The money management sector needs to work together to detect, respond to and recover from cyberattacks, said the Investment Association and KPMG.
The IA launched a report with KPMG Tuesday at the industry representative body's inaugural Cyber Security Conference for Asset Management.
The IA has also launched a cybersecurity committee, which will work with firms, regulators and public authorities to develop cybersecurity guidance.
The report addressed four areas: the cybersecurity threat landscape; building a cyber-resilient business; collaborative action; and future technology disruptors.
Cyberattacks are most likely to come from organized crime groups "or from a malicious insider," said the report. It warned that risks can materialize from across the entire value chain on a money manager, highlighting particular risks around theft of client data and payment. The report also warned of risks to client data processed by third parties, such as custodian banks, and said the use of cloud computing providers needs to be "carefully managed."
Money managers can take a number of key actions to help build a cyber-resilient business, including full engagement and understanding from a firm's board of directors, and the establishment of clear accountability for action. "It is vital to map the cybersecurity risks facing the business, (and) check whether the current cybersecurity capabilities deal with those risks and agree (with) the organization's cybersecurity risk appetite and tolerance levels," said the report. Firms should have the technical ability and processes in place to detect, respond to and recover from incidents. "But most importantly of all, employees should be educated around cybersecurity risks and good behaviors," it said.
The IA and KPMG also called for collaborative action among money management firms, working as a community to benefit from economies of scale and the sharing of expertise. "By sharing threat intelligence, collaborating to create solutions and working together on response and recovery best practices, we can help everyone improve," said the report.
The final area of focus in the report, future technology disruptors, addressed the speed at which technology is transforming money management, which is in turn adding "an interesting new dimension to the cybersecurity-risk landscape." The report highlighted artificial intelligence and blockchain as examples of how "the industry is becoming increasingly dependent on technology at the core of its business. This creates fantastic ways for asset managers to differentiate their business, grow revenues and increase profits but also creates opportunities for cybercriminals."
Chris Cummings, CEO of the IA, said in a statement: "The asset management sector is prioritizing cyberdefense, mitigation and resilience to develop a corporate culture that embraces cybersecurity at its heart. Technology is transforming our industry at a speed and scale never seen before, with criminals also becoming more creative in how they attack financial systems."
Added Matthew Martindale, partner and investment management cybersecurity lead at KPMG U.K.: "Asset managers exist to protect clients' assets and that no longer means just making a return. Protecting clients' money and data in a digital world is a challenge — more tech means more cybercrime — and the consequences of getting it wrong will be severe."
The IA represents managers with £6.9 trillion ($9.5 trillion) in assets under management.