How Asset Management Firms Can Combat the Growing Threat of Cyber Attack
With asset management firms facing mounting cyber risks and increasing regulation, general counsels must get up to speed quickly on the dynamic cyber threat landscape and take a leading role within their firms to implement best practices to harden their digital infrastructures and respond to cyberattacks and incidents.
The financial services industry — and asset management firms specifically — are increasingly in the crosshairs of cyber attackers and intruders. Indeed, the threat of digital attacks in the sector has evolved from just one of many risk management concerns to a pressing, existential threat. In 2016, then-Chair of the Securities and Exchange Commission (“SEC”) Mary Jo White said cybersecurity risk was "one of the greatest risks facing the financial services industry and will be for the foreseeable future."
Many asset management firms, however, have not confronted that risk in a robust manner. But in recent years, regulators around the globe have progressively trained their attention on the cybersecurity postures and protections of asset managers in particular. In August 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) revealed the results of its so-called sweep of 75 asset management firms to assess their cybersecurity policies and procedures and, most importantly, their implementation. The resulting report uncovered widespread deficiencies that the OCIE staff used to develop guidelines that asset management firms could deploy to improve their cybersecurity policies and practices.
And regulators are getting serious about penalizing companies that fail to implement adequate and appropriate cybersecurity countermeasures. In September 2018, the SEC imposed a $1 million fine against Voya Financial Advisors (“VFA”) for a breach that compromised thousands of customers’ personally identifiable information (“PII”), marking the first SEC enforcement of its Identify Theft Red Flags Rule since 2011. In a press release detailing the charges, Robert Cohen, chief of the SEC Enforcement Division’s Cyber Unit, said: “This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models. They also must review and update the procedures regularly to respond to changes in the risks they face.”
Until now, asset management firms, to some extent, have flown under the radar with regard to their cybersecurity postures, practices and histories; they are not in the public eye as often as large banks, retailers or other mass consumer organizations. However, their vulnerabilities are beginning to show. Custodians of more than $74 trillion of pension funds and institutional wealth worldwide in 2017, asset management firms of all sizes are tempting targets for hackers seeking to steal customer data, financial information or even the closely guarded trading algorithms upon which these businesses increasingly rely. (Smaller firms are more attractive to criminals who believe, often rightly, that they will be easier to penetrate.) The mountain of valuable assets these firms manage places them in the crosshairs of cyber criminals. As Willie Sutton reportedly replied when asked why he robbed banks, “Because that’s where the money is.” And for asset manager general counsels today, that’s where the biggest risk to their businesses lies.
Trading Algorithms Are Targets; Third-Parties Are Gateways
For asset managers, the risks go beyond the PII they collect and store, and the accounts they manage, to include their crown jewels: their in-house trading strategies and algorithms, as well as the integrity of the trades they conduct. Those trading algorithms, designed to take advantage of price shifts that may last only milliseconds, have become critical to asset management firms as trading has become too fast for humans to conduct.
Naturally, these algorithms are valuable to cyber criminals, who often reach them through relatively simple means such as phishing attacks. According to a 2015 Financial Times report, cyber criminals had already launched several targeted attacks designed to steal the source code for these automated trading models along with other high-value intellectual property, such as data on companies in which asset managers invest. Hackers can hold these algorithms for ransom, sell them to competitors or unscrupulous traders, or put them to work themselves.
Another cyber Achilles’ heel for asset managers are the third-party systems, vendors and contractors upon which they rely. Indeed, in the case of the VFA breach, according to the SEC, the company gave its independent contractor’s representatives access to its brokerage customer and advisory client information through a proprietary web portal. Cyber intruders then impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The hackers were then able to access VFA customers’ PII and take control of their accounts.
According to the SEC, VFA failed to apply its own cybersecurity procedures to the systems used by its independent contractors, who made up the largest part of its workforce. In the digital age, every organization is increasingly dependent on third-party vendors and partners for many facets of their businesses. An average of 63 percent of the personal and sensitive data possessed by all companies across all industries is disclosed to or managed by third parties. Exacerbating this problem is a lack of transparency into the distributed technology environment. According to a recent survey by the Ponemon Institute, 67 percent of respondents said their company did not have an inventory of all their third-party vendors. In other words, they didn’t possess a record of who all their vendors were.
Asset managers are particularly dependent on third-party systems for many of their day-to-day functions, “from obtaining security data and risk analytics that inform investment decisions, to order management and trade execution systems that facilitate placing and executing trades, to accounting and performance systems and service providers that are used for reporting and recordkeeping purposes,” according to a BlackRock whitepaper.
They rely on a number of financial market infrastructures, including exchanges, central clearing counterparties, electronic trading and affirmation platforms and trade messaging systems. In this mix also are external custodians responsible for holding and safeguarding client assets, as well as facilitating the settlement of transactions. Any weak link in these networked systems could become an easy vector for cyber attackers. But, sadly, just 7 percent of in-house counsels surveyed by the Association of Corporate Counsel said they were highly confident that their third-party vendors were able to protect their companies from cybersecurity risks.
Increasing Risk, Increasing Regulation
Regulators know this and have moved accordingly. A number of new data privacy and cybersecurity laws have emerged around the globe, from the European Union's GDPR to California's new privacy law requiring companies to identify with certainty all the third-party service providers that access, process or store personal and regulated data on behalf of their client companies.
And regulators will pursue action for compliance failures, not just damaging hacks and breaches. In 2015, the SEC's Enforcement Division announced a settlement with R.T. Jones Capital Equities Management for its failure to establish reasonable cybersecurity policies and procedures even though there was no evidence that any PII was ever stolen or even affected. In 2016, the SEC charged Morgan Stanley Smith Barney for failing to adopt written policies and procedures reasonably designed to protect customer records. That resulted in the access and transfer of 730,000 customers’ PII to an employee’s personal server, fining the company $1 million, despite the absence of any evidence that the PII was compromised.
These enforcement actions are not limited to large firms. In 2017, the acting director of the OCIE reported that his office had substantially increased the number of its examinations of investment advisors and increased the size of its staff to cast as wide a net as possible. This means that not only is the SEC size-agnostic, its capabilities have been enhanced to act against any asset management firm if the controls and policies it possesses (or says it possesses) have not been implemented adequately and integrated throughout the firm. As a result, every asset management firm, no matter its size, must understand its cybersecurity obligations and design, implement and regularly monitor its policies, procedures and controls.
New Responsibilities for General Counsels
Across industries, cyber threats sit atop the corporate risk agenda, and managing and mitigating that risk falls within the purview of the general counsel. In fact, nearly three-quarters of legal departments defined cybersecurity as their top-priority risk issue, according to Grant Thornton’s 2017 Corporate General Counsel Survey, with 58 percent of legal departments highly involved in responding to data security risks and nearly a quarter having primary responsibility for the issue.
While asset managers’ legal departments historically have been focused on other types of risk mitigation and prevention, cybersecurity must now become job number one. Much of the technical work of cyber defense may be carried out by the chief information officer (“CIO”) and chief information security officer (“CISO”) functions, but in today’s dynamic and potentially dangerous threatscape, with new regulations promulgated at internet speed, the general counsel’s involvement is a strategic requirement for reducing a firm’s liability. The in-house counsel’s role can and should be both proactive and reactive, and general counsels must take the lead not only in responding to problems and risks (and mitigating the reputational damage that comes along with them) but also averting them, ensuring the security of critical data and algorithms and compliance with evolving rules. And when breaches occur (as they almost inevitably do), the general counsel’s office also will be responsible for leading the response plan, coordinating with all the firm’s internal teams and communicating with regulators and law enforcement.
It is the general counsel’s duty to stay on top of the rapidly emerging and evolving laws and regulations — rules that can vary by state or country. Rules that are of particular importance today for the asset management industry include:
- The Safeguards Rule, Rule 30(a) of Regulation S-P, which requires that every registered broker-dealer and investment adviser adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. Those policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats to the security or integrity of such records and information, and guard against unauthorized access to or use of them.
- The Identity Theft Red Flags Rule, Rule 201 of Regulation S-ID, which requires financial institutions to develop and implement a written identity theft prevention program, as VFA was fined for failing to do adequately.
Although the pre-internet Investment Advisers Act of 1940 has no specific cybersecurity language or provisions, some legal experts warn that an asset manager’s failure to make reasonable efforts to design and implement a cyber risk management program could be seen as a violation of its anti-fraud and fiduciary rules.
General counsels must understand that the SEC has discovered that most asset managers have failed to implement and test their cybersecurity policies and practices adequately and is focused on ensuring that they protect both client information and valuable proprietary information and IP going forward. Specifically, the SEC expects asset managers to create and apply cybersecurity practices that include governance, access rights, data loss prevention, vendor management, employee training and incident response planning.
They will also need to ensure that those policies and procedures are not only developed but integrated into the company and periodically tested.
Best Practices for Cyber Risk Management
While general counsels have many responsibilities, they must now consider cyber risk management as core to their role. So, where to begin? While this relatively new responsibility will be challenging for many general counsels, there are a number of actions they can take to better position their firms to prevent and respond to the growing cyber threat.
- Build collaborative relationships with IT and cybersecurity. General counsels should get to know the language of cybersecurity. They must endeavor to become a trusted partner to the CIO and CISO to make sure that their firm’s legal organization is immediately involved in the event of any breach or crisis.
- Audit key assets and the processes in place to protect them. As it is impossible (and costly) to protect everything equally, general counsels should be sure that the organization has conducted a thorough audit of the data it possesses to identify its crown jewels, prioritizing high-value customers and financial and IP-related data, including trading algorithms, whether held in-house or by third parties. General counsels should work across functions to understand the specific risks and issues that could arise if a breach were to occur and compromise any of these assets.
- Address third-party risk. “Vendor management, including the risk profiling of all third-party service providers, should squarely sit with the legal department,” says Susanna McDonald, vice president and chief legal officer at the Association of Corporate Counsel. “Otherwise, the legal department will not be fulfilling its duty of risk mitigation and prevention. The department will only be set to solve serious problems such as data breaches in a reactive rather than proactive manner.” General counsels should perform vendor due diligence before committing to any new contracts, creating a standard data privacy and security addenda that can be attached to vendor contracts, and consider requiring vendors with access to high-value information to provide independent third-party security assessments or audits. They should also create a plan that will provide for ongoing vendor security assessments.
- Undertake a thorough gap assessment of policies and procedures, including ensuring a proper incident response plan is in place. A critical aspect of minimizing the impact of cybersecurity incidents is preparing for them before they happen. General counsels should ensure that there are thoroughly understood and widely disseminated policies and procedures to be followed if there is an incident, including clearly defined roles for everyone in the firm, and oversee regular testing of that plan. However, it is often difficult to see or assess what is under your nose, what you see every day. Therefore, not everything is best handled in-house. General counsels and their organizations will be best served by having experts — including forensics firms, outside counsel and public relations crisis communications firms — on call and on retainer.
- Review the company’s insurance program to assess coverage for cyber risks. The legal department should make sure those policies provide a strong basis to recover the costs and liabilities associated with cyber incidents before they happen.
- Prepare for potential litigation. Cybersecurity incidents increasingly result in class action lawsuits, alleging anything from violations of federal securities laws to breaches of contracts to various state-law claims. Preparing for those possibilities in advance will be of great help in defending against them.
- Be ready to respond. In the event of an incident, the general counsel’s office will need to spring into action, particularly in the first 48 hours after a breach or hack has occurred. The general counsel’s role will include advising or managing incident response and investigation teams, preparing legally required consumer notification and disclosures to various agencies, analyzing digital forensic reports and physical security investigative reports, summarizing events for company executives and board members, overseeing media response, and preparing for potential litigation and governmental proceedings.
The question is not if but when an asset management firm will find itself on the wrong side of a cybersecurity incident. Any attacker with the resources and reason to infiltrate a network will do so. The asset management industry currently has not only high-value targets for cyber criminals — customer data, financial information, successful trading algorithms — but, according to regulators, weak safeguards protecting them. General counsels must be involved as early as possible, and to the fullest extent possible, in mitigating and responding to this growing and potentially existential threat.
© Copyright 2019. The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.
About The Journal
The FTI Journal publication Offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.