The WannaCry ransomware attack, which struck hundreds of thousands of computers in more than 150 countries in mid-May, is the latest and most dramatic reminder of the cybersecurity threats that plague businesses, individuals and government/non-profit organizations with great regularity.
Investment managers are at particular risk of cybersecurity threats, not only because of their access to large pools of assets, but also because they often depend heavily on networks of third-party partners — including prime brokers, outsourced information technology firms, consultants, and providers of risk management research, cash management, portfolio optimization and fund administration services — over whose systems and processes they have no control. As the Securities and Exchange Commission noted in a 2015 Guidance Update: "Service providers may be given limited access to a fund's technology systems that may inadvertently enable unauthorized access to data held by the fund. Funds, as well as advisers, may wish to consider reviewing their contracts with their service providers to determine whether they sufficiently address technology issues and related responsibilities in the case of a cyberattack."
It is vital for investment managers to identify and avoid exposure to cybersecurity weaknesses within these "ecosystems" of outside service providers — and to have the assurance that all participants in the partner network are equally secure.