Institutional investors' due diligence of money managers, in particular, has evolved to include more specific questions about firms' cybersecurity practices and controls, said Andrew Borowiec, executive director of the Investment Management Due Diligence Association, New York.
The Securities and Exchange Commission also is making cybersecurity one of its examination priorities for 2019, the agency announced in late December.
Asset owners want to know specifics, such as who has access to sensitive data and the controls in place for security at managers, Mr. Borowiec said in a December phone interview.
"One of the things we're seeing is institutional investors are asking money managers more about how they are training their people because you can have the best technology in the world, but if someone clicks on the wrong link, it's tough to guard against that."
The SEC's exams will focus on information security governance, among other areas, and its office of compliance inspections and examinations will continue to examine the cybersecurity practices, governance and risk assessments, access rights and controls, data loss prevention, training and incident response efforts of investment advisers, a category that includes asset managers, the agency said in its report on 2019 exam priorities.
In September, Voya Financial Advisors Inc., Des Moines, agreed to pay $1 million to settle SEC claims related to its failures in cybersecurity policies and procedures. Intruders allegedly "impersonated VFA contractors over a six-day period in 2016 by calling VFA's support line and requesting that the contractors' passwords be reset," the SEC said in an announcement at the time.
The intruders allegedly used the newly reset passwords to gain access to the personal information of 5,600 VFA customers. They then used that data to create new online customer profiles, which in turn gave them unauthorized access to account documents for three customers, the SEC announcement stated.
Voya did not admit to or deny the SEC's findings.
Business email compromise and social engineering attacks "continue to be one of the leading methods used to target the asset and wealth management industry," Ertem Osmanoglu, a New York-based principal in the cybersecurity and privacy practice at PricewaterhouseCoopers, said in an email.
Social engineering attacks manipulate people rather than systems, exploiting human error or routine human interactions to obtain access, as in the alleged VFA incident, where the support line itself was talked into resetting the passwords.
Citing PwC's 2018 Digital Trust Insights survey, Mr. Osmanoglu added that "among investment management respondents, concerns about phishing and social engineering increased 40% and concerns about cybercriminals increased 52% during the last year."
"The human element and the high-touch and high-trust nature of these businesses create process gaps. Many of these attacks can be prevented by training personnel and establishing layers of defense through well-coordinated authentication, verification and monitoring processes.
"Companies should perform an end-to-end review of their critical business processes to make sure these layers of controls are embedded in them and employees are trained to detect deviations in processes," Mr. Osmanoglu wrote.
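The VFA sequence described above (help-desk password resets obtained by phone over several days, then logins and the creation of new customer profiles) and Mr. Osmanoglu's point that monitoring should sit on top of authentication and verification together suggest what the monitoring layer looks like in practice. The following is an added example, not code from the article, the SEC or any firm named here: it runs three correlation rules over a constructed event log, flagging a caller who obtains resets for several accounts in a short window, a post-reset login from a source never seen for that account, and customer-record actions shortly after a reset. The event fields, the assumption that the help desk records the caller's number, and the thresholds and windows are all illustrative choices, not anything the article specifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real VFA data). In practice these would be
# joined from the ticketing system (help-desk resets), the identity provider
# (logins) and the application audit log (customer-record actions).
EVENTS = [
    # three contractor accounts reset via the phone line on consecutive days,
    # each followed by a login from an address the account has never used
    {"ts": "2016-04-01T09:12:00", "type": "helpdesk_reset", "account": "contractor01", "source": "+1-555-0100"},
    {"ts": "2016-04-01T09:40:00", "type": "login", "account": "contractor01", "source": "203.0.113.7"},
    {"ts": "2016-04-01T10:05:00", "type": "profile_create", "account": "contractor01", "source": "203.0.113.7"},
    {"ts": "2016-04-02T11:30:00", "type": "helpdesk_reset", "account": "contractor02", "source": "+1-555-0100"},
    {"ts": "2016-04-02T12:02:00", "type": "login", "account": "contractor02", "source": "203.0.113.7"},
    {"ts": "2016-04-03T08:15:00", "type": "helpdesk_reset", "account": "contractor03", "source": "+1-555-0100"},
    {"ts": "2016-04-03T08:50:00", "type": "login", "account": "contractor03", "source": "203.0.113.9"},
    # benign baseline: an advisor with prior history resets and logs in from the usual office address
    {"ts": "2016-03-20T08:00:00", "type": "login", "account": "advisor07", "source": "198.51.100.4"},
    {"ts": "2016-04-02T09:00:00", "type": "helpdesk_reset", "account": "advisor07", "source": "+1-555-0177"},
    {"ts": "2016-04-02T09:20:00", "type": "login", "account": "advisor07", "source": "198.51.100.4"},
]


def parse(raw_events):
    """Convert timestamps to datetime and return the events in chronological order."""
    events = []
    for e in raw_events:
        d = dict(e)
        d["ts"] = datetime.fromisoformat(e["ts"])
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def reset_bursts(events, window=timedelta(days=7), threshold=3):
    """Flag a caller number that obtained help-desk resets for >= threshold distinct
    accounts within `window`. Assumes the help desk logs the caller's number."""
    by_caller = defaultdict(list)
    for e in events:
        if e["type"] == "helpdesk_reset":
            by_caller[e["source"]].append(e)
    findings = []
    for caller, resets in by_caller.items():
        for i, first in enumerate(resets):          # sliding window over this caller's resets
            in_window = [r for r in resets[i:] if r["ts"] - first["ts"] <= window]
            accounts = sorted({r["account"] for r in in_window})
            if len(accounts) >= threshold:
                findings.append((caller, tuple(accounts)))
                break                               # one finding per caller is enough
    return findings


def reset_then_new_source(events, window=timedelta(hours=24)):
    """Flag the first login after a help-desk reset that comes from a source
    the account had never used before the reset."""
    seen = defaultdict(set)   # account -> sources observed so far (events are time-ordered)
    pending = {}              # account -> time of its most recent help-desk reset
    findings = []
    for e in events:
        acct = e["account"]
        if e["type"] == "helpdesk_reset":
            pending[acct] = e["ts"]
        elif e["type"] == "login":
            t_reset = pending.get(acct)
            if t_reset is not None and e["ts"] - t_reset <= window and e["source"] not in seen[acct]:
                findings.append((acct, e["source"]))
            seen[acct].add(e["source"])           # record after the check, so the new source trips once
    return findings


def post_reset_record_actions(events, window=timedelta(hours=48)):
    """Flag customer-record actions (here: profile creation) performed by an
    account within `window` of its help-desk reset."""
    last_reset = {}
    findings = []
    for e in events:
        if e["type"] == "helpdesk_reset":
            last_reset[e["account"]] = e["ts"]
        elif e["type"] == "profile_create":
            t = last_reset.get(e["account"])
            if t is not None and e["ts"] - t <= window:
                findings.append((e["account"], e["type"], e["ts"].isoformat()))
    return findings


def run_detections(raw_events=EVENTS):
    """Run all three rules and return their findings keyed by rule name."""
    events = parse(raw_events)
    return {
        "reset_burst": reset_bursts(events),
        "new_source_login": reset_then_new_source(events),
        "post_reset_action": post_reset_record_actions(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(rule, hits)
```

Against the constructed log, the burst rule attributes all three contractor resets to one caller, the new-source rule fires for each contractor login and stays quiet for the advisor who returns from a known address, and the record-action rule catches the profile created within an hour of the first reset. An account with no login history before its reset will always trip the new-source rule; that is deliberate, since a phone-initiated reset on a dormant account is exactly the kind of event a verification step should have caught. The burst rule is only as good as the help desk's record-keeping: if the caller's number is not logged, the same clustering can be done on the agent or channel that handled the request.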