The institutional investment industry is somewhat lagging other financial service firms in the cybersecurity arena, mainly because it lacks standard regulatory guidance on the topic and there's no clear path forward.
But with cyberattacks on the rise, executives of retirement plans and money managers are beginning to catch up. They are beefing up internal security measures and working with external financial technology companies to create unique ways to keep assets and data safe.
Most institutions are only doing "the very basics" to keep data secure, said Joseph Carson, chief security scientist at Thycotic, a Washington-based cybersecurity firm. With "institutions that are heavily regulated, regulation forces them to do something about security," Mr. Carson said. However, because it's not their primary business, most institutions often take "a reactive approach to cybersecurity," focusing on their online security features only after a data breach or regulations force them to look at their security controls.
In other words, not until it's too late.
Timothy Francis, vice president business insurance, management and professional liability and enterprise lead for cyber insurance at Travelers Cos. Inc., Hartford, Conn., agreed "asset managers may be a little bit behind some of their other peer groups in terms of infrastructure" to fight cyberattacks, although he is seeing improvement.
"There's much more rigor now, but it's still not at the level it ought to be. And it's not at the level of other financial organizations," such as depositories, banks and insurance companies, he said.
Although cyberattacks are increasing in both number and intensity, many businesses are still unprepared to prevent and combat security breaches. The Global Economic Crime Survey, published by PricewaterhouseCoopers in February 2016, found at least 54% of respondents from U.S. companies experienced some type of cybercrime vs. 32% of organizations globally. Those incidents have risen since 2014, when 44% in the U.S. reported being victims of cybercrime vs. 24% globally.
However, Ernst & Young's 19th Global Information Security Survey 2016-2017, released Jan. 11, found only 22% of the 1,735 global executives, information security managers and senior information technology executives surveyed fully consider information security in their strategy and planning.
And as cyberattacks grow, so do the costs of preventing them.