Cybersecurity has emerged this year as the top concern for most investors. Shaun Davies, Crestbridge's director of client operations, discusses why, and what fund managers can do to secure their own and their investors' data.
The increasing digitisation of the financial services sector has brought many benefits, including enhanced efficiency, improved data management and streamlined processes. However, this transformation has also exposed the industry to the ever-growing threat of cyber attacks, leading to an increased focus on cybersecurity. The 'Crestbridge Alternative Managers’ Mood Index' (CAMMI) survey results highlight the prominence of cybersecurity as a hot topic for investors during the fundraising due diligence process.
The recent CAMMI survey reveals that most respondents (71.43%) identified cybersecurity as one of the top concerns for investors during the fundraising due diligence process. Rapid technological innovation and increased reliance on digital systems have made fund managers vulnerable to various cyber threats, including data breaches, ransomware attacks and phishing scams. The industry is an attractive target: investment funds hold large amounts of financial data, which draws hackers seeking financial gain. Investors, therefore, are increasingly concerned about the potential economic and reputational damage that may arise from cyber attacks on their fund managers.
In response to these concerns, fund managers are responsible for prioritising cybersecurity and adopting robust measures to protect their businesses, investors and sensitive data. Regulators across the globe have recognised the importance of cybersecurity and have implemented various regulations and compliance standards for investment funds. For example, the UK's Fraud Act 2006, the applicable Data Protection Acts and the Computer Misuse Act 1990 still apply, as does the Cybercrime (Jersey) Law 2019. In the US, the 2021 State & Local Government Cybersecurity Act has been introduced to improve coordination between states and federal agencies. Investment funds operating in the US must comply with this law and other applicable cybersecurity regulations.
The Office of Foreign Assets Control (OFAC) in the US is also making it harder for firms to pay hackers for ransomware attacks. While some firms may pay the ransom to regain control of their systems, evidence suggests that even if hackers are paid to "release" ransomware, information may have already been shared with other criminals. The OFAC's measures seek to prevent firms from inadvertently financing criminal activities.
Following a cyber attack, regulators expect firms to report incidents that have resulted in a significant loss of data, caused IT systems to become unavailable or uncontrolled, impacted a large number of clients, or led to unauthorised access to information systems. If a firm deems an incident material, it should report it through normal channels. Dual-regulated firms in the UK should also notify the Prudential Regulation Authority (PRA). Cyber attacks often lead to a loss of data, which may include sensitive information, so financial services firms must report such incidents to the Information Commissioner's Office or the local equivalent within the designated timeline (usually 72 hours). If hackers have successfully committed or attempted fraud, firms may need to report the incident to other entities, such as Action Fraud or the local police. Additionally, sharing information about the incident on the NCSC-managed Cyber Security Information Sharing Partnership (CiSP) platform in the UK can help other firms combat cybercrime.
As the financial services sector continues to evolve and embrace digital technologies, the importance of cybersecurity in the fund management industry cannot be overstated. The CAMMI survey results indicate that investors are acutely aware of the potential risks and seek fund managers who prioritise cybersecurity.
By implementing best practices, investing in employee training, and staying ahead of emerging threats, fund managers can effectively address investor concerns, safeguard sensitive information and maintain the trust of their clients. Ultimately, strong cybersecurity measures will be a crucial factor in the success and longevity of fund managers across all asset classes and businesses.
© 2023 fundsTech