Following news this month that fund manager Fidelity had recently been hacked in the US alongside 13 other firms, consultants have highlighted the vulnerabilities financial institutions face in Asia.
The question is when, not if, a similar cyber-attack will happen in Asia, as the region lags both Europe and the US in terms of its readiness to combat cyber-crime, said Ernest Hilbert, Emea head of cyber investigations at risk consultant Kroll. Asia is some seven to 10 years behind the US on this front, while Europe lags by three to five years, he noted.
That a high-profile cybercrime case involving a financial firm has yet to surface in Asia could either be the result of fund managers not being aware their computer systems have been compromised, or because they are unwilling to publicise cyber-attacks, sources said.
“Investment firms [in Asia] do not take cybersecurity [seriously]. They don’t understand how their stuff is valuable in somebody’s hands,” said Hilbert.
A major concern for firms is industrial espionage, noted Thio Tse Gan, technology risk consultant at Deloitte. A fund house wanting to tap a potential client may be interested in information on how their assets are already invested, for example.
Equally, hackers could use data gained illicitly for front-running, with information on the investment strategies of large fund houses or institutional investors, such as sovereign wealth funds, seen as particularly sensitive.
The number of attacks on asset managers – successful or not – is unknown, but a report released in October by consultant PwC noted that cyber-crime in Asia is more common than in other regions.
It found that 40% of financial firms in Asia had reported between one and nine security incidents over the previous 12 months, compared with the global average of 35%.
A common tactic is 'phishing', whereby sensitive information is stolen often through email spoofing, with the message pertaining to come from a trusted source, but infecting the recipient’s computer with malware.
“If you went to a senior partner or director at any investment firm in Asia, their contact list is going to be chock-full of highly successful, highly valuable people,” Hilbert said.
Such access could reveal information about business deals, and enable a hacker to send out emails to the recipient’s contact list, who in turn could be infected.
In another attack reported last month, the details of 76 million JP Morgan Chase customers were reportedly collected by hackers.
Moreover, firms that conduct algorithmic – or automated – trading are seen as increasingly vulnerable to attack. For example, hackers could infect a fund manager's computer system with malware that disrupts its order-entry system.
“There have been discussions in the cyber underground for years [about hacking trading systems],” said Hilbert. "People have gotten to the point where they have gotten into systems, but they don’t understand how they work, so they weren’t able to profit."
He noted that hackers are now analysing trading systems to determine how to attack them successfully.
In a sign of the growing threat of hackers, international police organisation Interpol opened an office covering cyber-security this month in Singapore. The move was done partly because the city is a banking centre, but also to raise awareness of the issue of cyber-crime in Asia.
“You are not going to hear about any cases because nobody is actually looking and seeing what is happening,” said Hilbert. "I can guarantee that the bad guys know the information is in Asia, and they are stealing from there knowing that the companies are not prepared."