The May 2017 WannaCry ransomware attack caused havoc to computer systems around the world. In response to this incident, the Security and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) swung into action by issuing a Risk Alert. The agency sought to draw attention to the gravity of cybercrime to the financial services community. Then it underscored opportunities for investment managers and wealth managers to enhance their defenses.
The Risk Alert notes that 26% of investment management firms conducted periodic risk assessments of the business consequences of threats to critical systems. It also indicates that 57% of investment management firms did not perform penetration tests and vulnerability scans on these same systems.
The SEC’s Risk Alert highlights a key part of the investment manager’s cyber-defense arsenal: penetration testing. Of course, these stealth exercises should never be the only tools used by a firm. However, they could be the catalyst for forming a more holistic approach that asset managers could develop to protect their assets as well as detect and respond to attacks.
These cyber-attack simulation exercises force firms to think about the vital answers to the following questions:
- What assets are most important to protect?
- How effective was our response to the simulated attack?
- What levers are available to ensure holistic protection?
- Are there opportunities in more secure, emerging technologies?
Assets of Many Kinds and Paths to Protect
The investment management business is a particularly juicy target for internal and external cybercriminals. A surfeit of treasures lies in a firm’s intellectual property and even in its trading data. For firms that operate their own transfer agencies, individual investor data is a valuable spoil. Asset managers have a secondary cyber-challenge since many key functions may be outsourced to third party service providers. Identifying and prioritizing the assets to be protected can be a key first step.
An attack simulation could be the best way to test control effectiveness. Ideally, the simulated attack would be detected by the firm’s security team. In this case, the incident investigation and response process should be allowed to run its course (up to a point) to assess the effectiveness of the escalation and response procedures. Tracking response effectiveness would be part of an overall cyber-risk assessment, including development of a rapid response team, as recommended by the SEC.
Levers for More Measures
The results of penetration testing can help produce recommendations, which could serve as windows to additional security measures. The technical, architectural and programmatic findings from the simulated attack can help spur action. Firms could launch initiatives on network segmentation, identity management, advanced analytics, application testing and vulnerability remediation as a result.
In light of serious cyber-attack consequences, firms also may take the opportunity to kick the tires on cloud computing and additional mobile security. Getting comfortable with the security and economics of the cloud could be a deliberate and thorough process for many firms in the investment management space. As investment managers become more digitally-inclined, having a platform to quickly engage customers in a secure way is critical.
Investment managers already have their plates full with fee compression, regulatory burdens and data management. However, the potential destruction resulting from a full-out cyber-attack may upend this agenda. In other words: firms should take action to boost cyber defenses.
In prior releases, the SEC said it will “continue to focus on cybersecurity and monitor events in this area.” Asset managers need to be as aggressive as the cyber-criminals in protecting key assets and establishing effective breach response procedures.
Now is the time for asset managers to ensure a 360 degree level of cybersecurity coverage from inside and outside the firm. If you’re interested in penetration testing or, as we call it, “Advanced Adversary Attack Simulation,” and how it can be a catalyst for a comprehensive approach to cybersecurity, feel free to contact me at firstname.lastname@example.org.