given that they routinely transfer large sums of money during daily business activities.
What are the key issues that investors should scrutinise—especially in light of today’s evolving business practices? This article highlights six crucial themes to consider during manager due diligence and monitoring for 2022 and beyond.
1: Elevated ‘remote access’ risks
Many asset managers have staff accessing networks remotely using Virtual Private Network (VPN) architectures. This is a relatively low-cost and effective solution, particularly when strengthened with multi-factor authentication (MFA) protocols. However, VPNs can expose managers to cyber vulnerabilities, particularly when an organisation does not or cannot ‘harden’ the endpoints being used to make the connection, for example by ensuring that all security patches and anti-virus updates have been applied to an employee-owned computer. Even if MFA is used, VPNs can still cause data security breaches in the absence of appropriate protocols; employees, for instance, may copy information locally to their devices.
A potentially safer approach—albeit one with more complexity and likely greater cost—is to implement a Virtual Desktop Infrastructure (VDI) architecture. With VDIs, employees connect directly to the manager’s corporate IT infrastructure via a virtual machine run from the firm’s data centres. This means that managers can enforce specific security requirements and prevent information from leaving the corporate network perimeter.
2: Broader universe of networked devices
In recent years, we have seen rapid growth in the number and variety of devices—aside from company computers—that connect with corporate networks. As well as printers (which have received significant attention recently after HP issued patches for vulnerabilities, discovered by F-Secure, in more than 150 printer models) and mobile phones, staff are now increasingly making use of cameras, collaboration tools and videoconferencing-related hardware. Zscaler recently reported a 700% year-on-year increase in malware specifically related to the ‘Internet of Things’ (IoT). If not properly secured and hardened through password changes and pro-active patch management, these devices represent potential attack vectors for cyber criminals to access sensitive data and applications. Yet many of these devices are not managed in the same way as a laptop or desktop: traditional endpoint protection tools do not provide transparency into their behaviour and actions, making it important for managers to employ sophisticated network analytic tools to provide visibility into vulnerabilities.
3: Growing network of service providers
There is an ongoing trend among asset managers towards using a larger network of third-party vendors for a range of services, including those providing middle and back-office processes and supporting execution capabilities. Yet vendors also represent a back door for cyber risk threats; asset managers should pay close attention to the cyber security practices of their service providers and carry out a thorough assessment of all supply chains created through outsourcing, both during the initial implementation and on an ongoing basis.
4: The shift towards cloud-based solutions
Continuing the subject of third-party service providers, the pandemic era has helped drive the increasingly widespread adoption of cloud-based network services—an outsourcing decision that can increase the flexibility and efficiency of a manager’s operating environment, but also expose organisations to new cyber threat surfaces. Whilst cloud computing has revolutionised the way in which many asset managers design their IT infrastructure, it has also undermined conventional approaches to cyber defence based around a ‘network perimeter’.
The transition towards cloud computing is a particularly challenging step: misconfigured cloud server deployments, for instance, represent one of the most common initial compromise vectors in data breaches by cyber-criminals (IBM – Cost of a Data Breach Report 2020). Many asset managers, particularly smaller firms that lack dedicated IT security professionals, have not undertaken critical risk mitigation to reduce these vulnerabilities, such as engaging an independent specialist to conduct a security configuration assessment of their cloud implementation.
5: Business email compromise
Business email compromise has long been—and remains—one of the prevalent sources of cyber risk. The dangers are elevated in private markets strategies where transaction processes are typically manual in nature and thereby at greater risk of human error influenced by threat actors. Historically we have observed this threat in action in the case of a private markets manager whose finance team incorrectly wired more than a million dollars to the account of a fraudulent actor—an error that was traced back to the compromise of a legal firm involved in the transaction process. A strong cyber security training program and disciplined processes for authorising transactions can help to reduce the human errors generated by phishing and social engineering.
6: Cyber risk as investment risk
As the world evolves, portfolio managers must be able to understand cyber vulnerabilities of the underlying assets and companies in which they invest. This need is particularly pressing for asset managers in private markets, where portfolios tend to be more concentrated and acquisition targets may be less mature. The value proposition of an apparently compelling investment opportunity can be completely eroded by the impact of a data breach—which can result in regulatory fines (including fines for GDPR breaches), theft of intellectual property, paralysis of business operations, reputational damage and reduction in asset valuation. It’s imperative that asset managers—and private markets managers in particular—conduct thorough cyber threat assessments to identify security weaknesses as part of their due diligence process and continue monitoring after acquisition. In many instances, managers outsource this type of assessment to a specialist third party.
Conclusion: demanding cyber hygiene 'best practice'
It is of critical importance to investors that asset managers get the basics right, such as adopting attack surface reduction strategies (vulnerability scanning, pro-active patch management, security configuration assessments, penetration testing) and implementing effective programmes to reduce the potential for human error (ongoing cyber risk training, phishing simulations). Shortcomings on these basic points persist, and related risks have likely been exacerbated by the shifting threat landscape over the past two years.
Moreover, managers should go further in seeking to deliver best practice—and investors should come to expect it. Over time, we will increasingly expect managers to take a zero-trust approach to network security, extending the notion of 'least privilege' access (traditionally applied to human users of a network) to cover all devices, applications and end-points, and requiring continuous real-time identity verification. Furthermore, we envisage widespread implementation of automated threat detection and response systems; many firms are now employing tools driven by artificial intelligence and machine learning technologies for this purpose. We also anticipate that asset managers will make greater use of data loss prevention solutions, which have become widely recognised for their risk mitigation capabilities.
In today’s world, a robust cyber risk posture is not a mere formality—it is a necessity to be handled with care.
This commentary is for institutional investors classified as Professional Clients as per FCA handbook rules COBS 3.5R. It does not constitute investment research, a financial promotion or a recommendation of any instrument, strategy or provider. The accuracy of information obtained from third parties has not been independently verified. Opinions not guarantees: the findings and opinions expressed herein are the intellectual property of bfinance and are subject to change; they are not intended to convey any guarantees as to the future performance of the investment products, asset classes, or capital markets discussed. The value of investments can go down as well as up.