
Special report: CYBERSECURITY

Lack of guidance putting institutions at end of line

Joseph Carson, chief security scientist at Thycotic
Security analyst Joseph Carson says most institutions often take ‘a reactive approach to cybersecurity.’

The institutional investment industry is somewhat lagging other financial service firms in the cybersecurity arena, mainly because it lacks standard regulatory guidance on the topic and there's no clear path forward.

But with cyberattacks on the rise, executives of retirement plans and money managers are beginning to catch up. They are beefing up internal security measures and working with external financial technology companies to create unique ways to keep assets and data safe.

Most institutions are only doing "the very basics" to keep data secure, said Joseph Carson, chief security scientist at Thycotic, a Washington-based cybersecurity firm. With "institutions that are heavily regulated, regulation forces them to do something about security," Mr. Carson said. However, because it's not their primary business, most institutions often take "a reactive approach to cybersecurity," focusing on their online security features only after a data breach or regulations force them to look at their security controls.

In other words, not until it's too late.

Timothy Francis, vice president business insurance, management and professional liability and enterprise lead for cyber insurance at Travelers Cos. Inc., Hartford, Conn., agreed "asset managers may be a little bit behind some of their other peer groups in terms of infrastructure" to fight cyberattacks, although he is seeing improvement.

"There's much more rigor now, but it's still not at the level it ought to be. And it's not at the level of other financial organizations," such as depositories, banks and insurance companies, he said.

Although cyberattacks are both increasing in number and intensity, many businesses are still unprepared to prevent and combat security breaches. The Global Economic Crime Survey, published by PricewaterhouseCoopers in February 2016, found at least 54% of respondents from U.S. companies experienced some type of cybercrime vs. 32% of organizations globally. Those incidents have risen since 2014, when 44% in the U.S. reported being victims of cybercrime vs. 24% globally.

However, Ernst & Young's 19th Global Information Security Survey 2016-2017, released Jan. 11, found only 22% of the 1,735 global executives, information security managers and senior information technology executives surveyed fully consider information security in their strategy and planning.

And as cyberattacks grow, so do the costs of preventing them.

Global spending up

Global spending on information-security products and services is expected to reach $86.4 billion in 2017, up 7% from 2016, according to data from Stamford, Conn.-based research firm Gartner Inc. In 2018, $93 billion is anticipated to be spent on information security.

Several sources said the data breach at Atlanta-based credit services firm Equifax Inc., announced Sept. 7, is illustrating not only how imperative it is for money managers to have safeguards in place to protect data, but also how ill-prepared even the largest financial firms can be to prevent security breaches.

Prior to the data breach, MSCI ESG Research in August 2016 had downgraded Equifax to its lowest possible rating, CCC. Equifax later was excluded from the MSCI ESG Leaders index in December.

MSCI ESG Research cited "Equifax's data security and privacy measures … insufficient in mitigating data breach events" as the reason for the downgrade.

Steven M. Bellovin, a professor in Columbia University's computer science department, New York, said: "There are players, such as Equifax, who should understand" the importance of cybersecurity "but don't. Some of their response to this has been very careless and below acceptable standards."

"We're talking pensions, so we're talking a lot of money," added Mr. Bellovin. "I've seen a lot of things done poorly."

One of the biggest challenges in fighting cybercrime in the institutional investment industry is the lack of an industry standard on keeping assets safe from hackers, said a lawyer specializing in situations concerning pension plans.

"There's a lack of consistency with state laws, and there's no federal statute," said Maria P. Rasmussen, senior counsel at the law firm McGuireWoods LLP, Richmond, Va., representing plan sponsors.

She also noted that whatever security breaches have taken place haven't resulted in serious legal action, which has emboldened hackers — or at least hasn't deterred them. "There have been breaches, but they haven't resulted in litigation. That framework sets the tone," she said.

Ms. Rasmussen added that institutional investors "are more focused" on the issue of cybersecurity, but "they're not exactly where they need to be."

Tough to quantify

Another challenge is that cybersecurity has historically been tough to quantify. "It's difficult to calculate the risk and therefore difficult to budget against it," said Mark Nicholson, a principal in Deloitte & Touche LLP's cyber risk services division, New York. "There isn't always a clear science to" what a money manager is buying with its risk-mitigation efforts, he added.

Mr. Nicholson noted the risk against hacking and scams is difficult to quantify because "the threat landscape is so dynamic." With industry innovation — new investment products, new services, new technology innovations — comes new vulnerabilities.

Added to that, he said, "the adversary is continually evolving and looking for new targets and new ways to accomplish their goals."

But despite the challenges, things appear to be moving in the right direction. Most managers with whom Mr. Nicholson has spoken "are doing everything in their means to address" the challenge of cybersecurity. This includes assessing their own readiness by testing their security measures both internally and externally via third parties.

Alan Kosan, senior vice president, head of alpha investment research at Segal Marco Advisors, Darien, Conn., said cyberprotection protocols have become standard operating procedure for how managers are reviewed by his consulting firm — and he's seeing managers improve those protocols.

While managers are augmenting their security features, Mr. Kosan added institutional investors, particularly larger ones, "are budgeting up" and allocating more money to cybersecurity "than ever before," although he was unable to quantify it as a percentage of budget.

One plan looking to enhance its security controls is New Hampshire Retirement System, Concord. As reported last month (Pensions & Investments, Aug. 21), a hacker unsuccessfully tried in July to steal pension payments from retirees in the $8.1 billion pension fund. NHRS managed to foil the attack.

"Even before this incident, NHRS was engaged in an ongoing effort to continuously improve our cybersecurity infrastructure and controls," said spokesman Marty Karlon in an email. "NHRS has been working, and will continue to work, with outside legal and technology experts and vendors to strengthen the security of internal and external systems."

Over the past few years, NHRS has deployed email encryption, implemented enhanced firewall technology, engaged with third parties for 24/7/365 network security monitoring and protection, held ongoing security awareness training for staff and hired a cybersecurity vendor for testing external servers and hardware.

The New Hampshire plan also is working with its vendor, LRS Retirement Solutions, Springfield, Ill., to go live with a two-step account setup process by the end of September requiring a personal identification number mailed to a home address.

Segal Marco's Mr. Kosan is seeing more training on how to be more sensitive and alert about cybersecurity risk and to better identify and respond to incidents. "There has been a corporate cultural shift well underway that has resulted in increased training."

Shelly Heier, president and chief operating officer of Seattle-based consulting firm Verus, also said she's seen increased attention to this issue within the industry.

The U.S. Securities and Exchange Commission is now "including cybersecurity in all of their reviews," and Verus explores the topic in its operational due diligence of investment managers as well, Ms. Heier said. "Many of our larger clients have started to adopt increased cybersecurity measures, but the midsized and small entities may not have the resources yet."

Mandated controls

State regulatory agencies also are beginning to issue mandated cybersecurity controls for financial firms. In February, the New York State Department of Financial Services announced a regulation requiring financial services firms overseen by the department to have cybersecurity programs and policies in place as of March 1.

Colorado's Division of Securities issued similar guidelines affecting all firms licensed by the state division; those guidelines took effect on July 15.

Vermont's Department of Financial Regulation also issued a similar cybersecurity regulation in July 2016 that applies to state investment advisers and broker-dealers.