Regulators in Asia are starting to take action in the face of the growing threat from cyber-space, the latest example of which was the WannaCry global ransomware attack, which began on 12 May and hit organisations across Asia, including oil major Petrochina and several Chinese universities.

Yet asset management firms – and the institutional investors in their funds – need to buck their ideas up on this front, argue consultants.

Steven Craven of the cyber, data and risk assurance division at PwC in the Isle of Man, said both asset managers and asset owners were generally poorly prepared for a cyber attack.

Fund selectors at both institutional investors and product distributors take an asset manager's cyber-security into account “very little” when assessing them, he noted. There is very little scrutiny in respect of the risk of an external attack, crisis management or ensuring data does not leave the premises, added Craven.

Greater protection needed

But there should be, because asset managers' cyber-security provisions are generally weak, said Craven. “No one has differentiated themselves. Maybe they don’t feel the payback would be sufficient.” Either a big attack on an asset manager or a significantly increased focus on the part of investors would be needed to “shake them up”, he suggested.

Jack Jia, a partner in the fraud investigation and dispute services division at consultancy EY in Hong Kong, agreed that asset managers are not as well protected from cyber risks as they believe. In particular, he said, they underestimate the risks of internal attack. “[These firms] have not thought about the internal threats [from their] own employees or outsourced third-party service providers,” noted Jia.

In fact, this is the case broadly across financial services, he said. In a May survey by EY, 72% of respondents from financial services firms in Asia Pacific said their organisation was “fully prepared” to protect itself against cyber attacks, compared to 64% for respondents across all types of firm in the region. However, 39% of financial services organisations lack policies limiting the use of personal devices for work-related activities.

In respect of employee risk, Jia said there had been many examples of employees leaking details of trade information, confidential data about a company, login credentials or customer account information, much of which is then sold illegally on the dark web.

Regulatory action

What may spur fund houses into action is that regulators in Asia have started taking action on cyber security. On May 8, Hong Kong's Securities and Futures Commission started a two-month consultation on proposals to expand its regulation of electronic trading of securities on exchanges – which currently apply to brokers – to unit trusts and mutual funds. The watchdog also intends to broaden its definition of internet trading to include mobile devices.

“Hacking of internet trading accounts is the most serious cyber-security risk faced by internet brokers in Hong Kong,” said Ashley Alder, SFC chief executive. “Brokers must strengthen their resilience to hacking and other cyber-security risks by adopting robust preventive and detective controls.”

Look out for the second part of this series in the next couple of days, in which AsianInvestor ask asset managers what they are doing to counter cyber threats.