bfinance insight from:

Matt Siddick
Senior Director, Operational Risk Solutions

The profoundly altered work environment ushered in by COVID-19 has created new avenues for cyber-attacks—including collaboration tools, videoconferencing solutions, devices and cloud-based applications. Recent Operational Due Diligence (ODD) assessments show asset managers falling short on managing the risks.

While investment management firms rightly prioritised maintaining their services during the initial phase of the pandemic, investors must now scrutinise whether the infrastructure that enabled business continuity is sufficiently robust going forward. ODD assessments through 2021 and beyond reveal managers, including well-established firms, whose cyber risk frameworks lack some of the most basic tenets of good practice, such as multi-factor authentication, penetration testing (simulated attacks) and restrictions on removable media. Even where an asset manager's own cyber defences are robust, vulnerabilities can be introduced through the myriad suppliers that support middle and back-office processes, execution capabilities and IT infrastructure.

A series of notable breaches have produced eye-catching headlines over the past 18 months, such as the ‘Fake Zoom’ hack of Australian hedge fund Levitas Capital and the ransomware attack against a vendor of SEI Investments Co., which impacted PIMCO, Fortress and other clients. According to the Accenture State of Cybersecurity Resilience 2021 report, the number of cyber-attacks has increased by more than 30% in 2021, illustrating the fertile hunting ground that COVID-19 has created. Meanwhile, cyber threat actors are more prolific and sophisticated than ever: many of the traditional tools used by cyber criminals have now become commoditised and are openly offered for sale on the internet, and new methods of attack are continually emerging. Investment managers are particularly attractive targets for a range of cyber threats, given that they routinely transfer large sums of money during daily business activities.

What are the key issues that investors should scrutinise—especially in light of today’s evolving business practices? This article highlights six crucial themes to consider during manager due diligence and monitoring for 2022 and beyond.

1: Elevated ‘remote access’ risks

Many asset managers have staff accessing networks remotely over Virtual Private Network (VPN) connections. This is a relatively low-cost and effective solution, particularly when strengthened with multi-factor authentication (MFA). However, a VPN extends the corporate network to whatever endpoint makes the connection, so it exposes managers to risk wherever the organisation does not or cannot 'harden' that endpoint, for example by ensuring that all security patches and anti-virus updates have been applied to an employee-owned computer. Even where MFA is used, VPN access can still lead to data breaches in the absence of appropriate controls; employees, for instance, may copy information locally to their devices, where it is no longer protected by corporate controls.

A potentially safer approach, albeit one with more complexity and likely greater cost, is a Virtual Desktop Infrastructure (VDI) architecture. With VDI, employees work on a virtual machine hosted in the firm's data centres and only screen output travels to the endpoint, so the manager can enforce its own patching, anti-virus and access requirements centrally and restrict clipboard and file transfer to prevent information from leaving the corporate network perimeter. The endpoint still matters: a compromised device can capture credentials or screen contents, so MFA and a managed or hardened client remain necessary.

2: Broader universe of networked devices

In recent years we have seen rapid growth in the number and variety of devices, aside from company computers, that connect to corporate networks. As well as printers (which received significant attention after HP issued patches for vulnerabilities, discovered by F-Secure, in more than 150 printer models) and phones, staff are now increasingly making use of cameras, collaboration tools and videoconferencing-related hardware. Zscaler recently reported a 700% year-on-year increase in malware specifically targeting the 'Internet of Things' (IoT). If not properly secured and hardened, by changing default passwords and applying pro-active patch management, these devices represent potential attack vectors for cyber criminals to reach sensitive data and applications. Yet many of these devices are not managed in the same way as a laptop or desktop: traditional endpoint protection agents cannot be installed on them and so provide no visibility into their behaviour, making it important for managers to employ network-level monitoring and analytics to inventory such devices and surface their vulnerabilities.

3: Growing network of service providers

There is an ongoing trend among asset managers towards using a larger network of third-party vendors for a range of services, including those providing middle and back-office processes and supporting execution capabilities. Yet vendors also represent a back door for attackers; asset managers should pay close attention to the cyber security practices of their service providers and carry out a thorough assessment of all supply chains created through outsourcing, both during the initial implementation and on an ongoing basis.

4: The shift towards cloud-based solutions

Continuing the subject of third-party service providers, the pandemic era has helped to drive the increasingly widespread adoption of cloud-based services, an outsourcing decision which can increase the flexibility and efficiency of a manager's operating environment but which also exposes organisations to new attack surfaces. Whilst cloud computing has revolutionised the way in which many asset managers design their IT infrastructure, it has also undermined conventional approaches to cyber defence based around a 'network perimeter'.

The transition towards cloud computing is a particularly challenging step: misconfigured cloud deployments, for instance, represent one of the most common initial compromise vectors in data breaches (IBM, Cost of a Data Breach Report 2020). Many asset managers, particularly smaller firms which lack dedicated IT security professionals, have not undertaken critical risk mitigation to reduce these vulnerabilities, such as engaging an independent specialist to conduct a security configuration assessment of their cloud implementation.
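To make "security configuration assessment" concrete, the following added example (not from the bfinance article, which names no cloud provider) audits a storage bucket policy for grants to anonymous principals, the misconfiguration behind most public-bucket breaches. It assumes the AWS S3 bucket-policy JSON format; the weak policy, the hardened policy, the bucket name and the account ID are constructed for illustration.

```python
"""Flag bucket-policy statements that grant access to anonymous principals.

Added example. Assumes AWS S3 bucket-policy JSON; the two policies below are
constructed for illustration and do not describe any real deployment.
"""
import json

# Constructed weak policy: anonymous read and list on the whole bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-fund-reports",
                     "arn:aws:s3:::example-fund-reports/*"],
    }],
})

# Constructed hardened policy: one named role may read; plaintext transport is denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportsReaderOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-fund-reports/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-fund-reports",
                         "arn:aws:s3:::example-fund-reports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Condition keys that genuinely narrow *who* can call; anything else (e.g. a
# TLS-only condition) leaves the grant open to the world.
NARROWING_KEYS = {"aws:sourceip", "aws:sourcevpc", "aws:sourcevpce", "aws:principalorgid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _narrows_caller(condition):
    """True if the Condition restricts the source network or organisation."""
    for operator, key_values in condition.items():
        if operator.lower().startswith("not"):
            continue  # NotIpAddress etc. exclude a few callers; they do not narrow
        if any(k.lower() in NARROWING_KEYS for k in key_values):
            return True
    return False


def find_public_grants(policy_json):
    """Return Sids of Allow statements open to anonymous principals without a
    condition that narrows the caller. Deny statements are skipped: they only
    ever reduce access, so a Deny with Principal "*" is not a finding."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if _narrows_caller(stmt.get("Condition", {})):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public grants:", find_public_grants(policy))
```

The check is deliberately conservative about conditions: a statement that is anonymous but limited to a corporate IP range or VPC endpoint is not flagged, while one that merely demands TLS still is, because requiring encryption in transit does nothing to restrict who may read. A real assessment would run this over every bucket in the account and also confirm the account-level public-access block is enabled, which a policy audit alone cannot show.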

5: Business email compromise

Business email compromise has long been, and remains, one of the most prevalent sources of cyber risk. The dangers are elevated in private markets strategies, where transaction processes are typically manual in nature and therefore more exposed to human error engineered by threat actors. We have observed this threat in action in the case of a private markets manager whose finance team wired more than a million dollars to the account of a fraudulent actor, an error which was traced back to the compromise of a legal firm involved in the transaction process. Note that in such cases the instruction arrives from a genuine counterparty address, so checks on the sender alone do not catch it; a strong cyber security training programme and disciplined processes for authorising transactions, including out-of-band verification of any change to payment details and dual authorisation of large payments, are what reduce the human errors generated by phishing and social engineering.
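The following added example (not from the bfinance article) encodes the authorisation discipline described above as a pre-payment gate: the beneficiary's bank details must match a record previously verified by callback, any change is treated as unverified, large payments need two approvers other than the requester, and the sending domain is compared with a list of known counterparties. The beneficiary registry, the trusted domains, the IBANs and the payment instructions are all constructed for illustration.

```python
"""Gate outbound payments on verified beneficiary details and dual authorisation.

Added example. The registry, trusted domains and instructions below are
constructed; the IBANs are illustrative strings, not real accounts.
"""
from dataclasses import dataclass, field

# Constructed list of counterparty email domains the finance team deals with.
TRUSTED_COUNTERPARTY_DOMAINS = {"example-law-llp.com", "exampleadmin.co.uk"}


@dataclass(frozen=True)
class Beneficiary:
    name: str
    iban: str
    verified_by_callback: bool  # details confirmed by phone to a pre-registered number


# Constructed registry of beneficiaries whose bank details were verified out-of-band.
REGISTRY = {
    "Example Law LLP": Beneficiary("Example Law LLP", "GB29NWBK60161331926819", True),
}


@dataclass
class PaymentInstruction:
    beneficiary_name: str
    iban: str
    amount: float
    requested_by: str           # staff member who keyed the payment
    sender_email: str           # address the instruction arrived from
    approvers: list = field(default_factory=list)


def sender_domain_is_trusted(sender_email):
    """Exact match against known counterparty domains, so lookalikes such as
    'example-law-llp.co' or 'examp1e-law-llp.com' fail."""
    return sender_email.rsplit("@", 1)[-1].lower() in TRUSTED_COUNTERPARTY_DOMAINS


def review_payment(instr, registry=REGISTRY, large_amount=100_000.0, min_approvers=2):
    """Return the list of blocking reasons; an empty list means the payment may proceed."""
    reasons = []
    if not sender_domain_is_trusted(instr.sender_email):
        reasons.append("instruction from unrecognised sender domain")

    known = registry.get(instr.beneficiary_name)
    if known is None:
        reasons.append("beneficiary not in verified registry")
    elif instr.iban != known.iban:
        # The classic BEC play is 'our bank details have changed'. A changed
        # account is unverified until confirmed by callback to a known number,
        # regardless of how genuine the email looks.
        reasons.append("bank details differ from verified record; callback required")
    elif not known.verified_by_callback:
        reasons.append("beneficiary never verified out-of-band")

    # Requester cannot approve their own payment; large amounts need two others.
    distinct_approvers = {a for a in instr.approvers if a != instr.requested_by}
    if instr.amount >= large_amount and len(distinct_approvers) < min_approvers:
        reasons.append(f"{min_approvers} approvers other than the requester required")
    return reasons


if __name__ == "__main__":
    # Constructed scenario mirroring the article: a genuine but compromised
    # law-firm mailbox sends 'updated' bank details for a closing payment.
    changed = PaymentInstruction("Example Law LLP", "GB94BARC10201530093459",
                                 1_200_000.0, "alice",
                                 "partner@example-law-llp.com", ["bob", "carol"])
    print(review_payment(changed))
```

In the constructed scenario the sender-domain check passes, because the mailbox really belongs to the law firm; only the mismatch against the previously verified IBAN stops the payment. That is the point of anchoring the control on independently verified beneficiary data rather than on the apparent authenticity of the email.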

6: Cyber risk as investment risk

Portfolio managers must also be able to understand the cyber vulnerabilities of the underlying assets and companies in which they invest. This is particularly pressing for asset managers in private markets, where portfolios tend to be more concentrated and acquisition targets may be less mature. The value proposition of an apparently compelling investment opportunity can be completely eroded by the impact of a data breach, which can result in regulatory fines (including fines for GDPR breaches), theft of intellectual property, paralysis of business operations, reputational damage and reduction in asset valuation. It is imperative that asset managers, and private markets managers in particular, conduct thorough cyber threat assessments to identify security weaknesses as part of their due diligence process and continue monitoring after acquisition. In many instances, managers outsource this type of assessment to a specialist third party.

Conclusion: demanding cyber hygiene ‘best practice’

It is of critical importance to investors that asset managers get the basics right, such as adopting attack surface reduction strategies (vulnerability scanning, pro-active patch management, security configuration assessments, penetration testing) and implementing effective programmes to reduce the potential for human error (ongoing cyber risk training, phishing simulations). Shortcomings on these basic points persist, and related risks have likely been exacerbated by the shifting threat landscape of the last two years.

Moreover, managers should go further in seeking to deliver best practice, and investors should come to expect it. Over time, we will increasingly expect managers to take a zero-trust approach to network security, extending the notion of 'least privilege access' (traditionally applied to human users of a network) to cover all devices, applications and endpoints, and requiring continuous identity verification rather than trust based on network location. Further, we envisage more widespread implementation of automated threat detection and response systems; many firms now employ tools driven by artificial intelligence and machine learning technologies for this purpose. We also anticipate that asset managers will make greater use of data loss prevention solutions, which have become increasingly widely recognised for their risk mitigation capabilities.

In today’s world, a robust cyber risk posture is not a formality to be glanced over—it is a necessity to be handled with care.

Important Notices

This commentary is for institutional investors classified as Professional Clients as per FCA handbook rules COBS 3.5R. It does not constitute investment research, a financial promotion or a recommendation of any instrument, strategy or provider. The accuracy of information obtained from third parties has not been independently verified. Opinions not guarantees: the findings and opinions expressed herein are the intellectual property of bfinance and are subject to change; they are not intended to convey any guarantees as to the future performance of the investment products, asset classes, or capital markets discussed. The value of investments can go down as well as up.