Hacking Away at Cybercrime to Keep Investors, Funds Safe
The novelty of cybercrime has worn off. Headlines about the latest attacks seem routine. But the havoc they wreak is anything but, and it is not being ignored. Financial industry leaders are pouring money and talent into hardening their defenses against criminals intent on disrupting business, compromising confidential data, and stealing.
A 2014 report estimated the annual cost of cybercrime and economic espionage to the world economy at more than $445 billion, or almost 1% of global income (Washington Post). Another report released this October found that hacking attacks cost the average American firm $15.4 million per year, and the average firm globally $7.7 million (CNNMoney).
The International Organization of Securities Commissions (IOSCO) is devoting special attention to emerging cyber risks, with multiple workstreams underway. It has just joined with the Bank for International Settlements to publish a consultative report, Guidance For Cyber Resilience for Financial Market Infrastructures, to aid in developing resilience strategies for the clearing and settlement systems that form the backbone of the world’s capital markets.
The IOSCO Affiliate Member Consultative Committee is also focusing on cyber risks, and created a working group on asset manager cyber resilience. CFA Institute is a member of the working group, along with Investment Company Institute (ICI) Global, the European Fund and Asset Management Association, the Hedge Fund Standards Board (HFSB), ANBIMA (the Brazilian Capital Markets Association), and the Korean Financial Investment Association (KOFIA).
As a first step, the working group extended an ICI survey of US asset managers to non-US asset managers to determine current general levels of preparedness for addressing cyber risks. Future surveys will help identify gaps in the industry’s preparations as well as emerging best practices for cyber risk management in the investment management business. Initial findings on firms’ practices included:
- Almost three-quarters (74%) of firms responding already conduct periodic assessments of cyber risks.
- Almost two-thirds (61%) of survey respondents require their employees to take information-security training.
- Over 70% of firms responding have in place a detailed written incident-response plan.
Meanwhile, the Hedge Fund Standards Board has published an excellent “cyber security memo” in the Toolbox section of its website and has extended access beyond the HFSB membership in service to asset managers. Thomas Deinet, CFA, executive director of HFSB, spoke at the last IOSCO Affiliate Member Consultative Committee meeting in October on key elements of the memo, including a description of the various dimensions of cyber risks, regulatory requirements of asset managers to address these risks, and practical steps that asset managers can employ to mount defenses against attackers.
Despite these tremendous initial efforts to respond to cyber threats, effective risk management will almost certainly require a long-term commitment of resources and strategy to counter the growing sophistication of attackers and the evolving technology relevant to the asset management space. Beyond the damaging effects of successful attacks, asset managers must plan for growing investments in staff and resources to protect the assets under their care, with ongoing expenditures to address the “new normal” of Internet-based crime challenging the healthy margins of the past.