28 August 2013


Because of the substantial value they hold, financial services organisations have always been a prime target for cyber criminals. We have seen many data breaches and targeted attacks against networks, applications, websites and, most importantly, data and information. In recent years, organised crime has shown increasing sophistication. This has meant that in addition to the more traditional hacks used to ultimately perpetrate fraud, we have seen a surge in attacks targeted at disrupting business operations in order to extract ransom.

Consequently, as large financial services institutions have increased their efforts to protect and secure their environments, cyber criminals have been forced to target smaller prey, which very often don’t have the time, resources or foresight either to manage or to understand this category of risk. Some of these smaller organisations would be seen as low-hanging fruit not only because their security measures are easy to compromise, but also because they may have high-value customers (this compensates for the smaller customer numbers these firms have) and/or attractive partners in their value chain (because they are seen as an easy-to-penetrate gateway that may lead to an attractive target).

As has been evidenced many times, small and medium businesses often believe they are too small to attract the notice of cyber criminals. Asset management firms, including hedge funds, alternative investment, wealth management and other boutique firms fall into that category.
Investment firms have struggled with information security because they have historically focused on business continuity planning, often treating information security at best as an afterthought and at worst as something addressed only when reacting to a data breach. Cultural differences may have played a part in this disconnect, where the inherent risk-taking culture of these businesses has clashed with the traditionally risk-averse approach of information security departments. Because of the media exposure of cyber-attacks over the last few years and the increasing focus on risk management, company boards and investors are now fortunately paying more attention. The steady move of the information security community to greater understanding of risk management is also playing a role in this shift.

I personally believe that organisations cannot truly assess their information risk if they haven’t clearly determined what their assets are. Asset management firms have a wealth of criminally attractive information assets, including:
  • proprietary trading algorithms and other patented technologies
  • client data
  • trading/market data
  • partnerships
Whilst asset management companies may be subject to the type of fraudulent activities other market sectors experience (e.g. payment fraud, phishing, ID theft, etc.), organised criminals can specifically target this sector in many ways, such as blackmailing clients, selling illegally obtained information on the black market, or placing fraudulent trading orders. In addition, fraudsters may also use these organisations as a springboard to infiltrate partner businesses, rendering them unwitting parties to the crime cycle because of weak security practices. Conversely, these organisations should look diligently at their supply chain, lest the reverse happen due to potentially weak security practices at a partner or supplier. Here again, due diligence is key.
With this in mind, more investors, trading partners and regulatory bodies are asking the hedge funds, alternative investment and other financial markets firms to provide proof of strong security programs and data privacy, covering their entire value chain.
Apparently, most investment management companies do not yet exhibit best-in-class (or even sector peer group average) data protection and information security practices. The realisation needs to come that they potentially face not only financially motivated cyber criminals, but also politically and socially motivated attackers (e.g. through system downtime, hijacking of public accounts or even defacement of websites). I am sure we’re all familiar with the Associated Press Twitter account hijack which led to a spectacular, if short-lived, crash of the Dow Jones.
In addition, with the increasing convergence and cooperation between cybercrime and cyber espionage (and the Symantec Internet Security Threat Report 2013 revealed a 42% increase in cyber espionage, leading to IP theft), these organisations are also potentially facing a double jeopardy. This can lead to potential fines and penalties related to standards such as the Payment Card Industry Data Security Standard (PCI DSS) and other compliance, client data and privacy regulations. On this last point, the EU data privacy regulations will affect all organisations already using or contemplating the use of cloud services which, with their very obvious benefits, must nevertheless be assessed within a clear risk management framework.
Finally, aside from the obvious financial damage, attacks leading to security breaches will damage a firm's reputation and expose it to losses due to system downtime, potential lawsuits and stolen intellectual property, as well as impacting the trust its customers place in it. This therefore must be viewed as organisational change, taking into account not only the technologies, but also the processes and people dimensions. Some might think that their insurance covers them; think again...
Raising awareness is a good start.
Until next time,