Alternative fund firms should be on high alert for cyber threats. The big banks have effectively steeled themselves against attacks, so the thieves are going after the next tier of financial firms—the ones who move large amounts of money in and out of bank accounts.
That was the central message from the panel on Cyber Threats, Fraud, and Cloud Computing at the Managed Funds Association MFA West conference in Los Angeles on March 7 and 8. Security professionals from large financial institutions, fund compliance officers, and a special agent from the FBI were on the panel.
According to the FBI, the world’s largest banks are spending as much as $1 billion per year on cyber defenses, making themselves virtually impenetrable. As a result, attackers are targeting asset and fund managers as conduits into the banking system. Fund firms are vulnerable to material losses and severe reputational damage in a successful breach.
So what should fund managers be doing to mitigate their vulnerabilities? While several defensive technologies are available, the human factor is the weakest link in the cybersecurity chain. Email “phishing” and social engineering are still the most prevalent and effective attack methods despite many highly publicized incidents. These are techniques used to deceive employees into clicking on attachments or links that launch malware or to steal credentials that allow entry into a firm’s network. Effective training to prevent your staff from falling prey to such deception is the essential first line of defense. Ironically, high-level executives are often prime victims of social engineering because they have not been as well trained as staff members to recognize fraudulent behavior.
Fund managers are also vulnerable through their service providers, the panel noted. It is essential to assess prospective service providers’ security posture during due diligence, and contracts should explicitly require vendors to notify your firm if they are breached. Firms and vendors using large, brand-name public cloud providers may be lulled into a false sense of security, when in fact those providers take responsibility for securing only their own infrastructure and services. Users are responsible for securing their own data and applications running in public cloud environments. It’s important to understand precisely where the provider’s responsibility ends and yours begins.
Private clouds are another matter. Outsourcing providers that host applications in their own private cloud instances will likely assume greater responsibility for security. However, fund managers should monitor them regularly to ensure they are keeping their end of the bargain, with periodic audits to prove it.
Because of the heightened regulatory scrutiny on cybersecurity, fund managers are often reluctant to report breaches for fear of being sanctioned for weak controls. The FBI says this is a mistake. The bureau does not have any regulatory role, nor is it obligated to report incidents to any other agency. The FBI’s sole concerns are catching the perpetrators and making the victims whole. The FBI boasts a fairly impressive 82% cyber theft recovery rate. Do not hesitate to report a breach to the FBI. And don’t delay—given how fast money can move to offshore accounts, the first 48 hours are critical.
The FBI suggests checking out its Internet Crime Complaint Center for tips and to familiarize yourself with the incident reporting process to get ahead of potential attacks.
Written by Tim Kropp