The scale of the damage being inflicted on the world economy by cyber-criminals should not be underestimated. According to data from Cybersecurity Ventures, a research company, the losses incurred by cyber-crime globally are forecast to reach $10.5 trillion by 2025, up from $3 trillion in 2015. In other words, the economic costs of cyber-crime by 2025 are projected to be larger than Japan’s entire GDP. With the volume and sophistication of cyber-attacks rising exponentially, asset managers need to ensure they have processes in place to protect both themselves and their clients from such attacks.
Asset managers remain acutely vulnerable
Experts argue asset and wealth management companies – owing to their healthy AuM (assets under management) growth over the last few years – are being targeted more aggressively by opportunistic cyber-criminals. The industry is also acutely vulnerable because traditional financial institutions – principally banks and market infrastructures - are ploughing industrial amounts of resources into propping up their cyber-defences - meaning they are broadly well-protected against most threats, forcing criminal groups to look for weaknesses elsewhere. In contrast to major banks, many asset managers simply do not have deep enough pockets to invest into best-in-class cyber-security systems. Consequentially this makes investment firms a ripe target for cyber-criminals.
Cyber-attacks adopt many different guises – including DDOS (distributed denial of service), malware, ransomware, trojans, spyware, viruses, worms, keyloggers, bots and crypto-jacking. In most cases, the majority of cyber-attacks can be prevented through the adoption of best technology practices (i.e. carrying out software updates in good time; installing malware and virus protection onto work devices; using VPNs when logged onto public Wi-Fi networks; prohibiting the use of personal devices for work purposes etc.).
However, successful hacks do and will happen and no manager – irrespective of AuM size or the capabilities of their cyber-defences – is immune. As such, it is critical investment firms purchase quality cyber-insurance as this can help mitigate some of the damage (both financial and physical) from hacks. It is also essential firms have internal policies and procedures in place on what to do should there be a serious hack, and ensure these are tested on a regular basis. And finally, managers must be totally transparent with their clients (and regulators) if they do fall victim to cyber-criminals.
Humans are often the biggest weakness
One of the most common types of attack nowadays is phishing, which is both low cost and low-tech, but highly effective. Phishing can be split into several buckets – namely spear or whale phishing (targeting specific C-suite executives), vishing (when fraudsters target victims on the phone) and email phishing (i.e. the use of scam emails). With the pandemic, phishing has become increasingly ubiquitous – especially as criminals are exploiting the COVID-19 uncertainty to lure victims into revealing sensitive or proprietary information.
Accordingly, fund managers need to have mechanisms in place to reduce the likelihood of employees succumbing to these sorts of scams. Education is therefore paramount. A number of financial institutions will routinely conduct mock phishing exercises to test employees’ cyber-awareness, with any shortcomings being subsequently remedied. Such policies are vital, especially as investors and regulators want more evidence from managers that they adopt proper cyber safeguards.
Most hacks are avoidable - assuming investment firms implement basic cyber-protections and teach their staff about how to ward off phishing attempts. Unfortunately, hacks will happen, and this is unavoidable. While it is important managers adopt preventative cyber-security measures, it is equally important that they have the tools to respond to breaches as and when they occur.