Cybercriminals who target fund managers are becoming smarter, more aggressive and more ambitious.
Despite this, more than half of US investment managers don’t test their IT for weak spots, while a quarter do not regularly evaluate the effectiveness of their defense systems, according to a survey conducted by the US Securities Exchange Commission in May 2019
Back in 2016 cybercriminals managed to slip past the agency’s own defenses, but now hedge funds and asset managers are seen as the weakest link. In October, hackers successfully breached Arena Investors and the Kansas University Endowment and Community Foundation of Texas—executives at both companies were fooled by malevolent software in the guise of an email. Buy side firms are now rushing to install preventative controls, active monitoring, and safeguards against this flurry of bad actors.
Hackers have honed in on institutional investors for a number of reasons: the $78.7tn treasure trove of mandates they harbor, as well proprietary trading algorithms and sensitive data on client portfolios, fund assets, customers and counterparties. In today’s globally connected markets, asset managers (particular those with woeful cyber defenses) are an easy conduit through which cyber criminals can reach and disrupt the wider financial ecosystem.
There are a number of distinct groups of criminals: state-sponsored hackers are motivated by political agendas; hacktivists want to disrupt the system; and organized actors are interested in a big payday. The most frequent attacks on asset managers involve the manipulation or extraction of their data, which is easier if a company has weak defenses.
Another popular tactic is a Distributed Denial of Service (DDOS) attack in which nefarious actors infiltrate the asset manager’s IT systems.
Sometimes asset managers get burned even if they are not the main target of an attack. Last year, cybercriminals hacked into the systems of US credit scoring agency Equinix and made off with 143 million birth dates, driver’s license information, social security numbers, email addresses and phone numbers. As Equinix’s stock price fell, investors including BlackRock Vanguard and Fidelity Investments all reportedly lost money. But perhaps the most difficult thing to recover after such an attack is reputation.
The SEC has already begun to tighten the regulatory screw with its Cybersecurity Risk Alert and Reg S-ID, but asset managers are anticipating a slew of new rules that will herald in a more rigorous and systematic approach for protecting against attacks and minimizing contagion. Firms will be required to have a clear strategy in the event of a cyber-attack.
Asset managers are rushing to modernize their legacy systems to fight the new wave of hyper-sophisticated cybercriminal. The first step by many has been to hire a chief information security officer to detect attacks before they happen, keep abreast of the regulatory agenda and new attack protocols; and pacify investors' concerns.
Their task is simple: to stay one step ahead of the cybercriminal. But as hackers grow ever more sophisticated, it is likely to be a losing game.