So, is enough attention paid to the protection of their non-financial assets?
They say that information is power, and I’ve always thought that it’s particularly true in fund management. The very core of the business is about gathering information, analysing it and turning it into market-beating performance. ‘Inside information’ is so powerful that people go to prison when it’s in the wrong place. Many houses refer to their investment functions as ‘manufacturing’, but there’s no stock and no factory - information is the raw material and the output. This really is the peak of the ‘information economy’.
So, the one business that should recognise that information is worth protecting should be the fund management business. Last week I ran a briefing session for Non-Executive Directors (NEDs) from the fund management sector, and was pleasantly surprised to see that this is very true for those charged with providing governance over these firms. NEDs recognised the risks of handling information like live portfolio information, electronic payment instructions, and clients’ personal information.
In the briefing we talked about the new shape of the cyber threat – and I was a little taken aback by the level of engagement. It’s worth thinking about why I was so pleasantly surprised.
In the past I’ve heard fund managers decide not to prioritise cyber security on several grounds:
• “This sounds like science-fiction”
• “We’re not a high profile brand, so not an attractive target”
• “I’m not an investment bank, I haven’t got the resources to beat them”
During the discussion it came out that one London-based house trained its staff on this subject by attempting to value a memory card (like those in a mobile phone or a camera) containing their retail client database. Identity thieves will pay big money for personal information – and given that these databases usually hold bank account and “know your customer” information for many high net worth individuals, they’re an attractive target. So attractive, this house reckoned, that their little memory card was more valuable per square centimetre than the Mona Lisa.
So it’s likely that an economically rational fraudster will one day set out, in a determined way, to target that database, the systems that transfer billions of pounds (whether executed by an outsourced provider or not), or even pre-trade information that can be easily monetised in the market.
But this has been true for a few years, so what’s changed? In our discussion we focussed on criminal gangs who are skilled, resourced and determined. These are part of the new internet threat that has to some extent replaced the ‘old’ threats of viruses written by loners pursuing only cyber-kudos from their peers. So how does the new cyber threat relate to those risk attitudes I mentioned earlier? Here’s my view:
- This is real and it’s happening now. There are plenty of doom-merchants trying to scare people, but there is, at minimum, a kernel of truth here. Firms are being attacked, and they don’t speak about it for fear of client redemptions.
- A high profile brand might mean that casual attacks are more likely, but organised criminals are willing to do fieldwork. They look past the first few results on Google, and will target organisations that are less likely to go public about problems and less likely to pursue them to the courts.
- In any case, the likelihood may be debatable, but fund managers will be just as out-of-a-job as anyone else after a successful attack.
- Even the world’s largest investment banks admit that they can’t stop the criminals getting through every time. Increasingly, efforts are turning towards effective preparation for and response to breaches. This levels the playing field with criminals going for the firms that can’t act quickly and decisively when things go wrong.
Imagine the Mona Lisa left on a bench in a London street - it wouldn’t stay there for very long. It dawned on our group that every day firms expect internet criminals (not to mention all their employees and contractors) to simply walk past assets a lot like these and not be tempted.
Jon is a Director in Deloitte’s Enterprise Risk Services practice. Jon is an Asset Management technology risk specialist, having previously been Head of Technology Risk for a leading UK fund manager for over six years. He has led operational risk programmes covering third-party management, procurement, business continuity, project assurance and security.