How do asset managers and other financial services institutions fare in trying to protect their data and their customers from fraud, malware and other security breaches? Accenture’s High Performance Security Report 2016 looked into the state of cybersecurity in the sector. The survey revealed that financial services firms are suffering from an astounding number of security breaches. A typical organization faces an average of 85 targeted breaches every year. One third of these attempts will succeed. Do the math ─ that’s 2 to 3 per month!
The regulatory community concurs.
The SEC, in September 2015, said:
“We see an increasing barrage of cyber attacks on financial firms,” according to Marshall S. Sprung, Co-Chief of the Enforcement Division’s Asset Management Unit. There’s more. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
FINRA takes a position on this issue too:
“FINRA remains focused on firms’ cybersecurity preparedness given the persistence of threats and our observations on the continued need for firms to improve their cybersecurity defenses. Given the evolving nature of cyber threats, this issue requires firms’ ongoing attention.”
It’s not that firms have been remiss in their efforts. It’s more about the nature of the perpetrators and their tactics. Cybercrime is a dynamic and always evolving field bringing new threats nearly on a daily basis.
What’s an asset manager to do?
Develop a robust cybersecurity program designed to prevent attackers from achieving their objectives rather than simply preventing breaches. Just like the essence of cybercrimes themselves, a firm’s initiative needs to be multifaceted. Above all, “Think Resilient.”
Cyber resiliency ─ what’s that?
Cyber resiliency is the ability to operate business processes in normal and difficult scenarios without adverse outcomes. Resiliency strengthens the firm’s ability to identify, thwart, detect and respond to process or technology failures. It also bolsters its ability to quickly return to business as usual if an attack occurs, while reducing financial loss, customer harm and reputational damage.
Businesses with cyber resiliency have several common characteristics:
- More secure processes and systems
- Strong controls with a strong control environment
- Digitized and automated processes
- An aggressive, proactive, enterprise-wide culture that prioritizes security
To become more cyber resilient, firms should not only incorporate perimeter security, but also business risk/reward decision making, cyber risk management and control techniques throughout their business processes. They should also secure buy-in from the top of the organization down, and both inside and outside its walls. This will help them to mitigate the likelihood of an event effectively and reduce the impact if one occurs.
Creating cyber resiliency spans business processes and infrastructure. For example, it should include re-architecting business processes to reduce the access, dissemination and reliance on highly sensitive data. It also should involve recasting infrastructure and systems to limit the extent of potential damage when an attack strikes or systems and processes fail. And it may include re-working ways in which legal and liability protections are incorporated into service agreements to prevent fraud-related losses or expenses associated with remediating impacted customers.
For more on this topic with an eye to the best ways forward, read our new white paper on “Cybersecurity for Asset Managers: Shield Your Firm from Risks.”

Sources:
https://www.sec.gov/news/pressrelease/2015-202.html
http://www.finra.org/industry/2016-regulatory-and-examination-priorities-letter