The WannaCry cyber-attack that struck Britain’s National Health Service, Telefónica and Renault, among others, was billed by many around the world as a “wake-up call”. For too long, commentators said, the business community and investors had been overly complacent about cybersecurity warnings, despite many listing the threat as one of their main concerns in recent years.
The threat, or at least awareness of the threat and its consequences, has certainly been growing in recent years. In the UK alone, the country’s Financial Conduct Authority documented how in 2014 it received just five reports of cyber-attacks from the 56,000 firms it regulates. This figure increased to 27 in 2015 and to 89 last year, indicating a rise in reporting and in attacks.
Attacks have also become more large-scale and ambitious. If malicious hackers were to gain control of power stations, telecoms units and airports, lives could be put at risk as operators scramble to remedy the situation. But what are the risks at fund level? A wealth of information can be accessed in the event of a cyber-attack, but what would be at stake for both managers and their investors?
Data not assets
While ‘assets’ and ‘funds under management’ are the terms most often used when measuring the size of a fund manager, perhaps a more accurate description in this sense would focus on ‘data under management’. Secure and sensitive information in a personal and a commercial sense about LPs is often held by funds, while performance information, specific asset data and either ongoing or planned company moves will also be at risk in the event of a cyber-attack.
“[At stake is] the loss of commercially sensitive information. For instance, M&A activity, information around portfolio companies or their strategy,” says Peter Johnson, senior vice-president and UK cyber-advisory lead at insurance and risk management firm Marsh. “If that was to get out, it could not only have a financial impact on the value of the assets themselves, but also have reputational damage for the fund itself.”
The risks and the outcomes will largely depend on the motives of the attacker, which range from those looking to extort, those seeking information for personal gain and disgruntled employees or former employees. Recent examples seen elsewhere of state-sponsored attacks also cannot be discounted at fund level.
“An attack effectively enables somebody to have an insider trading position,” Johnson continues. “There are many different permutations.”
The loss, or just the unauthorized access of such data, is high among the worries of global institutional investors. In a survey last year, conducted by the US-based investment association CFA Institute, 45 percent of the 502 institutional investors surveyed highlighted a data or confidentiality breach as among the top five reasons they would withdraw from an investment firm. This ranked only below concerns over underperformance and an increase in fees but above issues such as a lack of communication and regulatory sanctions. In other words, investors will not tolerate those that are – or even perceived as – lax with their cybersecurity efforts. For fund managers, the threat is real.
Face the consequences
While issues surrounding data losses and confidentiality should not be treated lightly, the name of the game remains a financial one. So, when US-listed fund administration company SS&C Technologies last year released $6 million from the accounts of its commodities fund client Tillage Fund to what appeared to be representatives of Tillage, but were actually hackers from China, the fund was understandably furious and had to suspend its business. It launched legal action seeking $10 million in damages and accused the fund administrator of failing “to exercise even a modicum of care and responsibility in connection with known and obvious cybersecurity threats”, an allegation SS&C denied.
“One thing we have definitely seen and would encourage other fund administrators to do is to enforce call-back procedures,” says Samantha Rule, information security officer at fund administration firm Maitland. “If they receive a request for payment and perform the call-back, make sure the request is a valid one and confirm the entire transaction before making the payment.” She adds that she sees a lot more attacks from email than anywhere else, with cyber-attackers aware “the weakest part [of the system] is the human part.”
While cases such as Tillage do not always result in expensive court cases, financial authorities are beginning to add an extra layer of risk to ineffective cybersecurity measures with hefty punishments. While the US Securities Exchange Commission’s first cybersecurity ruling in 2015 only resulted in a $75,000 fine, it hit Morgan Stanley with a $1 million sanction following a data breach last year.
This pales in comparison with measures set to reach Europe in 2018 after they were approved by the European Commission. The General Data Protection Regulation will seek to impose penalties of up to €20 million for a data breach or up to 4 percent of turnover of the preceding financial year, whichever is higher. Those with their eyes off the ball when it comes to cybersecurity are now playing a high-risk game.
“If we have a look at how companies are generally looking at cybersecurity, we’re seeing their thoughts mature from ‘it’s not a problem I need to deal with’ to ‘I need to spend more money on cybersecurity’ and now they think they need to buy insurance,” says Johnson.
His colleague Martin Bennett, the managing director of the Marsh infrastructure team, continues: “There are some who are very receptive to understanding their risk and others still at quite a preliminary stage in their journey in terms of recognising there is an issue but not necessarily having tackled it to the full level of depth.”
Building the wall
However, it appears this hasn’t quite hit home for some firms just yet. In the wake of the WannaCry attack, the SEC released some damning figures – 26 percent of 75 investment management firms surveyed did not conduct periodic risk assessments of cybersecurity threats, while 57 percent did not conduct penetration tests on critical systems.
“We do a lot of user awareness training, making sure users are able to identify what a phishing attack looks like, for example,” Maitland’s Rule explains. “There are new threats arising every day. We don’t rely on one layer of defence to protect client information.”
French fund manager Antin Infrastructure Partners created an IT directors’ club across its portfolio companies that meets every quarter to share best practice. Similarly, French counterpart Ardian organizes regular meetings with its company chief executives to share opportunities and risks.
“You need to have an incident response team, so that people are trained and prepared and know what plan to follow when responding to incidents as and when they occur,” Rule advises. “Back-ups, too, are important, but education means having knowledgeable first responders who know what steps to follow, rather than allowing ransomware to run riot across a network.”
Unpreparedness is no longer an option.