The costs vary because of the kinds of things that need to be protected at an institutional manager, said a security executive at another large firm, who also spoke on condition of anonymity. “There are a number of things to go after depending on the intent,” he said. “A manager like us, with the large volume of data we have, that would make us a target. But some of these (cyberattackers) are very smart. If they hacked into a (corporate) treasury account, let's say, they could steal a large amount of money from that. They could set up a false vendor billing and get themselves paid for quite some time. As a money manager, we also have a large amount of information on potential mergers and acquisitions. That could be very valuable.”
Recent breaches at health insurer Anthem Inc. and retailer Home Depot U.S.A. Inc. “showed there was a disturbing lack of encryption instituted at those firms,” said Alan Kosan, senior vice president and head of alpha investment research at consultant Segal Rogerscasey, Darien, Conn. “It means an overall increase in cyberprotection capabilities” is needed. “This costs money to do. Those costs will be passed on to customers via higherRogerscasey, Darien, Conn. “It means an overall increase in cyberprotection capabilities” is needed. “This costs money to do. Those costs will be passed on to customers via higher fees.”
Mr. Kosan said it's too early to estimate how much fees would increase.
Institutional money managers might not face the same specific threats as retail managers and banks, which have more Internet-based personal client information that hackers can target.
Still, “the stakes are greater” for institutional managers, said Eric Hess, managing partner at New York-based Hess Legal Counsel LLC, which advises broker-dealers and money management firms. “It's intriguing in that as you move up the scale of investor sophistication, the vectors of attacks are reduced, but the consequences of success of attacks are worse. In retail, the clients are more exposed. In institutional, the managers themselves are more exposed.”
“The real threat would be in front-running trading,” said one of the cybersecurity executives. “That's where the value (of hacking a money manager) would be. You hear about the noisy stuff, like hacking at banks, but if a hacker were to be able to find out, let's say, that an asset manager is about to unload a million shares of IBM, that information could be huge to them, and it would be hacking that wouldn't be as obvious. If the market plunges 400 points because of front-running, it'd be hard to see the cause of the decline for a while.”
A cyberattack on an institutional manager would create questions of liability for the losses. Unlike the theft of personal data, which is covered by privacy laws in 47 states, no similar laws exist for data-breach liability, Mr. Hess said.
That's why negotiations between money managers and asset owners over contracts are specifying manager responsibility in cybertheft-related losses. “If an organization has access to personal identifiable information, their responsibility increases substantially vs. institutions that don't have this underlying information,” Mr. Hess said. “That's not covered under the state laws. But even without that underlying information, (vendors) will be subject to the expectations of their clients. They don't have the same kind of regulatory overhang, but clients do have rising expectations.”
Cybercriminals can access individuals' data from retail firms and retirement plan service providers with web-based access for participants. But institutional investment management firms' data and information are less accessible because most are kept on closed systems. Mr. Hess said that makes entry into institutional managers' systems more likely to come via phishing and “spoofing” — mimicking the actions of a money manager executive and then lulling others at the firm into believing they're being asked by the executive to access the company computer system or an actual account.
“The attacker must have a lot of information to break into a money manager,” Mr. Hess said. “The hacker must know the company. The danger is social engineering; at the organization, knowing who deals with whom and what.”
And once in — usually through viruses or code downloaded through e-mails inadvertently opened by employees at money managers — cybercriminals can have full access with no tip-off that a hack occurred.