Asset managers are an attractive target for cyber criminals. Managing some USD 78.7 trillion of pension funds and institutional mandates, they hold vast amounts of data and are increasingly reliant on technology.
Asset managers are also exposed to a wide range of cyber risks, including data breaches, ransomware, extortion, IP theft, wire fraud and spoofing, as well as business interruption from cyber attacks or outages.
There have been very few public incidences of cyber attacks against asset managers, but there is growing concern for cyber security among regulators. For example, earlier this year the UK regulator warned that cyber criminals are targeting asset managers, with attacks increasing year on year.
According to an assessment by the Securities and Exchange Commission (SEC), asset managers could do more to address cyber risks. It found that more than a quarter (26%) of US investment management firms do not carry out regular cyber security assessments while 57% do not test the vulnerability of their critical IT systems.
SEC Chairman, Jay Clayton recently issued a warning to financial services companies on cyber security, saying that the scope and severity of the cyber threat had increased dramatically.
According to Clayton, cyber security is “critical” to investors and market participants and the SEC is focused on ensuring that issuers, intermediaries and investors are identifying and managing cyber security risks.
Ironically, the SEC itself admitted in September that it had been hacked. Reports suggest that intruders may have stolen market sensitive information from the SEC’s corporate filing system known as EDGAR. The incident resulted in access to non-public information and may have provided the basis for illicit gain through trading, the SEC said in a statement.
Regulators are not alone in expressing concerns. Ratings agency Moody’s said in a report that cyber poses an escalating credit risk for the asset management industry as firms are exposed to reputational, monetary, litigation, and operational risks arising from potential cyber breaches.
Moody’s said that the boards of asset managers are increasingly focused on cyber risk and are ramping up security, however the cyber security programmes are less advanced than those of other large financial institutions.
Moody’s survey of US asset management companies found that 43% made their first presentation to boards regarding the company’s cyber security self-assessment within the last three years, rising to 79% within the past five years. Cyber-risk reporting to senior management is completed at regular intervals.
Moody’s also suggested that asset managers could face potential credit ratings downgrades if they fail to protect critical data. Both Moody’s and rival ratings agency S&P include cyber security as part of the credit ratings process for asset managers.
Investment and money managers are increasingly turning to cyber insurance to supplement their cyber risk strategies. In 2016 around 30% of US institutional money managers were thought to purchase cyber insurance, up from 5% at the start of 2014.
JLT recently launched specialist cover to address the cyber risks faced by asset managers. Enterprise Cyber covers a broad range of incident response costs including system restoration, privacy breach, digital media issues arising from third parties and cyber extortion. Insureds are able to access incident response services without negatively impacting their professional indemnity cover.
Enterprise Cyber also protects management fee income in the event of a notified cyber incident triggering unplanned redemptions.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org