Cybersecurity: What Fund Firms Can Learn from the Latest Data Breaches

News of data breaches at major retailers like Target and Home Depot has signaled that cyber-attacks are no joke. Firms face a huge risk if their security fails in the event of a data breach, malware like GameOver Zeus or a bug like Heartbleed.

They may sound like the titles of 8-bit puzzle-platformer games of the ’90s, but GameOver Zeus and Cryptolocker are sophisticated computer viruses. They grabbed headlines because law enforcement agencies and private security companies fought back against cybercriminals and stopped the further spread of this malware network. High-profile viruses like these, as well as cyber-attacks on global companies like eBay, serve as a strong reminder that we cannot afford to be complacent about cybersecurity measures.

Greg Medcraft, chairman of the board of the International Organization of Securities Commissions (IOSCO), recently said the next major financial shock will come from cyberspace.

Organizations may have secure protections in place, but cyber threats are constantly evolving, making it ever more difficult to detect and halt attacks. While the reasons for the attacks can vary from greed to a form of protest, the targets are usually financial firms. As explained by Mark Manley, senior vice president, deputy general counsel and chief compliance officer at AllianceBernstein, “Probably 10 years ago cyber threats were viewed by some as an IT problem, but for asset managers and funds today, this has to be a central business imperative.” Fund managers must make sure that confidential client data is kept safe.

Invest more in preventative measures

Just as there is more than one reason for cyber-attacks to occur, there is more than one benefit to preventing them. For starters, being vigilant about security is a good way to ensure client loyalty and create a good reputation for the company. These aspects are, in some ways, worth just as much as whatever financial benefits are gained. Consider this study from the Ponemon Institute. The report says, in part, “The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers.” The report also mentions some specific numbers:

“When asked about the level of investment in their organizations’ security strategy and mission, on average respondents would like to see it doubled from what they think will be spent—an average of $7 million to what they would like to spend—an average of $14 million.”

Moreover, this fool.com article explains how spending more on security could mean saving money in the long run. “After companies like eBay, Adobe, and Target are breached, they must spend heavily to rebuild their public images and acquire new customers,” it says. “Litigation costs could also pile up—lawsuits against Target and its credit card security company, Trustwave, are still ongoing.”

This summer, Securities and Exchange Commission (SEC) Commissioner Luis Aguilar went so far as to call on corporate boards to ensure the adequacy of their corporations’ cybersecurity measures and help oversee risk management. And just this week, the possible breach of Home Depot’s customer data led the company to hire Symantec and Fishnet Security to investigate. “Target and now Home Depot are both seminal moments,” said John Stewart, chief information security officer at Cisco Systems.

The single best way to enhance security is to start in-house by educating employees on the risks of cyber-attacks and teaching them what to look out for. Some fund firms have tested their employees’ awareness using e-scams.

Understand the credentials of outsourced providers

But beyond employees, it’s critical to know the security credentials of outsourced providers. Today, nearly every firm relies in some way on outsourced software and cloud services. But not every company is awarded a certification for its security standards. Features like two-factor authentication can be advantageous in the fight for security. And there are other methods to keep customers protected. For example, Facebook and Google use crowdsourced white-hat hackers to look for any flaws in the system, as does eBay. Perhaps this is a tactic that fund firms should consider. Active involvement of the C-suite is also important, as PwC’s 17th Annual Global CEO Survey shows.

Have a plan for the worst-case scenario

Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library.

Still, even with the best of intentions and some top-of-the-line security measures, not all cyber-attacks can be prevented. Therefore, planning for the worst-case scenario is important — and making communication a central part of the plan is essential. Even if a company has not been directly affected by a cyber-threat, it’s smart to keep customers informed. As Pat Allen said in her blog post about Heartbleed, “[The virus] was an opportunity for a firm to demonstrate the attributes of being social—transparency, accountability and authenticity among them.” These qualities will likely reassure customers that they’re doing business with a reputable firm. Furthermore, sharing information about threats and attacks with relevant authorities can help to prevent future attacks.

Make cybersecurity imperative

While the Internet has granted us unprecedented access to information, the sad reality is that there are some people who would choose to use that access for nefarious purposes, making cybersecurity imperative. In the wake of recent hacking scandals, privacy breaches and leaks, regulators are stepping in. Fund firms must create change from within to make the web a safer place, and the solution lies in being prepared, using open communication and working together.