This article is sponsored by Sanne Group.
How have the events of the past 12 months impacted cyber risk for fund managers and their portfolios?
Marie Measures: The pandemic has not necessarily introduced new risks, but it has changed the dynamics for different risk types. Criminals have been taking advantage of the fact that people round the globe have been working from home during the pandemic, which has shifted the primary means of communication and interaction to be electronic for most businesses. With so many instructions being sent over email, for example, it is now much more likely that advanced phishing attacks will be aimed at staff. We have seen those attacks grow significantly in the last 12 months. We have also seen a higher number of account takeovers, where we are able to use our tools to let people in our supply chain know we think their accounts have been compromised.
Jason Bingham: From a fund manager perspective, the focus is on reputational risk – the concern is that if they are exposed to cyber issues their clients will take their business elsewhere. Large investors are very conscious of this and are keen to understand our ability to handle their data responsibly.
Fund managers have a lot of high-value intellectual property, or intellectual property owned by their portfolio companies, so they are prime targets for things like ransomware. They are also exposed to risk around access to personal investor details, where we are seeing an increase in cyber threats such as social engineering, trying to get access by what appears to be a straightforward email.
MM: Like us, we have seen fund managers take cyber threats seriously. We have seen an increase in client due diligence questionnaires which are focusing more on cyber controls – the volume has gone up tenfold in the last 12 months. There is a much greater focus on cybersecurity, data privacy and protection, setting out their new requirements, which with our existing cyber governance we are able to meet.
JB: It really does depend on the sophistication of the fund manager. Some of the smaller managers we are having conversations with are looking to us to support them as opposed to talking to us about what they would like us to be doing.
How can cyber risks be mitigated and what investments should firms be making in talent to support this?
MM: One of the most dangerous things you can do is focus on technology and tooling exclusively. It is easier in other industries where you have defined parameters around data, such as in banking where you use a 16-digit account number. That is not how we work; we are sharing data with clients all the time, so we have to look at the human layer as being as important as the tools.
We have invested heavily in this area – we are spending four times the amount of money on technology today than we were four years ago, with lots of focus on rearchitecting what we do from a resilience and operational efficiency perspective. We are moving into the next generation of tooling, using machine learning, artificial intelligence and predictive analytics to stay ahead of the threats. We have also invested in upskilling staff. All our staff have been trained to recognise phishing emails and signs of social engineering, and they understand the rules around data and what they can and cannot do. It is about taking a holistic approach and using everybody in the organisation to stay safe.
JB: The training has had a profound impact on staff, to the point where they are overly cautious on certain things, which is great. With so much email interaction, the hackers know we are busy and target investment firms where they know there is a lot going on. We see evidence of increased criminal activity at month-end and quarter-end when we are under the most pressure.
It is about culture and making sure that when people get it wrong you identify the gaps in learning. This is an evolving beast, and you need to continue to train staff to raise awareness of the threats.
What additional reporting and governance requirements should firms be aware of in this area?
MM: Regulators are focusing more on cyber and operational resilience – we have over 20 jurisdictions each with regulators that we deal with across the whole group, and most of them now have a position on cloud computing, which is seen as outsourcing, and what they would expect. We are seeing regular audits from our regulators, as well as our own external audits, focusing on controls we have in place to keep data safe. There is also increasing guidance coming out, most recently in Guernsey, Luxembourg and Singapore.
There are slight differences across jurisdictions when it comes to data and data privacy, though most organisations are using the General Data Protection Regulation as guidance even if they are not in Europe, with more stringent application of those guidelines in some markets. Ireland takes a particularly strong stance on GDPR, having administered a few fines.
What are you seeing in terms of fintech solutions to aid cyber risk mitigation, and what are the latest trends and developments that PE firms need to watch?
MM: It is about the adaptability of the toolkit. Criminals are getting to know the tools as fast as businesses are adopting them. For example, recently in the news there have been attacks against SolarWinds, a popular monitoring solution used across the industry, which had vulnerabilities, and MS Exchange, which most companies use for email. Criminals are learning those vulnerabilities and quickly exploiting them. Whereas before, the discovery of a vulnerability usually required a patch of systems within 30 days, now that must be done immediately. It is about having the capability to scan your landscape and understand where there are risks so that you can address them, because you cannot assume you can prevent everything. You must assume you will be exploited and be able to respond as quickly as possible.
That is why we are looking at tooling that employs machine learning and artificial intelligence, so that it is constantly learning and adapting. For instance, our staff are training the tool we use for phishing detection all the time, highlighting whether something is a phishing email or not, so it is getting better and better at filtering them.
JB: We expect the security services segment to see increased M&A activity going forward, and it will be of growing interest to private equity. We will probably see big surges in cybersecurity venture capital investing. When you think about the growth in technology adoption during the pandemic, it is easy to see that the focus on cybersecurity will now intensify, creating a huge opportunity for investors.
What additional risks are created as a result of Big Data, cloud-based operations and the move to remote working?
MM: Big Data means you are bringing data together in one location, which makes it easier to manage, but also increases the threat from cyber criminals as they could access large volumes of data. The fact that all the data is in one location makes it easier for cyber criminals as they do not have to identify and overcome individual components in siloed infrastructure as was the case in the past. That said, taking such a high volume of data is much more difficult – it can take days and weeks to transmit over network links so it is not something somebody can just log in and take easily, undetected in one go.
Big Data also opens up internal risks, because all the data is in one location and staff want access to help them do their jobs. You need to focus heavily on user access controls. The value of data goes up enormously once you bring it together, as does the risk. Ransomware attacks become more viable because attackers can access the data in one location and block it.
Cloud presents both risk and opportunity when it comes to cybersecurity. You are putting data and assets into somebody else’s data centre, so you need to think about the shared responsibility model, that is who is accountable for what controls. However, the scalability and pay-as-you-go model of cloud-based operations means smaller businesses now have access to security solutions that they would not have been able to afford otherwise in their own data centres.
Finally, working from home means you need to think about a different security model. In an office, you can protect data and assets like a fortress, putting security around it like you would around a castle, with outer walls, a moat and inner walls. As we move to working from home and introduce the cloud, we are breaking holes in the walls and weakening the fortress, so we must think differently about how we prevent people getting access to or downloading data onto their own devices.
JB: Big Data requires controls around user access. The risk is that you do not get that right and you potentially inhibit some of the commercial spirit of the organisation when people that you want to be able to use data to make quick decisions cannot access it. It is a trade-off that you must get right by understanding your decision-makers and what they need, without opening yourself up to risk.