Institutional investors have traditionally been concerned
about business-related operations, such as liquidity, portfolio management
systems, and how trades are best executed. However, 2019 is the year that a new
threat comes to light – financial fraud.
As the operations within financial firms become ever more
dependent on technological solutions, cybersecurity attack vectors are becoming
more clever than before. These attacks include schemes such as phishing, wire
transfer fraud, and vendor payment fraud – all of which are easier to complete
if employees and vendors are not trained to avoid them.
The digital security of many financial firms has reached
such dire straits that the SEC’s Office of Compliance Inspections and
Examinations (OCIE) released a formal Risk Alert on April 16, 2019. The alert asserts
that many firms are lacking when it comes to safeguarding customer data, and many
of them have open system vulnerabilities. More importantly, the report also
points out that employees need to be educated on how to properly handle data
and identify fraudulent attempts to get information.
Digital Security is Not Just Technology-Focused
There is a common misconception among institutional
investors that technology loopholes are the only thing digital attackers can
exploit. While a robust technology suite is critical to maintaining security and
preventing data leaks, the employees and vendors are the most easily
manipulated. Today, most cases of leaked data stem from an employee giving
access to somebody who might warrant legitimate access without asking any
People are not foolproof. It’s important to have a contingency plan in the event that failure occurs. Agio, an IT infrastructure and hedge fund cybersecurity firm, asserts that a comprehensive incident response plan is something every firm needs.
There is No Fool-Proof Solution
Incident response plans are becoming more popular as firms
realize that it is impossible to prevent all digital attacks. There is no way for
a system to account for every potential attack vector and protect against them,
which is why firms are shifting towards software to detect potential
leaks early and plug them as soon as possible. Market research shows that firms will
likely double their information security budgets by 2020 to address this
growing need. It is essential to realize that technology is continuously
evolving, so incident response plans must be updated periodically too.
Systems and Vendor Testing
For institutional networks, a firm’s network is only as
secure as the weakest link – which could be a vendor. According to a recent
study, over 63% of data breaches begin with a vendor’s cybersecurity failure,
but only 52% of firms have formal security requirements for their vendors.
Since financial services firms typically work with a huge number of vendors,
it’s essential to understand their capabilities, the type of information they
have on hand, and how secure their digital security process is. More
importantly, firms should also thoroughly vet whether or
not vendors should be privy to all the information they are receiving – a
server management vendor shouldn’t have the ability to access fund holdings,
Preventative Measures over Reactive Measures
It’s not possible to plug every single hole. However, it is
possible to create a plan of action for as many points of failure as can be
detected – which is what Agio recommends. It might not be cost efficient for a
firm to conduct a comprehensive digital security review in-house, but Agio is a
vendor that does offer a deep digital security audit service. At the end of the
day, it’s important to lay down the groundwork for a quick response to minimize
damages in the event of any data breach – big or small.