The WannaCry cyber-attack unleashed in May that struck Britain’s National Health Service, Telefónica and Renault, among others, was billed by many around the world as a “wake-up call”. For too long, commentators said, the business community and investors had been overly complacent about cyber-security warnings, despite many listing the threat as one of their main concerns in recent years (see survey, p. 20).
The threat, or at least awareness of the threat and its consequences, has certainly been growing in recent years. In the UK alone, the country’s Financial Conduct Authority documented this year how in 2014 it received just five reports of cyber-attacks from the 56,000 firms it regulates. This figure increased to 27 in 2015 and to 89 last year, indicating both a rise in reporting and in attacks occurring.
Attacks have also become more large-scale and ambitious. Were malicious hackers to gain control of power stations, telecoms units and airports, lives could be put at risk as operators scramble to remedy the situation. But what are the risks at fund level? A wealth of information can be accessed in the event of a cyber-attack, but what would be at stake for both managers and their investors?
DATA IS KING
While ‘assets’ and ‘funds under management’ are the terms most often used when measuring the size of a fund manager, perhaps a more accurate description in this sense would focus on the ‘data under management’. Secure and sensitive information in both a personal and commercial sense about LPs is often held by funds, while performance information, specific asset data and either ongoing or planned company moves will also be at risk in the event of a cyber-attack.
“[At stake is] the loss of commercially sensitive information. For instance, M&A activity, information around portfolio companies or their strategy,” says Peter Johnson, senior vice-president and UK cyber-advisory lead at insurance and risk management firm Marsh. “If that was to get out, it could not only have a financial impact on the value of the assets themselves, but also have reputational damage for the fund itself.”
The risks and the outcomes will largely depend on the motives of the attacker, which range from those looking to extort, those seeking information for personal gain and disgruntled employees or former employees. Recent examples seen elsewhere of state-sponsored attacks also cannot be discounted at fund level.
“An attack effectively enables somebody to have an insider trading position,” Johnson continues. “There are many different permutations.”
The loss, or even just the unauthorised access of such data, is high among the worries of global institutional investors. In a survey last year, conducted by the US-based investment association CFA Institute, 45 percent of the 502 institutional investors surveyed highlighted a data or confidentiality breach as among the top five reasons they would withdraw from an investment firm. Put into perspective, this ranked only below concerns over underperformance and an increase in fees and above issues such as a lack of communication and regulatory sanctions. In other words, investors will not tolerate those that are – or just perceived as – lax with their cyber-security efforts. For fund managers, the threat is real.
FACING THE CONSEQUENCES
While issues surrounding data losses and confidentiality should not be treated lightly, the name of the game remains a financial one. So, when US-listed fund administration company SS&C Technologies last year released $6 million from the accounts of its commodities fund client Tillage Fund to what appeared to be representatives of Tillage, but were actually hackers from China, the fund was understandably furious and had to suspend its business. It launched legal action seeking $10 million in damages and accused the fund administrator of failing “to exercise even a modicum of care and responsibility in connection with known and obvious cyber-security threats”, an allegation SS&C denied.
“One thing we have definitely seen and would encourage other fund administrators to do is to enforce call-back procedures,” says Samantha Rule, information security officer at fund administration firm Maitland. “If they receive a request for payment and perform the call-back, make sure the request is a valid one and confirm the entire transaction before making the payment.” She adds that she sees a lot more attacks from email than anywhere else, with cyber-attackers aware “the weakest part [of the system] is the human part”.
While cases such as Tillage do not always result in expensive court cases, financial authorities are beginning to add an extra layer of risk to lax cyber-security measures with hefty punishments. While the US Securities Exchange Commission’s first cyber-security measure in 2015 only resulted in a $75,000 fine, it hit Morgan Stanley with a $1 million sanction following a data breach last year.
This pales in comparison with measures set to reach Europe in 2018 after they were approved by the European Commission. The General Data Protection Regulation will seek to impose penalties of up to €20 million for a data breach or up to 4 percent of turnover of the preceding financial year, whichever is higher. Those with their eyes off the ball when it comes to cyber-security are now playing a high-risk game.
“If we have a look at how companies are generally looking at cyber-security, we’re seeing their thoughts mature from ‘it’s not a problem I need to deal with’ to ‘I need to spend more money on cyber-security’ and now they think they need to buy insurance,” says Johnson.
His colleague Martin Bennett, managing director of the Marsh infrastructure team, adds: “There are some who are very receptive to understanding their risk and others still at quite a preliminary stage in their journey in terms of recognising there is an issue but not necessarily having tackled it to the full level of depth.”
BUILDING THE WALL
However, it appears this hasn’t quite hit home for some firms just yet. In the wake of the WannaCry attack, the SEC released some damning figures – 26 percent of 75 investment management firms surveyed did not conduct periodic risk assessments of cyber-security threats, while 57 percent did not conduct penetration tests on critical systems.
“We do a lot of user awareness training, making sure users are able to identify what a phishing attack looks like, for example,” Maitland’s Rule explains. “There are new threats arising every day. We don’t rely on one layer of defence to protect client information.”
Some of those in the infrastructure world are taking note and building their defences. French fund manager Antin Infrastructure Partners told us recently how it created an IT directors’ club across its portfolio companies that meets every quarter to share best practices. Similarly, French counterpart Ardian organises regular meetings with its company chief executives to share opportunities and risks, while UK developer John Laing states it has business continuity plans and data separately stored on multiple servers, which are backed up regularly.
“You need to have an incident response team, so that people are trained and prepared and know what plan to follow when responding to incidents as and when they occur,” Rule advises. “Back-ups, too, are important, but education means having knowledgeable first responders who know what steps to follow, rather than allowing ransomware to run riot across a network.”
Unpreparedness is no longer an option.