Asset managers at risk from cyber-attacks

Want to be a cyber-criminal? All it takes is a laptop. Don't have a degree in computer programming? For a small sum a firm will launch an attack on your behalf. First time? There is a handy e-guidebook to take you through the process. What if the attack doesn't work? Not to worry, it comes with a warranty. 

Facetious as it would be to suggest that anyone could become a criminal, there is no doubt that it is easier than ever for invisible and malicious attackers to breach the digital infrastructures of firms. The biggest attacks now consist of multi-layered approaches and they can last for weeks rather than days. A Radware survey found that 19% of major attacks were “constant” and the most common attack length was a month. Industrialised, outsourced and efficient in delivery, a new generation of threats from cyber-space has arrived. 

“You can rent an attack for as little as $500,” says Adrian Crawley, UK and Ireland regional director for Radware. “These are well organised and sophisticated operations. They even offer telephone support lines.” 

Phil Huggins, vice-president, security science, at Stroz Friedberg agrees. “Hard attacks still need intelligent and considered attackers but most of the low-hanging fruit can be bought or rented by anyone. Some of the simpler but effective attacks can be easily downloaded for free.” 

With high-profile attacks frequently hitting the headlines, breaching firms including JPMorgan Chase, Target and Google, it seems no industry is untouchable. A PwC survey found that attacks on financial firms rose 8% in the past year and appear to be becoming more severe. The costs of such security incidents jumped 24% and the number of financial firms reporting losses of $10m to $19.9m increased by a hefty 141% from 2013 to 2014. 

Compared with other financial firms, asset managers have stayed relatively clear of the firing line. But with large assets under management, valuable client data and prized intellectual property, it is not difficult to imagine why asset managers could increasingly be targeted. Growing concern among both regulators and firms means asset managers are waking up to the threats. They remain, however, behind other financials in terms of self-defence. 

Asset managers have had a relatively sheltered existence compared with other financial institutions such as banks. Operating and trading on private rather than online networks, and often handling a lot of processes manually, asset managers do not present the same opportunities to thieves looking to infiltrate financial firms. 

As technology develops, though, this protection is being eroded. Bring-your-own device, cloud technology and vulnerabilities in third parties have all created entry points to asset management systems. HP recently revealed that 70% of the most commonly used devices contained serious vulnerabilities. On average, an eye-watering 25 vulnerabilities were found per device. 

“Bring-your-own device is a big challenge. If the device is infected, you have a problem,” says Radware’s Crawley. “The cloud environment is definitely faster and cheaper, but if something goes wrong you do not own the asset or the infrastructure.” 

Asset managers are not immune to denial-of-service attacks and could easily find themselves compromised. These attacks, which overload a network to the point of unavailability to genuine users, are on the rise across many industries. Sometimes attackers will ask for a ransom in order to restore service. Others just have a desire to cause disruption. 

Crawley says a clearinghouse firm with which he worked was targeted with an enormous service-availability attack. This attack, coupled with a ransom demand to restore service, not only put the clearinghouse offline, affecting all members that traded with them, but also affected all companies hosted with that service provider, many of which were financials. Crawley did not disclose which clearinghouse was affected, but this type of attempt is unfortunately not far-fetched. Iosco and the World Federation of Exchanges Office found more than half of 46 global securities exchanges surveyed had experienced a cyber-attack. 

As if the financial and reputational risk from data loss and service unavailability were not enough, the technology and the understanding of back-end systems required to carry out monetary theft might be becoming more sophisticated. Joram Borenstein, vice-president in marketing at Nice Actimize, says there is a possibility that asset managers’ own infrastructures could be used directly or indirectly for a type of pump-and-dump scheme. 

“It is not that difficult, if you are dealing with stocks that trade with small margins, to imagine how one false trade could make a number spike and for someone to profit from it,” he says. “The potential for gangs to come in and manipulate wires that asset managers use to send money to banks or other parties remains a real concern.” 

Stealing money from an asset manager is significantly more complicated than stealing data because an in-depth understanding of its structure and processes is needed. But, says Stroz Friedberg’s Huggins, there is no reason this could not be discovered at some point. 

“Just in the past year-and-a-half we are starting to see a trend towards attacking treasury systems and back-ends. Financial firms generally are more of a target because you can count on them having a treasury system. This is one of the places where asset managers could get stung – end-of-day reconciliation. It has not happened yet, but it has definitely got potential to be a problem.”

Securing supply chains 

In 2013 the Associated Press Twitter account was infiltrated and a tweet saying the White House had been hit by two explosions and Barack Obama was injured sent the Dow Jones plummeting by 143 points. Hacker group Syrian Electronic Army claimed responsibility. Increasingly cyber-criminals are not focusing just on data theft, but also on capital market supply chains. 

Huggins says: “If some key sources of market information had been tampered with, what would you do? Would you reconcile immediately? That could be incredibly disruptive. It is a real risk in the system and something for asset managers to take seriously.” 

The problem has regulators fretting. They have started showing that they are serious about shoring up financial market defences, and have recently had a particular focus on asset managers. The Obama administration has expressed its fear that hedge funds could be particularly susceptible to attack. The US Department of Justice urged investors to pressure fund managers to improve cyber-security, and US regulator the Securities and Exchange Commission recently examined 57 broker-dealers and 49 financial advisers in its continuing assessment of cyber-security preparedness in the securities industry. 

The Bank of England has launched CBest, a programme that simulates attacks on financial firms that make up the core of the UK financial system, including asset managers, so they can understand both their vulnerabilities and what they are doing correctly. The Central Bank of Ireland has also launched a thematic review for 2015 that addresses cyber-security and operational risk in investment firms and fund service providers. 

The US is far ahead of the EU in terms of data breach disclosure laws – there are already stringent standards that require US public companies to disclose details of attacks. This could explain why more of the high-profile cyber-attacks have been located stateside. But the EU may catch up this year. Its new Data Protection Regulation, due to be finalised in 2015, will have far-reaching consequences for many businesses. 

“Some companies have had their heads in the sand regarding the changes in data protection laws,” says Sarah Stephens, head of cyber and technology at JLT. “The EU data directive will include an element of mandatory disclosure and potential maximum fine for non-compliant entities of €100m.” 

Michael Soppitt, a director within Parker Fitzgerald’s digital risk and information security practice, emphasises that positive action enforced by regulatory scrutiny might take asset managers only so far in dealing with an external and evolving threat: “You cannot fix the problem with static regulation. Doing a number of things on a checklist does not really work. You need to take an outside-in approach. As an organisation you need to understand how cyber-criminals view you.” 

Simple solutions 

The range of problems might seem overwhelming but there are also plenty of practical and realistic measures that firms can take. Experts agree that the best defence is not necessarily the most expensive, or even the most comprehensive. To paraphrase GCHQ’s director general for cybersecurity, building walls so high that you alienate your customers is, in a word, inappropriate. The focus instead should be on education and getting the right people and processes in place. A long-term commitment to the cause that runs through the organisation from the intern to the board member and beyond is the foundation of an effective programme. 

“You do not need the greatest whizz-bang security to stay protected,” says Alex Tabb, partner at Tabb Group. “We have been engineering secure environments for some time now and the layering up of multiple checks and balances are tried and true. What asset managers should do, though, is ensure that their existing processes are working and stay up to date.” 

Tier-one firms have their own idiosyncratic problems, with well-known brands more likely to be targeted directly. They might also have enormous networks spread across the world that are more difficult to police. 

The plight of the smaller firm is trickier to resolve. Smaller firms might not have the infrastructure, personnel or resources to fund a highly sophisticated programme. But while the right technology and partners play a role, some of the smallest controls can have the most profound effect. A tightening of social media policy, a better email policy or taking precautions when engaging in conversations with third parties are all examples of such simple measures. 

“I do see small firms struggling,” says Tabb. “The level of security you have is often inversely correlated to the amount of work you can do effectively. There is a tricky balance to strike when resources are limited.” 

Cyber-security is certainly a larger burden on the smaller firm. Large and medium-sized financial firms (revenue above $100m) spend around 3.5% of their IT budget on security. This figure rises to 14.7% for firms with revenue of less than $100m. Interestingly, insurers, which have seen large increases in pay-outs for cyber-security breaches, have acknowledged that demands should be scalable, despite a shift back to due diligence in the underwriting process. 

“It could be as basic as the UK cyber-essentials checklist for smaller firms, which just sets out basic cyber-hygiene,” says JLT’s Stephens. “For larger asset managers a more sophisticated set of standards such as ISO 27001 or NIST might be more appropriate. The most important factor is having an agile and evolving programme with the right team.” 

Asserting that firms will create better protection with better information, Cary Stier, global investment management leader at Deloitte, urges firms to consider sharing information about attacks with relevant parties. He says the advantages for firms experiencing an attack of working closely with regulators and law enforcement outweigh the concern of losing credibility. 

“It is hard for managers to think and operate that way though – no one likes to air dirty laundry,” he says. “But it is better to talk about it on your own terms rather than having law enforcement find out about the issue later because you have lost your entire business.” 

Inside job 

Perhaps the threat that is most difficult to guard against, and potentially most devastating, is the one from the inside. PwC found that 44% of financial services respondents attributed breaches to existing staff. Potentially even more worrying, 28% attributed attacks to former employees. These two groups outstripped both hackers (26%) and competitors (20%). One simple approach would be to keep very strict operational controls based on a need-to-know principle, according to Tabb. 

“Just because someone is a good employee and a nice guy does not mean he or she needs access to the innermost workings of the company. Access should be audited routinely and people should be assigned and kept to their network access designation.”

But Stephens adds that firms need to think more widely when it comes to threats from inside. “When businesses think of rogue employees, they often assume this only applies to the disgruntled IT guy, but criminal groups target people with access to systems. It could be an executive floor receptionist, someone from a call centre, or the person responsible for transporting files to offsite storage. Perhaps someone not particularly well paid or without particular loyalty to the company would be tempted to put an infected USB into a laptop or let a box of files fall off the back of the truck, for the right price.” 

Bringing a human dimension back to what can seem an intangible issue, she suggests promoting a “we are in this together” personal approach. If companies educate employees on what a data breach and subsequent identity theft could mean to them, workers might be encouraged to look out for one another, as well as the firm.

Cyber-hydra 

A fiend in many guises, the cyber-attacks that have hit headlines in the past five years have come in all shapes and sizes. Here are some examples. 

The data theft attack 

The 2014 JPMorgan data breach was reported to have involved personal data associated with more than 83 million accounts, giving rise to fears over phishing attempts. Account data was not stolen. The New York Times reported the source of the breach was a simple failure to upgrade an overlooked network and a stolen password. The origin of the attack is still unknown. Fidelity Investments is thought to have been affected by the same campaign, to a lesser extent. 

The denial-of-service attack 

A group calling itself the Cyber-fighters of Izz ad-Din al-Qassam claimed responsibility for taking down the websites of around 50 financial institutions with denial-of-service attacks, including, reportedly, the New York Stock Exchange, Wells Fargo, Citigroup, JPMorgan Chase and American Express. The three waves of so-called Operation Ababil started in September 2012. In the third phase of the attack alone, 15 major US bank sites were offline for a total of 249 hours, according to Radware. 

Back-of-house attack 

BAE Systems Applied Intelligence’s global product director said in June 2014 that hackers successfully inserted malicious software that delayed by several hundred microseconds a large, unnamed hedge fund’s order-entry system. The hackers also rerouted data that might be used to make money in rogue stock market transactions. BAE Systems later said that this attack had not happened but was rather a “scenario” used by the firm – but not before it had caused a media and industry storm. 

The third-party vulnerability attack 

The source of the infamous Target attack has been traced back to credentials stolen from Fazio Mechanical Services, a refrigeration, heating and air conditioning company hired by Target. These passwords were used to upload the card-stealing malware to cash registers. It is also a good example of a breach that created significant collateral damage in the finance sector. The attack cost banks $200m to replace cards and money lost by Target’s customers. 

The all-consuming attack 

The GameOver Zeus conspiracy did not discriminate in terms of targets and caused $100m worth of financial losses to businesses and individuals in the US alone according to the FBI. The malware was able to steal financial details and also contained Cryptolocker, a ransomware programme that encrypted all files until a fee was paid. It is estimated that this malware infected more than 500,000 users worldwide.