Skip to main content
MENU
Subscribe
  • Sign Up Free
  • LOGIN
  • Subscribe
  • Topics
    • Alternatives
    • Artificial Intelligence
    • Consultants
    • Defined Contribution
    • ESG
    • ETFs
    • Face to Face
    • Hedge Funds
    • Industry Voices
    • Investing
    • Money Management
    • Partner Content
    • Pension Funds
    • Private Equity
    • Real Estate
    • Regulation
    • SECURE 2.0
    • Special Reports
    • Washington
    • White Papers
  • Rankings & Awards
    • 1,000 Largest Retirement Plans
    • Top-Performing Managers
    • Largest Money Managers
    • DC Money Managers
    • DC Record Keepers
    • Largest Hedge Fund Managers
    • World's Largest Retirement Funds
    • Best Places to Work in Money Management
    • Excellence & Innovation Awards
    • WPS Innovation Awards
    • Influential Women in Institutional Investing 2023
    • Eddy Awards
  • ETFs
    • Latest ETF News
    • Fund Screener
    • Education Center
    • Equities
    • Fixed Income
    • Commodities
    • Actively Managed
    • Alternatives
    • ESG Rated
  • ESG
    • Latest ESG News
    • The Institutional Investor’s Guide to ESG Investing
    • ESG Sustainability - Gaining Momentum
    • ESG Investing | Industry Brief
    • Innovation in ESG Investing
    • 2023 ESG Investing Conference
    • ESG Rated ETFs
    • Divestment Database
  • Defined Contribution
    • Latest DC News
    • The Plan Sponsor's Guide to Retirement Income
    • DC Money Manager Rankings
    • DC Record Keeper Rankings
    • Innovations in DC
    • Trends in DC: Focus on Retirement Income
    • 2023 Defined Contribution East Conference
  • Searches & Hires
    • Latest Searches & Hires News
    • Searches & Hires Database
    • RFPs
  • Research Center
    • The P&I Research Center
    • Earnings Tracker
    • Endowment Returns Tracker
    • Corporate Pension Contribution Tracker
    • Pension Fund Returns Tracker
    • Pension Risk Transfer Database
  • Careers
  • Events
    • View All Conferences
    • View All Webinars
Breadcrumb
  1. Home
  2. MONEY MANAGEMENT
February 23, 2015 12:00 AM

Money managers see costs escalating for cyberthreat protections

Constant changes make budgets hard to determine

Rick Baert
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print
    Rohanna Mertens
    Alan Kosan said recent breaches at two companies illustrate how overall protection needs to be increased, with costs being passed on to customers.

    Cybersecurity is a growing cost for institutional money management firms.

    Protecting client assets, proprietary information, investment strategies, trading activities and systems has led to increased spending: The Ponemon Institute, an independent data protection research firm in Traverse City, Mich., said the average cyberprotection cost for financial services firms was $20.8 million in 2014 and is expected to be an annualized $17.6 million over the next five years.

    Only energy companies, utilities and defense firms are expected to pay higher annual cyber costs.

    Among global money managers surveyed by Cerulli Associates, Boston, 36% are spending $15 million each annually on cybersecurity. Another 36% are spending between $30 million and $38 million a year. Also, all respondents said they expect money manager cybersecurity spending to rise over the next few years.

    Money management officials contacted for this story said their spending on cybersecurity generally ranges from 5% to 6% of their total information-technology budget.

    A security executive at a large institutional money manager, who spoke on condition of anonymity, said the amount his company spent on cybersecurity in 2014 — about $10 million — was 20% higher than in 2013 because of investment in new security controls. He said the firm's cybersecurity costs are expected to go up in the next few years following the implementation of new projects now being considered, but determining exactly how much will need to be budgeted is difficult.

    “The challenge we have is that there are so many changes made in cybersecurity products, and you can build a two year-strategy based on their costs, but that projection isn't worth a damn if hackers get into your system,” he said. “Then the costs are anyone's guess.”

    Varying costs

    The costs vary because of the kinds of things that need to be protected at an institutional manager, said a security executive at another large firm, who also spoke on condition of anonymity. “There are a number of things to go after depending on the intent,” he said. “A manager like us, with the large volume of data we have, that would make us a target. But some of these (cyberattackers) are very smart. If they hacked into a (corporate) treasury account, let's say, they could steal a large amount of money from that. They could set up a false vendor billing and get themselves paid for quite some time. As a money manager, we also have a large amount of information on potential mergers and acquisitions. That could be very valuable.”

    Recent breaches at health insurer Anthem Inc. and retailer Home Depot U.S.A. Inc. “showed there was a disturbing lack of encryption instituted at those firms,” said Alan Kosan, senior vice president and head of alpha investment research at consultant Segal Rogerscasey, Darien, Conn. “It means an overall increase in cyberprotection capabilities” is needed. “This costs money to do. Those costs will be passed on to customers via higher fees.”

    Mr. Kosan said it's too early to estimate how much fees would increase.

    Institutional money managers might not face the same specific threats as retail managers and banks, which have more Internet-based personal client information that hackers can target.

    Still, “the stakes are greater” for institutional managers, said Eric Hess, managing partner at New York-based Hess Legal Counsel LLC, which advises broker-dealers and money management firms. “It's intriguing in that as you move up the scale of investor sophistication, the vectors of attacks are reduced, but the consequences of success of attacks are worse. In retail, the clients are more exposed. In institutional, the managers themselves are more exposed.”

    “The real threat would be in front-running trading,” said one of the cybersecurity executives. “That's where the value (of hacking a money manager) would be. You hear about the noisy stuff, like hacking at banks, but if a hacker were to be able to find out, let's say, that an asset manager is about to unload a million shares of IBM, that information could be huge to them, and it would be hacking that wouldn't be as obvious. If the market plunges 400 points because of front-running, it'd be hard to see the cause of the decline for a while.”

    A cyberattack on an institutional manager would create questions of liability for the losses. Unlike the theft of personal data, which is covered by privacy laws in 47 states, no similar laws exist for data-breach liability, Mr. Hess said.

    That's why negotiations between money managers and asset owners over contracts are specifying manager responsibility in cybertheft-related losses. “If an organization has access to personal identifiable information, their responsibility increases substantially vs. institutions that don't have this underlying information,” Mr. Hess said. “That's not covered under the state laws. But even without that underlying information, (vendors) will be subject to the expectations of their clients. They don't have the same kind of regulatory overhang, but clients do have rising expectations.”

    Cybercriminals can access individuals' data from retail firms and retirement plan service providers with web-based access for participants. But institutional investment management firms' data and information are less accessible because most are kept on closed systems. Mr. Hess said that makes entry into institutional managers' systems more likely to come via phishing and “spoofing” — mimicking the actions of a money manager executive and then lulling others at the firm into believing they're being asked by the executive to access the company computer system or an actual account.

    “The attacker must have a lot of information to break into a money manager,” Mr. Hess said. “The hacker must know the company. The danger is social engineering; at the organization, knowing who deals with whom and what.”

    And once in — usually through viruses or code downloaded through e-mails inadvertently opened by employees at money managers — cybercriminals can have full access with no tip-off that a hack occurred.

    Internal vigilance

    The need for internal vigilance was highlighted by a Feb. 3 report from the Securities and Exchange Commission that showed 43% of money managers and other registered investment advisers reported receiving fraudulent e-mails seeking to transfer client funds.

    Hackers also try to exploit other means of entry, putting money managers on alert:



    • the direct placement of malware into a manager's computer system to disrupt operations;

    • the creation of false billing accounts to draw assets;

    • ransomware, which can be used to infiltrate operating systems and later be used to extort money from a manager; and

    • the placement of hacking code into company computer systems by employees accessing news websites, blogs, industry group websites where hackers have inserted the code in “anything that accepts comments,” said one of the money manager security executives.

    Related Articles
    Joint effort with FBI targets cyberthreats
    SEC: Vast majority of managers, broker-dealers reported cyber-related incidents
    Asset owners demand info on cybersecurity processes
    Banks join technology chiefs to press Congress for cybersecurity bill
    SEC outlines cybersecurity guidance for money managers, advisers
    Deloitte: Most DC plans are confident in providers' cybersecurity policies
    State Street reports contractor took data from alternatives administration unit
    More firms buy insurance for cyberattacks
    G-7 countries establish elements to target cybersecurity in global finance indu…
    Plans face threats to crucial data
    Recommended for You
    First Eagle names CIO of new high-yield municipal credit team
    Business_Calculator_i.jpg
    Institutional clients moving to consolidate manager lineups
    handshake_5_1550-main_i.jpg
    Pacific Current to take minority stake in Avante Capital
    Multiple Tailwinds Propel Private Credit
    Sponsored Content: Multiple Tailwinds Propel Private Credit
    Sponsored
    White Papers
    2023 Hot Topics in Retirement and Financial Wellbeing
    Bonds: Shaken, but Not Stirred
    Today’s rate cycle and US equities in target date portfolios
    A Study of Allocations to Alternative Investments by Institutions and Financial…
    Unlocking Hidden Value in Japan
    The Art of the Possible in Data Automation for Institutional Investors
    View More
    Sponsored Content
    Partner Content
    The Industrialization of ESG Investment
    For institutional investors, ETFs can make meeting liquidity needs easier
    Gold: the most effective commodity investment
    2021 Investment Outlook | Investing Beyond the Pandemic: A Reset for Portfolios
    Ten ways retirement plan professionals add value to plan sponsors
    Gold: an efficient hedge
    View More
    E-MAIL NEWSLETTERS

    Sign up and get the best of News delivered straight to your email inbox, free of charge. Choose your news – we will deliver.

    Subscribe Today
    December 12, 2022 page one

    Get access to the news, research and analysis of events affecting the retirement and institutional money management businesses from a worldwide network of reporters and editors.

    Subscribe
    Connect With Us
    • RSS
    • Twitter
    • Facebook
    • LinkedIn

    Our Mission

    To consistently deliver news, research and analysis to the executives who manage the flow of funds in the institutional investment market.

    About Us

    Main Office
    685 Third Avenue
    Tenth Floor
    New York, NY 10017-4036

    Chicago Office
    130 E. Randolph St.
    Suite 3200
    Chicago, IL 60601

    Contact Us

    Careers at Crain

    About Pensions & Investments

     

    Advertising
    • Media Kit
    • P&I Custom Content
    • P&I Careers | Post a Job
    • Reprints & Permissions
    Resources
    • Subscribe
    • Newsletters
    • FAQ
    • P&I Research Center
    • Site map
    • Staff Directory
    Legal
    • Privacy Policy
    • Terms and Conditions
    • Privacy Request
    Pensions & Investments
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.
    • Topics
      • Alternatives
      • Artificial Intelligence
      • Consultants
      • Defined Contribution
      • ESG
      • ETFs
      • Face to Face
      • Hedge Funds
      • Industry Voices
      • Investing
      • Money Management
      • Partner Content
      • Pension Funds
      • Private Equity
      • Real Estate
      • Regulation
      • SECURE 2.0
      • Special Reports
      • Washington
      • White Papers
    • Rankings & Awards
      • 1,000 Largest Retirement Plans
      • Top-Performing Managers
      • Largest Money Managers
      • DC Money Managers
      • DC Record Keepers
      • Largest Hedge Fund Managers
      • World's Largest Retirement Funds
      • Best Places to Work in Money Management
      • Excellence & Innovation Awards
      • WPS Innovation Awards
      • Influential Women in Institutional Investing 2023
      • Eddy Awards
    • ETFs
      • Latest ETF News
      • Fund Screener
      • Education Center
      • Equities
      • Fixed Income
      • Commodities
      • Actively Managed
      • Alternatives
      • ESG Rated
    • ESG
      • Latest ESG News
      • The Institutional Investor’s Guide to ESG Investing
      • ESG Sustainability - Gaining Momentum
      • ESG Investing | Industry Brief
      • Innovation in ESG Investing
      • 2023 ESG Investing Conference
      • ESG Rated ETFs
      • Divestment Database
    • Defined Contribution
      • Latest DC News
      • The Plan Sponsor's Guide to Retirement Income
      • DC Money Manager Rankings
      • DC Record Keeper Rankings
      • Innovations in DC
      • Trends in DC: Focus on Retirement Income
      • 2023 Defined Contribution East Conference
    • Searches & Hires
      • Latest Searches & Hires News
      • Searches & Hires Database
      • RFPs
    • Research Center
      • The P&I Research Center
      • Earnings Tracker
      • Endowment Returns Tracker
      • Corporate Pension Contribution Tracker
      • Pension Fund Returns Tracker
      • Pension Risk Transfer Database
    • Careers
    • Events
      • View All Conferences
      • View All Webinars