Money managers see costs escalating for cyberthreat protections

Cybersecurity is a growing cost for institutional money management firms.

Protecting client assets, proprietary information, investment strategies, trading activities and systems has led to increased spending: The Ponemon Institute, an independent data protection research firm in Traverse City, Mich., said the average cyberprotection cost for financial services firms was $20.8 million in 2014 and is expected to be an annualized $17.6 million over the next five years.

Only energy companies, utilities and defense firms are expected to pay higher annual cyber costs.

Among global money managers surveyed by Cerulli Associates, Boston, 36% are spending $15 million each annually on cybersecurity. Another 36% are spending between $30 million and $38 million a year. Also, all respondents said they expect money manager cybersecurity spending to rise over the next few years.

Money management officials contacted for this story said their spending on cybersecurity generally ranges from 5% to 6% of their total information-technology budget.

A security executive at a large institutional money manager, who spoke on condition of anonymity, said the amount his company spent on cybersecurity in 2014 — about $10 million — was 20% higher than in 2013 because of investment in new security controls. He said the firm's cybersecurity costs are expected to go up in the next few years following the implementation of new projects now being considered, but determining exactly how much will need to be budgeted is difficult.

“The challenge we have is that there are so many changes made in cybersecurity products, and you can build a two year-strategy based on their costs, but that projection isn't worth a damn if hackers get into your system,” he said. “Then the costs are anyone's guess.”

The costs vary because of the kinds of things that need to be protected at an institutional manager, said a security executive at another large firm, who also spoke on condition of anonymity. “There are a number of things to go after depending on the intent,” he said. “A manager like us, with the large volume of data we have, that would make us a target. But some of these (cyberattackers) are very smart. If they hacked into a (corporate) treasury account, let's say, they could steal a large amount of money from that. They could set up a false vendor billing and get themselves paid for quite some time. As a money manager, we also have a large amount of information on potential mergers and acquisitions. That could be very valuable.”

Recent breaches at health insurer Anthem Inc. and retailer Home Depot U.S.A. Inc. “showed there was a disturbing lack of encryption instituted at those firms,” said Alan Kosan, senior vice president and head of alpha investment research at consultant Segal Rogerscasey, Darien, Conn. “It means an overall increase in cyberprotection capabilities” is needed. “This costs money to do. Those costs will be passed on to customers via higherRogerscasey, Darien, Conn. “It means an overall increase in cyberprotection capabilities” is needed. “This costs money to do. Those costs will be passed on to customers via higher fees.”

Mr. Kosan said it's too early to estimate how much fees would increase.

Institutional money managers might not face the same specific threats as retail managers and banks, which have more Internet-based personal client information that hackers can target.

Still, “the stakes are greater” for institutional managers, said Eric Hess, managing partner at New York-based Hess Legal Counsel LLC, which advises broker-dealers and money management firms. “It's intriguing in that as you move up the scale of investor sophistication, the vectors of attacks are reduced, but the consequences of success of attacks are worse. In retail, the clients are more exposed. In institutional, the managers themselves are more exposed.”

“The real threat would be in front-running trading,” said one of the cybersecurity executives. “That's where the value (of hacking a money manager) would be. You hear about the noisy stuff, like hacking at banks, but if a hacker were to be able to find out, let's say, that an asset manager is about to unload a million shares of IBM, that information could be huge to them, and it would be hacking that wouldn't be as obvious. If the market plunges 400 points because of front-running, it'd be hard to see the cause of the decline for a while.”

A cyberattack on an institutional manager would create questions of liability for the losses. Unlike the theft of personal data, which is covered by privacy laws in 47 states, no similar laws exist for data-breach liability, Mr. Hess said.

That's why negotiations between money managers and asset owners over contracts are specifying manager responsibility in cybertheft-related losses. “If an organization has access to personal identifiable information, their responsibility increases substantially vs. institutions that don't have this underlying information,” Mr. Hess said. “That's not covered under the state laws. But even without that underlying information, (vendors) will be subject to the expectations of their clients. They don't have the same kind of regulatory overhang, but clients do have rising expectations.”

Cybercriminals can access individuals' data from retail firms and retirement plan service providers with web-based access for participants. But institutional investment management firms' data and information are less accessible because most are kept on closed systems. Mr. Hess said that makes entry into institutional managers' systems more likely to come via phishing and “spoofing” — mimicking the actions of a money manager executive and then lulling others at the firm into believing they're being asked by the executive to access the company computer system or an actual account.

“The attacker must have a lot of information to break into a money manager,” Mr. Hess said. “The hacker must know the company. The danger is social engineering; at the organization, knowing who deals with whom and what.”

And once in — usually through viruses or code downloaded through e-mails inadvertently opened by employees at money managers — cybercriminals can have full access with no tip-off that a hack occurred.

The need for internal vigilance was highlighted by a Feb. 3 report from the Securities and Exchange Commission that showed 43% of money managers and other registered investment advisers reported receiving fraudulent e-mails seeking to transfer client funds.

Hackers also try to exploit other means of entry, putting money managers on alert:

• the direct placement of malware into a manager's computer system to disrupt operations;
• the creation of false billing accounts to draw assets;
• ransomware, which can be used to infiltrate operating systems and later be used to extort money from a manager; and
• the placement of hacking code into company computer systems by employees accessing news websites, blogs, industry group websites where hackers have inserted the code in “anything that accepts comments,” said one of the money manager security executives.