How fund houses can fend off cybersecurity risks

Across the world, financial services organisations are facing an array of cyberattacks. Fund houses are not immune, and need to be prepared, argues Jeremy Pizzala of EY.

Asset managers in the region are increasingly aware of, and responding to, the growing danger of sophisticated cyberattacks. In a Global Information Security Survey, 89% of organisations said their cybersecurity function does not fully meet their needs, and only 12% felt it is very likely they would detect a sophisticated cyberattack.

Regulators such as the Hong Kong Monetary Authority are also increasingly aware of the threat cybersecurity poses to the financial services industry and have increased requirements for industry players around cybersecurity risk management frameworks and controls. In addition, the recent China Cybersecurity Law has placed additional onus on asset managers and others to protect client confidential data as part of an overall compliance framework.


Several trending cyber threat scenarios are most relevant to asset managers, but three require urgent attention: ransomware attacks; breach of client confidential data; and stealing of corporate secrets.

Ransomware attacks, such as that of WannaCry in May 2017, can lock up key business processes and client records. Data breaches have the potential to cause brand damage in the market and attract regulatory action. The stealing of corporate secrets via cyber means is also on the rise, whether it be proprietary asset valuation techniques or privileged financial information on companies held in the portfolio. Both may offer an illegal arbitrage advantage to criminals.

Wealth and asset management clients are also making themselves more vulnerable by increasingly demanding what is already widely accessible in the retail industry: full use of digital infrastructure capabilities. Although some aspects of interaction with clients will remain at a personal level and within the traditional advisory process, clients and advisors increasingly adopt technology-driven sales and support with an emphasis on mobile and web channels, such as robo-advisory.


As a business opens up its perimeter to digital interactions, it needs to consider how to manage the associated cyber risk.

This includes identity and access management of users: ensuring users are who they say they are, and are not “imposters” with malicious intent. It also includes hackers taking advantage of technical vulnerabilities in applications, and “data lakes” that become attractive sources of illicit client and other data for sale on the dark web.

While there is no simple answer for asset managers to address these cyber challenges, leading organisations are focusing on five priorities to develop a cyber-secure and aware culture that helps protect themselves.

1. Talent centricity

The organisation builds a culture that makes cybersecurity part of everyone’s job. It’s also important to create a chief information security officer role.

2. Strategy and innovation

Cybersecurity sits at the heart of the company’s business strategy, and it ensures that new digital innovation includes cybersecurity at the outset.

3. Risk focus

The fund manager understands how broad trends and new regulations will require its cyber-risk governance to evolve. It implements a three-lines-of-defense (3LoD) approach with clearly defined roles and responsibilities to manage cyber risk effectively.  

4. Intelligence and agility

The firm develops internal knowledge capabilities to use contemporary insights and information to assess the greatest cybersecurity threats. This way it can deliver timely threat identification with a sharp focus on protecting the critical assets of the organisation.

5. Resilience and scalability

The company is prepared to recover rapidly from a cyber breach while holding its ecosystem to the same cybersecurity standards it follows as an organisation.

Establishing effective cybersecurity takes most asset managers several years, but even incremental steps can provide a big uplift in protection. Having a plan in place with clear timelines and objectives will help all stakeholders, including the regulators, understand how your company intends to manage the burgeoning cyber risk challenge.

Jeremy Pizzala is Asia-Pacific cybersecurity leader at EY.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.


© Haymarket Media Limited. All rights reserved.