March 20, 2017 01:00 AM

Latest hacking news heightens cybersecurity concerns

Rick Baert
    Dennis McCrary believes strict cybersecurity for third-party vendors is 'critical.'

    Third-party administrators for alternatives managers are double- and triple-checking their cyber defenses following revelations that two firms in the past six months have been hit by hackers.

    Sources would not name the firms that were subject to email phishing but said both attempts were thwarted before any information was accessed.

    Despite their lack of success, the attacks raised red flags for an industry that has worked behind the scenes in investment for years. With asset owners boosting their allocations to private equity, real estate and hedge funds, administrators have seen an increase in both business and the information they hold.

    Fund administration is “pretty well known now with the shift over the last 15 years by private equity firms and hedge funds to outsource their back office,” said Chad Burhance, CEO of NewOak Credit Services, a New York fund administration firm targeting private credit. “People who know finance are aware of administrators. Plus, the countries where a lot of these hacks come from have sovereign wealth funds which use third-party administrators. So hackers know this market is there and what administrators have.”

    W. Reece Hirsch, who advises third-party fund administrators as partner and co-head of the privacy and cybersecurity practice at the law firm of Morgan, Lewis & Bockius LLP, San Francisco, said while cybersecurity concerns reflect a trend across all industries, “it's particularly true for financial vendors. They're handling large volumes of data, and often the legal responsibility for that data remains with the financial institution.”

    Hackers looking at fund administrators could be working alone, but sources said that, increasingly, many are in criminal rings or work as agents for countries that have their own motivations for cybercrime.

    “If you look at the transition in cybersecurity in the last five years, previously cybercriminals were interested in a specific target,” such as Social Security or credit card account numbers, said Ben Carr, technical director of security strategy, Americas, at Tenable Network Security Inc., a Columbia, Md.-based cybersecurity software developer. “Now it's the monetization of the data that was hacked. First it was ransomware, then it transitioned to criminal organizations that were looking to monetize. It's become a longer-term intellectual property play, both by criminal groups and by states like North Korea.”

    Earlier this month, cybersecurity company FireEye Inc., Milpitas, Calif., and the Securities and Exchange Commission warned of an email phishing campaign against employees tasked with filing 10-Ks and other documents with the SEC. FireEye said the scheme involved emails purporting to be from the SEC, sent to filers whose names were on previous 10-Ks and containing a link to an updated 10-K form; the link instead would download malware that could obtain confidential information from the filer's employer.

    “For the fund business sector, if a system gets compromised and you can't execute trades or respond to margin calls, you may have some losses or, in the worst case, go out of business,” said Lisa McLaughlin, vice president, corporate security and data integrity, SS&C Technologies Holdings Inc., Windsor, Conn. SS&C provides software for third-party administration and also operates its own fund administration business.

    SS&C takes a “risk-based approach” to cybersecurity, Ms. McLaughlin said, an approach echoed by others interviewed for this story. “To protect the client, any information held is in a risk-assessment structure. Any assets that are exposed to risk, we mitigate that risk.”

    Part of that risk assessment is to remain proactive rather than reactive to cyber threats, and Ms. McLaughlin said that includes monitoring media reports of cyber breaches in all kinds of industries, not just financial services.

    “Media reports are vital” to remain proactive in gauging the risk to security protocols in place, she said. “Prediction is part of assessing risk.”

    As hackers have targeted people as the weakest link in data security, Ms. McLaughlin said administrators have targeted the education of employees to avoid the inadvertent click on a link that could send information pouring out to criminals.

    Phishing 'school'

    SS&C's phishing education programs were launched more than 10 years ago, Ms. McLaughlin said. “We do a new program every year. We have an intelligent line of defense every day. It's a layered, defense-and-depth approach taken from the military, a deep defense that's several layers into our system.”

    She said it incorporates state-of-the-art cybersecurity approaches but also bases its framework on International Organization for Standardization guidelines “going back to the 1940s” as well as criteria from the 2002 Federal Information Security Management Act, a framework for protecting all U.S. government operations, information and assets; Payment Card Industry Security Standards, which sets rules and standards for all credit and debit card transactions; and the National Institute of Standards and Technology's voluntary cybersecurity framework to help organizations manage cybersecurity risk.

    “It's not just firewalls and software,” said Mr. Burhance of NewOak. “It's the human element, which is the single biggest threat in cybersecurity. Firms have taken on more secure email measures, with user registration and a second identity or password confirmation. ... It's no surprise managers are more aggressive in monitoring and requiring standards be set for their administrators.”

    From the perspective of an alternatives manager, the cybersecurity of its third-party vendors “is critical,” said Dennis McCrary, managing director at private equity manager Pantheon (US) LLC, Chicago. “Everyone's looking at both third-party administrators and our work in general. When we look for a third-party administrator, (cybersecurity) would be at the top of our list.” While Pantheon performs some of its back-office functions internally, it has outsourced some administration to State Street Alternative Investment Solutions.

    Added Morgan Lewis' Mr. Hirsch: “We're seeing more managers requiring incidence response plans from their vendors and will reject those administrators that don't have them. Some may be satisfied with basic due diligence. The level of rigor (by managers) varies, but the definite trend is to (have) more formal written programs and audits of cybersecurity procedures. In the financial services sector, you're dealing with sensitive information that can be exploited. They have Social Security numbers, account information.”

    More cyberinsurance

    Third-party administrators also have boosted use of cyberinsurance, said Mr. Burhance at NewOak, who also is on the board of CyberFortis, a cybersecurity firm. “Managers want administrators to have (cyber insurance),” Mr. Burhance said. “Also, managers absolutely have control of the review and testing of cybersecurity needs. Threats change on a daily, weekly, monthly basis. Administrators are required to have a cyber risk policy. ... There are all different points of vulnerability with complex operations.”

    While managers are concerned about third-party administrator security, Mr. Burhance doesn't think managers will decide to take more back-office functions in-house. “It would take a lot to bring these activities in-house,” he said. “That said, if they can't find suitable firms that can guard their operations, then sure, it might revert back. But using third-party administrators isn't just about saving money. You need that outside source for compliance and verification. Think back to what happened with Madoff. No one would want a manager to have all the data without having someone outside to monitor.”

    Pensions & Investments
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.