Digitisation leaves the funds industry at a crossroads of innovation and vulnerability, as cybersecurity within financial firms remains a major concern, reports Benjamin David.
The funds industry, embracing cutting-edge digital solutions with increased fervour, finds itself vulnerable to hackers. According to tech company VMware, the first half of 2020 saw a 238% increase in cyber-attacks targeting financial institutions.
Likewise, research by IBM and the Ponemon Institute found the average cost of a data breach in the financial sector in 2021 to be $5.72 million. These attacks compromise financial assets and sensitive data, threatening the cornerstone of trust within the sector.
Against this backdrop, significant questions arise: What are the implications of the cyber-attacks, what about the regulatory landscape and what proactive steps can fund managers take to protect their businesses?
Digitalisation and cyber vulnerabilities
Digitalisation in the funds industry refers to adopting and integrating advanced technologies, including artificial intelligence, blockchain and data analytics, streamlining operations, enhancing investor experiences and improving decision-making processes. Through digitalisation, fund managers can automate tasks, attain deeper market trend insights and boast more personalised investment solutions, ultimately increasing efficiency and competitiveness in the market.
Yet, the funds industry has experienced a significant increase in cybersecurity concerns over the past decade due to the digitisation of financial services. Rahul Bhushan, co-founder of Rize ETF, notes that “the adoption of cloud computing has introduced new security risks, while social engineering attacks targeting employees have become a major issue”.
One risk is failing to realise that while cloud providers secure infrastructure, it is organisations themselves that must secure everything else. Failure leads to unprotected cloud workloads.
This concern proliferates across the industry. According to the results of the inaugural ‘Crestbridge Alternative Manager Mood Index’, when asked about the most pressing topics for investors during the fundraising due diligence process, a majority of respondents identified cybersecurity (71.43%) as a top concern.
Shaun Davies, director of client operations at Crestbridge, says the industry is an attractive target due to the large amounts of financial data that hackers seek. Investors, therefore, are increasingly concerned about the potential economic and reputational damage that may arise from cyber-attacks on their fund managers.
This chimes with a recent blog by cybersecurity firm Palo Alto. According to them, the rationale is simple: “Threat actors target organisations that have what they want and what pays big – data and money.”
Meanwhile, European financial institutions have been called on to fortify themselves against an escalating cybersecurity threat that is exacerbated by geopolitical conflicts and hinders economic resurgence post-Covid.
What to do about it?
Fund managers might be wondering what specific steps and strategies they should adopt to fortify their cybersecurity posture and comply with relevant regulations.
According to Michael Johnson, group head of institutional services at Crestbridge, which provides administration services to investment funds, fund managers should understand global cybersecurity standards like the NIST Cybersecurity Framework, ISO 27001 or the UK's Financial Conduct Authority (FCA) and other regulatory body guidance about internal practices. Furthermore, integrating cybersecurity into the business continuity plan and conducting regular third-party audits can ensure preparedness and continued compliance with evolving regulations, Johnson says.
Notably, the UK has several acts in place, including the Fraud Act 2006, the Data Protection Act 2018 and the Computer Misuse Act 1990.
The Cybercrime (Jersey) Law 2019 is another noteworthy regulation, given the British Crown Dependency’s large private assets industry.
The FCA has emphasised the need for firms to protect sensitive data and also recommends foundational steps for effective cybersecurity management, including data identification, access reviews, encryption and system maintenance. Additionally, operational resilience rules have been introduced, requiring firms to maintain operational capability in the face of disruptions.
The new regulations necessitate that financial entities in the UK fully comply by March 31, 2025. Furthermore, the FCA plans to consult on requirements for third parties in 2023 after gathering feedback from a 2022 discussion paper.
Beyond regulation, the industry is advised to implement a layered approach to cybersecurity, combining technical solutions such as firewalls and intrusion detection systems with employee training.
According to Johnson, "Balancing digital innovation with cybersecurity in the funds industry requires a strategic approach. Digital solutions should be developed or implemented using 'secure-by-design' principles, with data protection and risk mitigation at their core.”
For Johnson, this includes advanced encryption algorithms, zero-trust architectures and distributed ledger technologies for data integrity. Simultaneously, employing threat intelligence platforms can identify emerging cyber-threats, he adds, while advanced machine learning algorithms can predict and prevent breaches before they occur. “This integrated approach ensures competitiveness without compromising security,” states Johnson.
Managed security services providers are also being increasingly utilised to manage cybersecurity risks effectively. Factors such as the use of mobile devices and remote work, the sophistication of cyber-crime techniques like ransomware and phishing and the complexity of regulatory requirements, including GDPR, are additional challenges that need to be considered in cybersecurity strategies.
Outsourcing cybersecurity also offers numerous benefits to businesses. Leveraging the expertise of managed service providers (MSPs) offers companies a chance to achieve cost savings and to sidestep the overheads of an in-house team.
This model ensures that specialists swiftly identify and counter the latest security threats, facilitating enhanced risk management. As businesses grow, the scalability of outsourced services ensures they remain protected without significant investment in new technologies.
Furthermore, MSPs’ advanced tools and analytics optimise security protocols, ensuring businesses are shielded against both current and emerging threats. Ultimately, entrusting cybersecurity to experts gives business owners peace of mind, allowing them to focus on core operations while confident in their data's protection.
Despite the increasing technological defences, the role of employees in cybersecurity cannot be overstated. Regular training dramatically reduces the risk of breaches, with human errors being the cause of 95% of incidents in 2021, according to IBM. Proper training equips employees to better protect sensitive data and respond effectively to breaches. For businesses in regulated sectors, it ensures compliance and prevents legal issues.
Consistent cyber-training instils a security-centric culture, making employees vigilant against emerging threats. As cyber challenges intensify, employee training remains crucial to ensure an organisation's robust defence and uphold stakeholder trust.
Innovation and vulnerability
The digital evolution of the funds industry heralds unprecedented opportunities for streamlined operations, enhanced investor experiences and data-driven decision-making. However, with this digital boon comes a heightened susceptibility to cyber-threats.
Financial institutions, now more than ever, are at the crossroads of innovation and vulnerability. Proactive measures, including strict regulatory adherence, robust technical infrastructures and continuous employee training, are imperative.
By strategically balancing innovation with cybersecurity, the funds industry can ensure sustained growth, maintain stakeholder trust and safeguard the financial assets and sensitive data that form its backbone. The journey forward necessitates vigilance, adaptability and a commitment to excellence in both digital transformation and cybersecurity.