Cybersecurity issues for investment funds: Measures to mitigate a growing threat
By Robert Humann, SS&C GlobeOp
Published: 31 January 2020
In early 2019, an email began circulating among fund firms that appeared to be from a legitimate researcher.
It referred to rumors that the European Securities and Markets Authority (ESMA) was considering suspending short selling under Brexit, and offered a briefing document on the topic. When recipients clicked on the link to obtain the briefing they were greeted with a blank page, raising suspicions that the email was planting malware in the firms’ systems. Those fears were further exacerbated when the purported attacker boasted in an online forum about having compromised several firms, and threatened more.
Whether this “phishing” attempt was an actual cyber attack or an elaborate hoax, as some suspect, it nonetheless underscored the vulnerability of funds to cyber threats. The financial services industry is the primary target of cyber thieves, and as a growing industry sector, funds can no longer assume they are too small or too far under the radar to be victims.
What is at risk?
What makes funds attractive targets for malicious actors? The most valuable commodity on the dark web is sensitive, confidential client data, what security experts call personally identifiable information or PII. In the PwC 2018 Global State of Information Security survey for Mainland China and Hong Kong, customer records were the most commonly acknowledged target of security infractions. Fund firms also hold valuable trade secrets, such as proprietary research or trading algorithms, which could cause serious financial and reputational damage if compromised. And of course, there are the fund assets themselves – sophisticated thieves are not simply after data, but are employing nefarious means to steal money from funds, financial gain being among the top motivators for a cyber attack.
Apart from these direct risks, funds also face regulatory pressure to make sure they have security controls and incident response plans in place. Under the EU’s GDPR, fund firms have a fiduciary duty to protect their clients’ data and assets. In the US, the SEC has made cybersecurity a priority in exams. The UK’s FCA outlines several cyber-resilience principles that firms are expected to follow, and firms are required to notify the authority of any actual or suspected breach or incident. Other global regulators, such as ASIC (Australia), CIMA (Cayman), CSSF (Luxembourg), CBI (Ireland) and the SEC (USA), amongst others, have all published guidelines. Weak controls put firms at risk of regulatory sanctions.
Types of attacks
Given these risks and responsibilities, it is vital to be aware of the types of attacks to which your firm is most likely to be subjected.
Business email compromise (BEC) or “phishing” attacks, like the one cited earlier, are the most common type of attack, reportedly the starting point for 90% of data breaches. These attacks prey on human negligence and naivete, duping employees into divulging sensitive information, or clicking on links or attachments that unleash malware giving attackers entrée to a firm’s network and the data and applications residing within.
Employee device compromise similarly exploits human mistakes. As employees increasingly use their personal laptops or mobile devices for work, a stolen device can give attackers easy access to their firm’s systems and data.
Funds are also likely targets of ransomware attacks, in which the attacker locks down critical operations and demands payment to restore them. Ransomware attackers are clever. They purposely keep their ransom demands comparatively low so that victims will be inclined to pay, knowing the cost of lost business or client lawsuits would be much higher. Similarly, a bad actor may launch a distributed denial of service (DDoS) attack that can disrupt critical business activity, such as trading, or target a client portal, making it impossible for investors to get information or communicate with the firm.
The reasons for targeting funds also vary widely. Theft of data and financial gain, as noted earlier, are the most common. Competitive espionage, sometimes abetted by state actors, is another motivation. Firms may also be targeted by disgruntled current or former employees, or by “hacktivists” who want nothing more than to make a statement by sowing disruption.
Assessing the costs
Data on the costs of cyber attacks is widely inconsistent and can be misleading, in part because breaches have become so pervasive that it’s hard to keep up, but also because there are many different cost components. First, there are the direct financial losses to the fund and its investors if thieves succeed in gaining access to fund accounts. Even if there are no direct losses, there are costs associated with repairing the damage, including attack investigation and remediation, hardware and software replacement, crisis management and client notifications.
A compromised firm will likely be subject to regulatory fines and sanctions, as well as investor lawsuits and legal fees.
Add all these components up and you can see how the cost can quickly escalate beyond the initial damage or financial loss. Less easily quantified is the lasting reputational damage and loss of investor confidence, which will likely result in client defections and raise hurdles to future fundraising efforts.
Basic internal security measures
Unfortunately, there is no cybersecurity silver bullet. There is, however, a combination of measures firms can and should take to minimize the risk of a breach, and to mitigate the impact when (not if) a breach occurs.
Understanding that a firm’s most glaring vulnerability is often the human element, employees need to be trained, educated and equipped to recognize phishing emails and to be wary of clicking on or responding to an email from an unknown source. Firms should also have policies restricting or governing the use of personal and portable devices for business purposes. Devices should be secured with access controls and password protection.
Conduct an independent threat assessment with a cybersecurity consultant to identify gaps and vulnerabilities. Invest in a robust security infrastructure. This investment includes firewalls and intrusion prevention systems, but also includes automated breach detection and response capabilities to mitigate the impact of threats that succeed in penetrating perimeter defenses. Firms should also have an offsite business continuity and disaster recovery backup. Regulators will expect firms to have written incident response plans delineating roles and responsibilities and actions to be taken. Moreover, they will expect you to be performing due diligence on technology and service providers, vendors and other third parties whose systems interact with your firm’s – not just at the outset of a relationship, but continuously.
SS&C: What we’re doing
“We’ve invested heavily in security measures,” says Chief Technology Officer Anthony Caiafa, “including the deployment of a global Security Information and Event Management (SIEM) system to gather threat intelligence from a variety of sources and correlate it with our systems internally to ensure we have a secured environment. We have also partnered with an industry-leading provider of email protection solutions to flag and block suspicious emails and spam.”
Security is a shared responsibility
Alternative fund firms and their service providers have a shared responsibility to implement security safeguards. Each party’s responsibilities should be clearly delineated at the outset of the relationship and continually monitored. Fund managers should be mindful of regulatory requirements and expectations around security, equip employees to be the first line of defense against cyber thievery, and invest in technologies to guard against both external and internal threats. Service providers should be prepared to demonstrate the measures that they have taken to protect client data and assets in their care. Working proactively and keeping each other informed, fund managers and service providers can reduce the risk that they will fall victim to increasingly sophisticated threats targeting the fund industry.