Financially motivated cybercriminals are attracted to asset and wealth management (AWM) companies for obvious reasons. A recent report highlighted that the sector handles lucrative client financial data similarly to many banking institutions. But attackers know these firms often have smaller security budgets, smaller security teams, and fewer employees to protect their infrastructure.
As a result, asset and wealth management companies are becoming increasingly vulnerable to attacks. Data loss caused by ransomware variants such as Sodinokibi, SolarWinds, and NetWalker is sadly all-too-familiar to many fund managers. Impersonation threats also come in many forms, from payroll scams and invoice fraud to spear-phishing or even voice phishing. But these are just a few examples of the continuously expanding threat landscape.
The rise in threats across expanding attack surfaces
The global shift to hybrid working demands a proactive approach to protecting systems, devices, and data from an inevitable attack. A quick look at the world's biggest data breaches or ransomware attacks should be enough of a wake-up call that it's not if, but when an asset will be the target for an attack.
According to a 2014 study by Gartner, network downtime can cost an organization around $5,600 per minute or up to $300,000 per hour. But here in a digital age, closing the online shutters to your business could cost even more. For example, if a retailer suffers an outage during the Black Friday or Cyber Monday sales, it could cost around $250,000 per incident. But it would also increase the number of negative reviews, which would then cause a further 80% of potential prospects to desert your company.
Many businesses are also unwittingly helping the attack surface grow continuously as billions of new IoT devices come online. Everything from baby heart monitors and cardiac devices to Jeeps has fallen victim to embarrassing hacks. The Bombardier data breach also provided a timely reminder that vulnerabilities in software applications can have devastating impacts on your business.
However, the threat landscape is much bigger than your own assets. Last year, Cyberpion released research that revealed 83% of the top U.S. retailers were connected to a vulnerable third-party asset, and 43% have vulnerabilities that pose an immediate security risk. Any internet-facing service that does not have the latest security updates represents a vulnerability for an attacker to exploit easily. But you cannot secure something if you don't know it exists.
The risks and challenges in asset management
There is no avoiding the fact that more cyber-attacks have hit the financial industry than any other sector. In a recent risk report, the European Banking Authority (EBA) and the European Supervisory Authorities (ESAs) revealed that cyber-criminals are developing new techniques to exploit vulnerabilities in the industry.
The asset management sector is becoming an increasingly attractive target for attackers, and authorities are sending out clear warnings for businesses to improve their cyber hygiene. In addition, recent fines suggest that the U.S. Securities and Exchange Commission (SEC) is getting serious about the cyber security vulnerabilities in firms. The agency advises companies to create a disclosure committee and disclose cybersecurity risks, incidents, and all business impacts when requested.
The SEC is also demanding greater transparency around processes, identifying weaknesses, forensic assessments of the company's cybersecurity systems, and the ability to disclose incidents before they're fully understood.
The impact of an attack
The commercial impact of a cyberattack can cripple a business financially and operationally. The reputational damage it can cause has also traditionally been underestimated and arguably ignored. But HSBC warned that, on average, it takes around two years for a business's reputation to fully recover after a data breach.
These impacts can be incredibly daunting for fund managers. However, with regulators wanting to see evidence of a level of security that is deemed sufficient to meet their obligations, we are beginning to see positive changes in the industry. In addition, asset and wealth managers recognize they cannot afford not to mitigate cyber security risks.
The dangers of future acquisitions can no longer be ignored in a digital world where ransomware attacks aimed at private equity, venture capital, and retail fund managers are on the increase. The protection of assets from malicious threats can be made much easier with a combination of preventative technologies, policies, and procedures. Understanding your vulnerabilities and weaknesses is the first of many steps required to build and maintain a secure, resilient cybersecurity posture.
Fund managers now have to face the fact that they are working in an environment where cyber-attacks are rising in number and sophistication. Globally, regulators demand that companies take the necessary measures to protect against the reputational and financial risk of cyber-attacks. Risk and compliance are no longer only IT's problem; the boardroom needs to take them seriously too.