Cyber security: are fund managers keeping up with regulators?
By Ben Watford
An arms race — unseen, digital and all too little understood — is raging. The UK’s chief of the defence staff, Nick Carter, recently stated that “the risk of cyber warfare with Russia is now a greater threat than terrorism”. Companies are fighting to adapt to a reality where “hacktivists”, organised crime syndicates and state-sponsored groups attack IT infrastructure, raid databases and meddle in democratic elections.
The internet was never designed to be secure; it was designed to be open. And while this open exchange, together with its network of web-enabled devices, has brought huge benefits, it has dramatically increased the attack surface. The hedge fund industry is particularly vulnerable. It is no secret that there is money in asset management and corresponding incentives for those willing to test an institution’s cyber defences.
This fact is not lost on the industry’s participants, including traders who paid for access to a hacked Bank of England audio feed, presumably hoping it would give them a competitive edge in the moments before a press conference on interest rates was broadcast. We know that this vulnerability cuts both ways, but the attacker’s motives may not always be discernible. Hacktivists driven by political or ethical causes are not necessarily interested in financial gain.
Last year’s attack on Cayman National Bank by “Phineas Fisher”, the pseudonymous figure claiming credit for the hack and publication of more than two terabytes of documents containing the details of 3,800 wealthy individuals, trusts and offshore companies, is a clear case in point. What is more, while cyber attacks have historically been associated with the theft of sensitive data, high-profile digital heists — like the theft of $81m from the Bank of Bangladesh — should alarm anyone feeling complacent about our digitised economy.
A new generation of attacks is anticipated to have a fundamental and systemic impact on financial markets and their infrastructure. Leaving aside the risk of financial loss or system failure, fund managers can ill-afford the press coverage that comes with a breach of their control systems. Managers trade on their reputation for competence and an ability to inspire trust in investors — poor cyber security calls both into question. These risks have been apparent for some time, but as financial institutions struggle to keep up with the pace of change, regulators are stepping in. In the UK, the Financial Conduct Authority covers its requirements in its principles for businesses, with further information set out in the Senior Management Arrangements, Systems and Controls Sourcebook.
The key takeaway from these documents is that basic cyber security measures are now in the rule book. There has been a particular focus on fundamental controls, because while the figures making attacks are increasingly sophisticated, many of their methods are not. Phishing emails requesting sensitive data remain one of the most effective means of breaching systems, with hacking software widely available online. Not every manager needs to be a software engineer, but good digital hygiene is a necessity: employ practical systems, make sure they are understood by their users and regularly review controls. These steps should become habitual, like brushing your teeth (or flossing).
The same close attention is vital for those outsourcing key functions. In May 2019, a UK retail bank was fined nearly £2m owing to perceived lax oversight of its outsourcing arrangements. There is no reason to expect that investment managers won’t be liable for the same harsh treatment. Of course, risk cannot be eliminated entirely and, when preventive measures fail, a real-time response is essential. In the UK, the recurrence of IT failures, the perceived risk to consumers and the threat both pose to the viability and stability of the financial system triggered a joint review by the FCA, the Prudential Regulation Authority and the Bank of England in 2018.
The signal coming from these bodies is clear: firms are expected to continue operating even if they become the target of a cyber attack. Force majeure clauses often make clients feel safer, but when it comes to cyber security, it is not enough to say that the attack was unanticipated. Cyber attacks are part of the furniture and the fund manager’s policies must reflect that. Cyber security is not something that can be fixed once, and continual improvement is fast evolving from best practice to minimum requirement. Fund managers have long been fighting to keep pace with the cyber attackers. They now need to do so under an increasingly watchful regulatory eye.