The WannaCry ransomware attack, which struck hundreds of thousands of computers in more than 150 countries in mid-May, is the latest and most dramatic reminder of the cybersecurity threats that plague businesses, individuals and government/non-profit organizations with great regularity.
Investment managers are at particular risk of cybersecurity threats, not only because of their access to large pools of assets, but also because they often depend heavily on networks of third-party partners — including prime brokers, outsourced information technology firms, consultants, and providers of risk management research, cash management, portfolio optimization and fund administration services — over whose systems and processes they have no control. As the Securities and Exchange Commission noted in a 2015 Guidance Update: "Service providers may be given limited access to a fund's technology systems that may inadvertently enable unauthorized access to data held by the fund. Funds, as well as advisers, may wish to consider reviewing their contracts with their service providers to determine whether they sufficiently address technology issues and related responsibilities in the case of a cyberattack."
It is vital for investment managers to identify and avoid exposure to cybersecurity weaknesses within these "ecosystems" of outside service providers — and to have the assurance that all participants in the partner network are equally secure.
Midsize managers at increased risk
While all investment managers are potentially at risk from cybersecurity threats, those with assets under management of $5 billion to $10 billion are especially vulnerable. Smaller managers might "fly under the radar" of cybercriminals and larger firms may have more resources to devote to cybersecurity. But midsized managers are visible enough to present tempting targets. They also are likely to have a relatively broad network of outside service providers, making their exposure to cybercrime exponentially greater. By our estimation, a typical investment manager in this asset-size range may have relationships with as many as 100 to 200 outside service providers. Not all of those vendors have access to systems or data that may be of concern, but unless the investment manager has a robust oversight process for these relationships, the exposure to cybercrime can't be ruled out.
Particular areas of exposure
The areas of exposure that are of particular concern for investment managers fall into several key categories.
- Theft of intellectual property: Investment managers' No. 1 cybersecurity concern is that someone may discover their positions and improperly benefit by trading on that information. In addition, proprietary trading algorithms, investment strategies and other forms of intellectual property also are at risk.
- Loss of investor information/identity theft: Investment managers maintain sensitive confidential data that is valuable to cybercriminals, most notably with respect to clients' names, Social Security numbers, bank accounts and other personally identifiable information.
- Business interruption: Hackers could potentially disrupt a manager's trading systems and interfere with the normal conduct of the business. For example, a criminal could hypothetically hack into a fund's trading system and slow down or otherwise interrupt trade executions.
- Fraudulent activity: Cybercriminals could introduce ransomware and force payment to regain access to key systems, or could use those systems directly, for example to execute illicit wire transfers, until the activity is detected.
- Non-compliance: With the increasing incidence of cyberthreats, regulators around the world are taking a stronger approach to investment firms that fail to implement proper cybersecurity policies and procedures.
- Reputation risk: Beyond any actual losses from fraud or business interruption, a highly visible cybersecurity breach would raise troubling questions about an investment manager's ability to protect its investors, and its commitment to doing so.
Investment managers must vet their provider ecosystem carefully to ensure that all participants have strong cybersecurity systems and processes in place.
Among the questions managers should ask of their outside providers are:
- What controls are in place?
- Are those controls based on industry standards?
- Are audits or reports on security controls from a public accounting firm or other third-party expert available, such as Service Organization Control (SOC1) reports?
- Have those controls been vetted by a third party? If so, what were the deficiencies? How often are controls reviewed?
- Do any practices not meet industry standards?
- What is the provider's incident response plan and how often is it reviewed and tested?
- Have incidents occurred and if so, how severe was the damage?
- Does the service provider have staff dedicated to information security? What are the qualifications of that staff?
- Is there a culture of information security?
Need for a rigorous DDQ process
Several areas of focus in assessing cybersecurity are worth noting:
Strengthen the due diligence questionnaire process. Critical cybersecurity issues should be part of the due diligence questionnaire that investment managers require all outside service providers to complete. This process typically has been managed manually with checklists or spreadsheets, but new software products can organize and streamline the process.
For example, there should be one repository for all DDQs. All vendors should be required to conform to the same rigorous process and meet the manager's minimum standards for security systems and procedures. There should be an automatic calendar reminder of when a specific DDQ is due for routine review. And, there must be a process for tracking any interim cybersecurity issues that might arise between reviews, including documentation of any investigation and confirmation that the matter has been remediated.
Have an independent review of the DDQ. Rather than task the investment manager's staff with reviewing the DDQs, which can be a strain on internal resources, consider using an outside expert with demonstrated cybersecurity expertise to methodically review the service provider responses in line with best practices. While not mandatory, the Certified Information Systems Security Professional designation is an important credential to look for in consultants or advisers.
Among the other cybersecurity-related actions that investment managers should consider are: specifying the process to be followed in reporting security breaches; ensuring that open issues are remediated; and reviewing control reports or penetration tests from the vendors to identify possible concerns. It also is prudent to implement third-party monitoring of news related to cybersecurity issues, in order to learn of events that a vendor might not report itself.
New cybersecurity threats surface on a regular basis, and at an increasingly rapid pace. While investment managers can never fully immunize their operations against cyberfraud, key actions to mitigate this risk include creating a culture of cybersecurity awareness and compliance, establishing robust security systems and processes, vetting outside partners thoroughly, and identifying high-level cybersecurity expertise that can be called upon to prevent or respond to cybercrime exposure.
Doug Schwenk is founder and CEO of Advise Technologies LLC, New York. This article represents the views of the author. It was submitted and edited under Pensions & Investments guidelines, but is not a product of P&I's editorial team.