Cybersecurity Risk Management From An Asset Manager’s Perspective
While attending a recent compliance conference, I asked a fellow compliance officer what issue his firm felt was at the top of their priority list. His response – Cybersecurity.
He shared a story of how his firm recently received an email from a client requesting a transfer of a large amount of cash into another investment opportunity. On the surface, the email appeared legitimate. However, this was not the first time the firm had encountered such a situation. As a precaution, he called the client to inquire about the email. The client confirmed his suspicions: the investment opportunity was fictitious, and the client had not requested that money be withdrawn from his account.
The client's email account had been hacked. In both instances, the firm and its employees had been aware of and informed enough about cybersecurity to prevent any damage to their client or the firm from this type of cyberattack.
Cybersecurity has become one of the most important areas of focus in compliance and risk management, and regulatory attention is growing quickly. In April 2014, the U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) released a Cybersecurity Initiative risk alert announcing that it would assess the cybersecurity preparedness of registered investment advisers and broker-dealers.1 Canadian regulators are just as concerned about the vigilance of asset management firms in Canada when it comes to protecting their clients from cybersecurity threats; the Canadian Securities Administrators issued a staff notice on cybersecurity in September 2013.2
For asset managers, this under-appreciated threat is a minefield in terms of the damage that could be done to their clients and their own firms. Left unaddressed, cyberthreats can cause serious financial, brand and reputational damage and loss of competitive advantage, as well as legal and regulatory non-compliance. This paper discusses cybersecurity issues for asset managers and the questions a client should ask their asset manager about cybersecurity.
The majority of asset managers are inadequately prepared to guard against cyberattacks.3 This stems from the misguided assumption held by many asset managers that their firms, unlike big retail banks, are not an appealing target for cybercriminals.4 Cybercriminals are capitalizing on this complacency: many asset managers are being targeted precisely because they are unprepared and lack the expertise and security measures to ward off attacks, and those attacks are increasing in sophistication, volume and impact. Cybersecurity is not a threat restricted to governments (national security and critical infrastructure) or to large, established, lucrative organizations such as the banks, and it is not a problem for just the United States or Europe. It is a global concern and an area of great importance for Canadian organizations large and small, public and private.
A survey of small, medium and large Canadian businesses found that 69 per cent of those surveyed had experienced some type of cyberattack, including computer viruses, attacks on website content, phishing and social engineering.5 In October 2014, a vulnerability in Drupal, an open source content management system used to manage website content on millions of sites, was exploited by automated attacks within hours of the fix being published. Up to 12 million websites may have been compromised, and because an attacker could have copied all of a site's data without leaving any trace, Drupal's security team advised site owners who had not patched promptly to assume their sites had been compromised.6 The lesson for any firm running internet-facing software is that the window between a patch being released and it being exploited can be measured in hours, not weeks.
The general consensus is that cyberthreats will never be completely eliminated, so the question is no longer simply how an organization protects itself from a cyberattack. Given the sheer volume of cyberattacks occurring around the globe, the question now also includes how best to respond to an attack and mitigate the damage.7
Questions For Asset Managers
The unfortunate reality is that no defence will eliminate cybersecurity and data-protection risk. Asset managers need to focus on prevention, detection and rapid response. The following are questions that clients should ask their asset manager in order to determine how the firm is protecting itself and its clients' assets from a cyberattack:
Does the asset management firm promote a culture of teamwork in combating cyberattacks?
The most critical step in the fight against cyberattacks is establishing the right tone and culture within the firm, starting at the top. This culture needs to promote teamwork and an understanding that every individual in the firm has an important part to play. Cybersecurity has to be a corporate-wide endeavour, and everyone at the firm needs to support this reality. The executive team, board of directors, managers, supervisors, IT department, all lines of business and all staff must understand the different types of cyberthreats: where they come from, how the firm is vulnerable, how to protect the firm, and the business, financial, reputational, legal and regulatory damage that can ensue.
This culture can be encouraged with regular, robust training of all firm members by subject matter experts. Training makes staff aware of where the organization is vulnerable and of the crucial part they play in protecting it. The untrained team member can be an organization's weakest link, because they have access to both the internet and the organization's network. By simply opening an infected email attachment, or by being deceived into entering login credentials on a fake site reached through a phishing email, staff can put their firm at risk. Phishing emails are the most prevalent internet and email threat existing today.8 Training should therefore include the standing rule that the opening story illustrates: any emailed request to move money or change payment instructions is verified by calling the client or counterparty back on a number already on file, never on one supplied in the email itself.
Employees working from home also introduce risk if their home computers have insufficient security measures. Without current anti-virus software, an enabled firewall, up-to-date operating system patches and other basic controls, staff can put the organization's network at risk when working on files at home or when transferring files to work via email or USB flash drives, which may themselves carry malware.
Has the firm appointed a chief information security officer (CISO) and what is their role?
Asset managers should appoint a CISO to address and oversee cybersecurity issues. It is important to identify an individual who makes cybersecurity a priority, takes ownership and has overall responsibility for the cybersecurity program. In a large firm, this could be a dedicated individual with the necessary skills and qualifications. In a smaller firm, it could be someone who already has a compliance, IT or risk assessment role, provided they have access to the resources needed to address cybersecurity with the importance and priority it commands.
The CISO would also be responsible for developing, implementing and overseeing firm-wide cybersecurity policies and procedures. These policies should cover: the individuals responsible for administering the cybersecurity program; acceptable use of work computers and the internet; training programs; restriction of access to data and networks to authorized individuals, on a need-to-know basis; timely updating of operating systems and software; security practices for consultants, temporary workers, suppliers and third-party service providers; the firm's eCommerce activity; employees' personal smartphones connecting to the firm's network through the corporate WiFi; and the use of cloud-based services and third-party data storage and management systems.
A cyber incident response procedure should also be developed. It should cover identifying the cyberthreat; assessing its effect on the organization; containing it so that it cannot spread; eradicating it as soon as possible; preserving logs and other evidence so that the incident can be investigated afterwards; assessing the damage or harm from any unauthorized activity; escalating to management; and notifying all relevant parties, including affected clients, brokers, custodians, fund administrators, third-party service providers and, where required, regulators.
The CISO also needs to conduct a detailed audit of the firm's cybersecurity program. This assessment should review all cybersecurity policies and procedures; network and data security measures; the firm's cyber risk insurance, which should specifically cover expenses and losses due to cybersecurity incidents; and business continuity and disaster recovery plans for the firm and for the key business partners that the firm has online connections with and depends on to carry out its
Organizations need to take a risk-based approach and identify which information at the firm cybercriminals would most want. Asset managers need to devise a plan to identify, prioritize and protect the areas of the business that are most important and most vulnerable, as well as a response plan in case of a security breach.
By fostering a team-focused culture and administering a robust cybersecurity program, asset managers are on the right track to protecting their clients and their firm from cyberattacks.
Sunny Mann (LLB) is legal counsel and compliance officer at 18 Asset Management.
1. Office of Compliance Inspections and Examinations, OCIE Cybersecurity Initiative, http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf (November 12, 2014).
2. Canadian Securities Administrators, CSA Staff Notice 11-326 Cybersecurity, http://www.osc.gov.on.ca/documents/en/Securities-Category1/csa_20130926_11-326_cyber-security.pdf (September 26, 2013).
3. PricewaterhouseCoopers, Safeguarding Asset Managers Against Mounting Cybersecurity Threats, http://www.pwc.com/gx/en/asset-management/asset-management-insights/cyber-security-threats.jhtml (November 14, 2014).
4. CBC News, 5 Ways Small Businesses Can Boost Cyber-Security, http://www.cbc.ca/news/business/5-ways-small-businesses-can-boost-cyber-security-1.1007144 (November 12, 2014).
5. CTV News, Nearly 70% of Canadian Businesses Hit by Cyberattacks, Says Year-Long Survey, http://www.ctvnews.ca/sci-tech/nearly-70-of-canadian-businesses-hit-by-cyber-attacks-says-year-long-survey-1.1272687 (October 27, 2014).
6. BBC News, Millions of Websites Hit by Drupal Hack Attack, http://www.bbc.com/news/technology-29846539 (October 31, 2014).
7. Shane Dingman, Sean Silcoff and Rachel Greenspan, "Hacked: A Rising Threat," The Globe and Mail (October 25, 2014).
8. Chris Matthews, "Gone Phishing," HFM Technology (November 2014).
FORMS OF CYBERATTACKS
Various forms of cyberattack are used to steal personal information such as banking details, passwords, login IDs and client data. The following is a list of the most prevalent forms:
Advanced Persistent Threat (APT) – an attack in which an unauthorized party gains access to a network and remains there undetected for a lengthy period, typically to steal data quietly rather than cause visible damage.
Botnet – a network of private computers infected with malicious software and controlled as a group, without the owners' knowledge, to send spam, spread malware or attack other systems.
Distributed Denial of Service (DDoS) – an attack, often launched from a botnet, that floods a server or network with so much traffic that it can no longer serve legitimate users; the target may slow to a crawl or crash outright.
Malware – any computer code written with malicious intent, including viruses, worms and spyware; it is commonly used to damage or destroy data on a computer or to steal private information.
Phishing – a scam that uses email appearing to come from a legitimate source but containing a link to a fake website that replicates the real one, in order to deceive individuals into disclosing personal and financial information.
Ransomware – malicious software designed to block access to a computer system or its data, typically by encrypting files, until a sum of money is paid.
Social Engineering – the art of manipulating people into (a) disclosing personal information such as passwords, social insurance numbers, birthdates or banking information, or (b) giving access to their computer so that malicious software can be installed to harvest information and take control of the machine.
Spear Phishing – a phishing attack aimed at a specific individual or small group within an organization, crafted to appear to come from someone in a position of trust (such as an executive or a client) and requesting information such as passwords and login IDs, or an action such as a funds transfer.
Zero-day Attack – an attack that exploits a security vulnerability for which no patch yet exists, either because the vendor is unaware of it or because it has only just been disclosed. The name refers to the vendor having had zero days to fix the flaw before it was exploited; until a patch is released and applied, defences must rely on detection and containment rather than prevention.
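As an added worked example (not part of the original article, and not code from 18 Asset Management), the following Python script turns the phishing and spear phishing indicators defined above, and the training point about fake login sites in the section on culture, into checks that run over raw email messages: a sender or link domain that merely resembles the firm's own, a Reply-To header pointing somewhere other than the From address, and link text that names one host while the href goes to another. The trusted domain example-asset.com and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic phishing indicators for an inbound email (added example, not from the article).
Offline checks on headers and links only: lookalike From/Reply-To domains, a Reply-To that
differs from From, link text naming one host while the href goes to another, and link hosts
that embed a trusted name inside a different domain (example-asset.com.login-check.net)."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the firm's own domain. A real list would also include
# custodians, brokers, fund administrators and other regular counterparties.
TRUSTED_DOMAINS = {"example-asset.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Lowercase hostname of a URL or bare domain; None if s does not look like either."""
    s = s.strip()
    if "://" not in s:
        if not re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", s, re.I):
            return None  # ordinary words such as "the portal", not a domain
        s = "http://" + s
    return (urlparse(s).hostname or "").lower() or None


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True if domain impersonates a trusted domain without being it or one of its subdomains."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return False
    for t in trusted:
        if t in domain:  # trusted name embedded in an attacker-controlled domain
            return True
        if difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85:  # typo-squat
            return True
    return False


def analyse(raw_message):
    """Return indicator strings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if from_domain and is_lookalike(from_domain):
        flags.append(f"from-domain-lookalike:{from_domain}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to-mismatch:{reply_domain}")  # replies would go to the attacker
    if reply_domain and is_lookalike(reply_domain):
        flags.append(f"reply-to-lookalike:{reply_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host, text_host = _host(href), _host(text)
            if href_host and text_host and href_host != text_host:
                flags.append(f"link-text-mismatch:{href_host}")
            if href_host and is_lookalike(href_host):
                flags.append(f"link-domain-lookalike:{href_host}")
    return flags


# Constructed sample messages for this example (not real traffic).
SPEAR_PHISH = """\
From: "Jane Doe (CFO)" <jane.doe@example-asset.co>
Reply-To: accounts@mail-example-asset.com
To: ops@example-asset.com
Subject: Wire instruction update
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm the new instructions at
<a href="http://example-asset.com.login-check.net/">https://portal.example-asset.com</a>
before 5pm today.</p></body></html>
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example-asset.com>
To: ops@example-asset.com
Subject: Q3 report
Content-Type: text/html; charset=utf-8

<html><body><p>The Q3 pack is on <a href="https://portal.example-asset.com/q3">the portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("spear phish", SPEAR_PHISH), ("legitimate", LEGIT)):
        print(f"{name}: {analyse(raw) or 'no indicators'}")
```

Run it directly to print the indicators for both samples: the spear phish trips all five checks, the legitimate message none. These are heuristics for an awareness tool or a mail filter, not proof of fraud. A message with no indicators can still come from a compromised legitimate account, exactly as in the story that opens the article, so the out-of-band callback for any money-movement request remains the control. A production filter would also consult the SPF, DKIM and DMARC results that the receiving mail server records in the Authentication-Results header, which this script does not look at.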