Asset owners' concerns over providers' data security appear to be well founded.
According to a report released last week by the Securities and Exchange Commission, 74% of money managers and other registered investment advisers surveyed said they've been the subject of a cyber-related incident directly or through their external providers.
Also, while 79% of respondents conduct periodic risk assessments to identify cybersecurity threats and potential business consequences, only 32% apply those assessment requirements to their outside vendors.
Money managers and other service providers are responding to requests for proposals (RFPs) that ask for cybersecurity details, said Freeman Wood, principal at Mercer Sentinel in Chicago. They are, for example, detailing how they're proactively testing internal controls to fight cyberattacks. They're also vigorously scrutinizing their outsourced vendors, which Mercer Sentinel's Mr. Sommer said is a new phenomenon.
Managers' third-party providers under review include custodians, fund administrators and other middle- and back-office providers and “any organization that has a firm's confidential information — client information, portfolio information into possible trades — and actual access to money through any means, not just the ones you would think of,” Mr. Sommer said.
He cited the 2013 Target Corp. data breach, which eventually was discovered to have come from a computer of a heating and air-conditioning firm under contract to the retailer. “It's any vendor, providing any service, that has a link to that firm's data.”
A greater focus — and one often overlooked — is physical security, Mr. Sommer said. “With so much business activity now being done outside the office, it's encrypting laptops and personal devices, but it's also securing against access to a company's server. Outside office access is now integral in our reviews of provider security.”
Breaches can also be accidental but still risky, said John Barlament, partner, data privacy, at Quarles & Brady LLP, Milwaukee. Last month, a third-party administrator for DB and DC plans accidentally disclosed Social Security numbers, account balances and other information from participants in one company plan to another plan, which automatically downloaded the information into its database. “The vendor had one site where all clients could access via password,” Mr. Barlament said. “That was totally inadvertent, with no malicious intent. It wasn't a case of a disgruntled employee. But regardless, it was a data breach.” He would not name the parties involved.
William Stone, CEO of financial services software and fund administration service provider SS&C Technologies Inc., Windsor, Conn., said a big concern for providers “is from within. It's more likely that employees can get into systems. That's why you need strict monitoring ... to be able to spot suspicious activity.”
“You also need layers (of security). First the walls, then the moat, and then the people with the shotguns.”
Keith Overly, executive director of the $9.7 billion Ohio Public Employees Deferred Compensation Program, Columbus, has internal concerns over data security because record-keeping is done in-house. Among the program's internal security checks is an audit by an accounting firm every two years that looks at the plan's “physical and electronic security. They actually try to breach our system. The good news is that they haven't been able to.”