Credits: FT News
Andreas Utermann of Allianz Global Investors is under attack. “I’m being impersonated every day,” said the chief executive of the €513bn fund house. “The CFO and board members get emails asking for money which are designed to look [as if] they’re from me.
It happens all the time. We’re wise to it and we have procedures to deal with it but it’s clearly a concern.” Mr Utermann is one of the many financial services executives who are targeted or whose name is used by cyber criminals. In this case, crime pays — hackers net more than $600bn a year, says McAfee, the cyber security specialist. Fund companies, which collectively manage trillions of dollars and hold oceans of data on customers, are logical targets.
Now regulators are forcing fund managers to face up to how exposed they are. The EU-wide General Data Protection Regulation, which came into force on Friday, requires companies to report any breach of personal data to the authorities within 72 hours.
Failure to comply could lead to fines of up to €20m or 4 per cent of global turnover, whichever is greater. “This legislation is game-changing,” said Matthew Martindale, head of investment management cyber security at KPMG, the consultants.
“It goes beyond just reporting to regulators. It’s about how you report internally, to third-party stakeholders, to business partners and to customers whose data has been breached.” Until now, fund companies have been reluctant to admit their vulnerability; there was no requirement to report minor hacks although regulators did encourage voluntary disclosure.
The worry is that cyber hacks are rampant within fund management — a concern that will be put to the test with GDPR.
The number of cyber attacks reported to the Financial Conduct Authority shot up last year, but these figures are thought to only scratch the surface. The FCA was told of 69 cyber incidents last year, up from 38 in 2016 and 24 in 2015.
Asset managers reported 16 incidents in 2017, up from three in 2016 and four in 2015. “While some fund managers who manage to contain breaches may want to brush them under the carpet, that option is no longer within their gift,” said Mr Martindale.
“The regulator is very clear about what needs to be reported and within what time.” Last year KPMG asked chief executives of asset management companies if their businesses were prepared for cyber attacks. Only 39 per cent felt they were. It is a similar story in the US.
The Securities and Exchange Commission, the regulator, reviewed investment companies’ procedures last year and found widespread failings. More than a quarter of businesses did not regularly conduct risk assessments to identify threats, vulnerabilities and the possible effect on their business. More than half of US investment companies did not conduct penetration tests on their critical systems, while 4 per cent had a significant number of out-of-date security patches. The SEC later admitted flaws in its own software, which had opened the door to hackers.
“We must be vigilant,” said Jay Clayton, SEC chairman. “We also must recognise, in both public and private sectors including the SEC, that there will be intrusions and that a key component of cyber risk management is resilience and recovery.” In Britain, the Investment Association has stepped up its work in the area. In April it formed a cyber security committee to work with fund managers, regulators and public bodies to promote training and share guidance. It also set up online learning for asset managers and ran its first cyber security conference. The IA also gave a presentation of its cyber security initiative to the UK government’s asset management task force, made up of industry chief executives and hosted by John Glen, economic secretary to the Treasury.
Pauline Hawkes-Bunyan, director of tax, compliance and risk at the IA, expects that GDPR will lead to asset managers being more willing to share information with rivals. “Data security is very important for the industry,” she said. “Investment managers will have to comply with GDPR obligations in terms of reporting and accountability.”
The IA is working with City of London Police, whose 730 officers cover the Square Mile (the larger Metropolitan force covers Greater London). Its latest initiative, Cyber Griffin, aims to improve finance companies’ security.
Officers will brief asset managers on threats, share intelligence and give detail on how to respond to attacks. Despite the obvious draw for cyber criminals, no fund company has publicly reported a large cyber attack.
The biggest breaches in financial services have been at banks and brokerages, such as JPMorgan Chase, eTrade and Scottrade. Equifax, the credit reporting group, last year admitted that hackers had stolen information identifying 143m Americans and 15m Britons. The data included 200,000 credit card numbers. Mr Martindale said industries other than asset management have proved easier targets, but executives should not be complacent.
He warned that fraudsters could switch their attention to them if other companies increase security. “Other organisations have probably been lower-hanging fruit but they will have learnt their lessons,” he said.
A poll of asset management executives by Osney Media and BackBay Communications in March showed that many expected the cyber threat to grow. Two-thirds said cyber criminals posed a greater threat in 2018 than it did in 2017, with just 2 per cent saying the risk was less. Half said they planned to increase spending on cyber security, while a third said better cyber security was a business priority for their company.