Workplace fluidity leads to growing cyber vulnerabilities
By A Paris – Hedge funds and alternative asset managers are responsible for over USD3 trillion in assets under management – many bright shiny diamonds for cyber criminals to pursue. Increased levels of remote access propelled by the Covid-19 pandemic are making these organisations even riper targets. So, in this environment, the cost of inaction or complacency around cybersecurity continues to mount.
According to IBM Security, the average cost of a breach within financial services is USD5.85 million – well above the overall average of USD3.86 million per breach across all industries reviewed. Although the crisis has put many managers under pressure in terms of budgets, continuous review of cybersecurity systems should not be left by the wayside.
A heartening argument in these belt-tightening times is that the amount of money firms dedicate to cybersecurity is not necessarily a measure of a system’s success. In fact, a study by Deloitte concludes that the way a programme is organised and governed can be equally, if not more, impactful than how much a firm spends on cybersecurity.
Infrastructure and investment
The study discusses firms’ cybersecurity programmes according to their maturity level. Within adaptive firms, leadership drives the cybersecurity agenda. The report finds: “Almost all board and management committee members at responding companies were keenly interested in their company’s overall cybersecurity strategy. However, those from adaptive companies suggest their boards are more likely to delve into the details of the cybersecurity budget, specific operational roles and responsibilities, as well as the programme’s general progress than are boards of less advanced peer companies.”
The consultancy also partnered with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to survey its members. This association is dedicated to reducing cyber-risk in the global financial system.
Survey respondents reported an increase in cybersecurity spending, with identity and access management, cyber monitoring and operations, and end-point and network security receiving bigger shares of the pie.
The Covid-19 pandemic accelerated digitisation and remote working arrangements across the financial services industry. Firms with strong technology architecture were arguably in a good place to make this transition. However, the FS-ISAC report notes: “This sudden shift has compounded problems for many chief information security officers (CISOs) and cybersecurity teams charged with securing the digital fortress at their firms. Hackers and cyber scammers are trying to take advantage of expanding technology footprints and new attack surfaces, with most employees working remotely.”
JP Morgan Asset Management warns clients: “Periods of crisis bring out the best in humanity, but the worst in online scammers. Now is the time for extra vigilance when accessing your investments online, responding to emails and managing personal data.” The firm says that in addition to employing the latest fraud prevention strategies and technologies internally, it is committed to providing useful information that empowers clients to take control of their own cybersecurity.
A report by PwC remarks: “As many organisations within the asset and wealth management sector have adapted to virtual working environments, there is a need to be more vigilant than ever when it comes to cybersecurity awareness. With so much capital at stake, in a sector that is guided fundamentally by risk appetite, it is vital that organisations within the sector maintain and uphold a robust, secure environment, as well as have the capability to detect and respond to attacks such that the business impact, if any, is minimised.”
The FS-ISAC report warns: “Financial institutions should be particularly judicious before making a reduction in cybersecurity budgets. Given the increased push toward digitisation and the challenges raised by new, often remote work environments, as well as an increase in insider threats, cyber risks confronting most organisations are intensifying.”
The increased levels of remote working have undoubtedly also led to rising vulnerabilities for manager organisations.
“When someone logs into their workplace from home, they’re using the same device – most likely their mobile – that controls access to their personal networks, including their digital assistant, smart television, smart refrigerator and even their connected car,” says Macquarie Capital managing director, Tej Shah. “Each of these devices is, in turn, connected to thousands, potentially millions, of additional devices through the apps and the software they use.
“When you couple that with machine learning, which can leverage phishing as an attack method more easily, especially at the individual level, you can see how the perimeter quickly becomes nebulous, making it easier for a hacker to get into a company’s system through a single point of weakness.”
PwC analysts note a rise in human-operated ransomware and data exfiltration attacks. Although there is no data to directly attribute this increase to the Covid-19 pandemic, the correlation cannot be ignored. “The statistics support the hypothesis that the increase in publicly known threat actor activity is a direct result of the current economic downturn,” they say in a report.
In such attacks the malicious actor would have completed an in-depth reconnaissance exercise ahead of deploying ransomware on the target. The information collected is then used as leverage against the target firm, with threats to release any confidential files onto leak sites.
As of 20th May 2020, PwC observed over 150 organisations in the asset and wealth management sector around the world having had their data leaked in this manner by multiple threat actors. “With the sector being a lucrative target before individual countries began instigating their national lockdown policies, the abrupt adoption of remote working technologies alongside threat actors growing more emboldened, presents new cybersecurity challenges at this time,” the consultancy says.
Much has been said about the rising salaries cybersecurity and specialist IT executives command. This is partly driven by the fact that there aren’t many of these individuals around. (ISC)², an international nonprofit association for information security leaders, estimates the current cybersecurity workforce at 2.8 million professionals. However, the association also identifies a significant shortage, as it says the industry needs an additional 4 million trained professionals to close the skills gap.
According to a report by Allied Market Research, the managed security services market overall is expected to grow to USD40.97 billion by 2022. George Ralph, managing director at RFA, comments: “We have definitely seen an uptick in demand for fully outsourced and managed cybersecurity services delivered via our Security Operations Centres (SOCs). I believe a combination of increasing regulatory and investor pressures, increasing velocity and ingenuity of attacks, a lack of available skills and the natural move to outsourced services has led to this.”
John-Thomas Gaietto, executive director of Cybersecurity Services at Richey May & Co, highlights the importance of quality when considering external partners and enterprise tools: “If you’re looking at a second- or third-tier provider, odds are they won’t have the sophistication or tools available to enable you to protect your environment in a cost-effective and efficient manner.”
The investment angle
Aside from managing the operational threat of cybersecurity concerns, managers are also looking at the sector as an investment opportunity. For example, Robeco began to involve a cyber expert in its investment process a few years ago. The “white hat hacker” was brought in to investigate the degree to which companies Robeco invests in might appeal to hackers and help identify which business units are at risk.
BlackRock also considers cybersecurity in its investment process. In an insight piece, Scott Thiel, BlackRock’s chief fixed income strategist, says: “We see cybersecurity as an increasingly important risk for all investors to monitor, with implications that cut across sectors, from financials to utilities.”
A firm that has taken this a step further is ForgePoint Capital; it focuses on investing solely in emerging cybersecurity companies. In February this year the firm announced the close of its second fund with USD450 million in capital commitments. This is the industry’s largest fund focused exclusively on cybersecurity and will invest in early-stage and select growth companies.