Cybersecurity challenges in Asset Management firms

21 July 2022 | 3 min read

Roland Thomas

Corporate Development Manager
Thomas Murray

Fund managers should not get caught out thinking they are a low-priority target: here’s how to identify risks and build resilience, to protect investor data and assets.

Conventional wisdom tells us that investment risk depends solely on the success or failure of a financial instrument. A higher risk appetite can reap higher rewards, but the value of an investment can be wiped out. This is true, but how many investors are aware of the huge array of other risks faced by their chosen funds? And how many investment management companies consider cyber risk to be an investment risk? In this article, we explain why cyber risk is an area of acute vulnerability for investment companies, and the steps firms can take to build security.


Banks are a harder target for threat actors

Asset management companies, like any other firm and more than most, face unprecedented challenges in protecting themselves from cyber criminals. The sector is under particular scrutiny because the banks – historically a greater focus for hackers – have invested so heavily in security that they are generally well protected against threats and are prepared to respond when attacks inevitably occur.

Most large global and regional banks now have dedicated Security Operations Centres, responsible for detecting, quantifying and responding to cyber threats and incidents. In spite of all this, according to analysis by Thomas Murray, 20% of banks still suffered cyber attacks in the last 12 months, with 8% refusing to disclose. Banks are still a target, especially via vulnerable supply chains, but it logically follows that cyber-criminals will increasingly pursue targets that are asset-rich but have weaker security.


Investment companies are vulnerable

With significant Assets Under Management (AUM) but often limited operational budgets, asset management companies are acutely vulnerable. Financial firms are 300 times more likely than other institutions to experience attacks, and the average cost of a data breach in 2021 was $4.23 million. While banks have the balance sheets to absorb these costs, few but the largest asset managers do. Companies are being targeted with a higher volume of attacks, by threat actors who are becoming more sophisticated, and asset managers are making themselves vulnerable by underinvesting in IT infrastructure, as well as by exposing themselves to a huge range of service providers.


Attack surfaces are growing

As asset managers responded to Covid by innovating with new digital services, they unwittingly grew their attack surfaces. The result has been that security has often not kept pace with digitisation, and performance has taken precedence over resilience. At the same time, investment firms have taken advantage of the efficiencies and expertise offered by outsourcing their middle and back office, exposing themselves – and their clients – to a larger number of third parties than ever before. These investment institutions should be bastions of security, safeguarding investors’ and savers’ assets as a minimum requirement, but they are faced with a perfect storm of growing attack surfaces, vulnerable supply chains, rising cyber criminality and complex regulation. Acknowledging the problem is the first step, but how can they respond to the challenge?


3 ways Asset Management companies can reduce Cyber Risk

There are three ways by which asset management companies can reduce cyber risk in the front, middle and back office – making security a C-Suite priority.

  1. Learn who their third and fourth parties are

    51% of organisations have experienced a data breach caused by a third party, according to the Ponemon Institute (2021). For investment firms, these third parties can include software providers, fund administrators, transfer agents, third-party management companies, distributors and a bewildering array of other firms – many of whom pose a risk of client data breaches and spillover cyber attacks. On top of that, a fourth party is any provider to your providers, and is an often-neglected area of risk. Companies should maintain inventories of their providers and indirect exposures, and should seek to monitor all of them.

  2. Include cyber risk in investment due diligence

    Cyber due diligence is becoming a critical area of investment due diligence. Initial checks and ongoing monitoring of investment portfolio companies should be treated like AML and KYC checks: you would never work with sanctioned individuals or indirectly facilitate terrorist financing, so why would you expose your clients to unnecessary cyber risk? This is a particularly pertinent point when it comes to Venture Capital and Private Equity firms with a small number of tech-enabled companies in their portfolios. Security is a potentially existential risk for such companies, particularly in their early stages, and a combination of due diligence and continuous threat intelligence can help a fund measure and mitigate these risks.

  3. Invest in IT Security teams & solutions

    A certain kind of asset manager has long considered IT to be a back-office function, neither seen nor heard. Today, IT Security needs to be recognised as a front, middle and back-office investment. Without well-funded, competent teams, an investment company’s IT infrastructure, staff awareness and third-party exposure will suffer.

