Cybersecurity Governance: Why Institutional Investors Need to Care

Institutional investors have traditionally been concerned about business-related operations, such as liquidity, portfolio management systems, and how trades are best executed. However, 2019 is the year that a new threat comes to light – financial fraud.

As the operations within financial firms becomes ever more dependent on technological solutions, cybersecurity attack vectors are becoming more clever than before. These attacks include schemes such as phishing, wire transfer fraud, and vendor payment fraud – all of which are easier to complete if employees and vendors are not trained to avoid them.

The digital security of many financial firms has reached such dire straits that the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a formal Risk Alert on April 16, 2019. The alert asserts that many firms are lacking when it comes to safeguarding customer data, and many of them have open system vulnerabilities. More importantly, the report also points out that employees need to be educated on how to properly handle data and identify fraudulent attempts to get information.

Digital Security is Not Just Technology-Focused

There is a common misconception among institutional investors that technology loopholes are the only thing digital attackers can exploit. While a robust technology suite is critical to maintaining and preventing data leaks, the employees and vendors are the most easily manipulated. Today, most cases of leaked data stems from an employee giving access to somebody who might warrant legitimate access without asking any questions.

People are not foolproof. It’s important to have a contingency plan in the event that failure occurs. Agio, an IT infrastructure and hedge fund cybersecurity firm, asserts that it a comprehensive incident response plan is something every firm needs.

There is No Fool-Proof Solution

Incident response plans are becoming more popular as firms realize that it is impossible prevent all digital attacks. There is no way for a system to account for every potential attack vector and protect against them, which is why firms are shifting towards early software to detect potential leaks and plug them as soon as possible. Market research shows that firms will likely double their information security budgets by 2020 to address this growing need. It is essential to realize that technology is continuously evolving, so incident response plans must be updated periodically too.

Systems and Vendor Testing

For institutional networks, a firm’s network is only as secure as the weakest link – which could be a vendor. According to a recent study, over 63% of data breaches begin with a vendor’s cybersecurity failure, but only 52% of firms have formal security requirements for their vendors. Since financial services firms typically work with a huge number of vendors, it’s essential to understand their capabilities, the type of information they have on hand, and how secure their digital security process is. More importantly, thorough analysis should also be conducted on vetting whether or not vendors should be privy to all the information they are receiving – a server management vendor shouldn’t have the ability to access fund holdings, for example.

Preventative Measures over Reactive Measure

It’s not possible to plug every single hole. However, it is possible to create a plan of action for as many points of failure as can be detected – which is what Agio recommends. It might not be cost efficient for a firm to conduct a comprehensive digital security review in-house, but Agio is a vendor that does offer a deep digital security audit service. At the end of the day, it’s important to lay down the groundwork for a quick response to minimize damages in event of any data breach – big or small.