June 03, 2024 

Money managers racing against new cybersecurity threats

For the largest money managers, keeping up with existing and emerging cybersecurity threats means approaching those threats comprehensively. But technologies such as artificial intelligence continue to aid bad actors, sources said, and addressing the ever-changing landscape can be a challenge.


“It’s a cat and mouse game,” in which there’s constantly new technology to catch up with, said T. Williams Roberts III, partner and co-CEO of GW&K Investment Management, which managed $50.7 billion in assets as of Dec. 31.


“It's a challenge that all firms have to address and it is constantly evolving,” Roberts added. “And you have to stay on the forefront of these changes.”


According to Roberts, there are three categories of new cybersecurity threats that asset managers face today: social engineering, imposters and zero-day events, and he’s seen a “massive uptick” in all of these.

John Quan, Chief Technology Officer - Aristotle

Social engineering is when a bad actor uses certain tactics, often through email, to get an employee to give up their credentials or click on something so the actor can gain access to the system, Roberts said.


GW&K uses outside software to prevent these types of emails, but some do get through, so “we do an immense amount of training from the day an employee starts all the way through to the last day as to what to be on the lookout for,” he added.


In general, addressing cybersecurity effectively requires working collaboratively, sources emphasized.


One way in which GW&K does that is through its cybersecurity committee, which Roberts is a member of along with employees from the information technology, legal and compliance, and client services departments.


The committee, which started more than 10 or 15 years ago, meets on a regular basis and covers “all aspects of trying to prevent bad actors and nation-states from doing things that would harm our business,” Roberts said.


According to John Quan, chief technology officer at Aristotle, “it really is a team effort when we think about how to best approach cybersecurity,” which means working on cyber issues across departments and utilizing third-party experts and system providers. Aristotle’s six affiliates had $90 billion in combined AUM as of March 31.


“We believe that having a comprehensive program is really our best defense,” Quan said, emphasizing things like governance, engineering and understanding the threat landscape. He added that the company believes “cyber is everyone’s responsibility.”


Santhosh Keshavan, executive vice president and chief information officer at Voya Financial, had a similar view.


“Everybody has a role to play in this,” Keshavan said. “It will take a village to stop because all you need is one weak entry point and your security can be compromised.”


Keshavan added that the “most important thing” that Voya does to address cybersecurity threats is employee education and training, which includes conducting simulated attacks. Voya Investment Management had $321.7 billion in AUM as of Dec. 31.


New threats


Besides social engineering, GW&K's Roberts highlighted imposters and zero-day events as the next big threats in cyber.

Imposters are “someone (who) buys a domain name that is very similar to your domain name,” like including an extra vowel, and then uses that domain to try and gain money or credentials, according to Roberts.


While GW&K utilizes software to alert them whenever a similar domain name is registered, “the problem is these domain names are usually registered in foreign countries and they’re very, very difficult to shut down,” Roberts said.


Zero-day events occur when a software company realizes a vulnerability in their system, posts a patch to fix that vulnerability, and “before (they) have time to put that patch on … somebody in the dark web will reverse engineer that patch, figure out what the vulnerability is, and then go ahead and sell that on the dark web,” Roberts said. The event gets its name from the speed in which a patch is exploited, before companies even get the chance to use it.


To try and prevent those events, GW&K is “in tune with every vendor and as soon as the patch comes out, we are installing it (that) moment,” he said.


Keshavan also acknowledged zero-day events as a major threat and said Voya works to quickly institute patches as well.


Technological vulnerabilities are not new, Keshavan contended, “but the intensity of it has increased and the threat actors are getting very sophisticated, so it’s becoming harder to sort of identify what’s malicious vs. not.”


AI and cybersecurity


Aristotle’s Quan said he believes the “primary driver” of new cybersecurity threats is generative AI.


“We can be certain that nation-states, organized crime, opportunistic types of adversaries … they're (all) utilizing generative AI for more tailored, more specific types of phishing attacks,” Quan said.


Phishing is a type of social engineering in which an attacker pretends to be a trusted source to trick victims into clicking on links, sharing personal information, sending money or a different action that benefits the attacker.


Generative AI allows for the use of voice and video when phishing, in addition to more traditional texting and emailing tactics, according to Quan.


Voya’s Keshavan acknowledged that bad actors can utilize AI in malicious ways, which means ramping up protection is important. But on the other hand, “AI has given a lot of benefits to customers and employees when it's done right,” Keshavan said, and Voya’s investment management business has been using it for the past 10 years or so.


At Aristotle, “we are taking a measured approach to how we adopt generative AI,” Quan said, which includes establishing a strong AI policy.


Specifically, Aristotle is focusing on the data sources that AI utilizes, and ensuring the company has a closed-off environment, as AI has a “publicly available nature” through things like ChatGPT, according to Quan.


The company is also training its employees on how to properly use AI, as well as using AI for its cybersecurity defense, Quan said.

Todd Conklin, chief AI officer and deputy assistant secretary for cybersecurity and critical infrastructure protection at the Treasury Department, has emphasized the importance of AI for cybersecurity defense.


“You really can't have a modern cybersecurity defense posture without leveraging AI,” Conklin said at the Investment Company Institute’s 2024 Leadership Summit on May 22.


But using AI for cybersecurity defense still requires the help of humans, Quan contended.


“AI can streamline a lot of stuff (and) can make things much more efficient, but we feel that it's not a replacement for a human,” Quan said, explaining that they still need cyber engineers to “apply the right context” to each situation.


Managing the risks


On March 27, the Treasury Department released a report warning that financial institutions are increasingly vulnerable to cybersecurity attacks fueled by AI.


The department created the report in response to President Joe Biden’s executive order, issued in October, which called on the Treasury secretary to lay out best practices for financial institutions to manage AI-related cybersecurity risks.


According to the report, “financial institutions should expand and strengthen their risk management and cybersecurity practices to account for AI systems’ advanced and novel capabilities, consider greater integration of AI solutions into their cybersecurity practices, and enhance collaboration, particularly threat information sharing.”


Aristotle’s Quan noted that “cybersecurity starts at the top,” as it’s up to board executives to decide how to allocate resources.


“We're fortunate here at Aristotle to have a board that is focused on technology and is focused on protecting the firm and our clients,” he said.


2023 survey from Deloitte found that cybersecurity budgets as a share of total revenue in the investment management sector make up less than 1%, only slightly increasing to 0.49% in 2023 from 0.4% in 2021.


In the retirement world, some plan sponsors are now turning to external cybersecurity firms to supplement their own cyber programs, which Quan said seems to be a trend for money managers, as well.


“I think firms of all sizes are recognizing that they can't do this alone (and) that they have to leverage this network of third parties that are out there,” Quan said.

Reprinted with permission from Pensions & Investments. © 2024 Crain Communications Inc. All rights reserved. 
Further duplication without permission is prohibited. Visit PI24036