The cybersecurity research and publishing firm, Cybersecurity Ventures, recently published staggering numbers with respect to the increasing worldwide costs of cybercrime:
Why is all this money being spent? Cybersecurity threats are relentless, and the cost of a data breach can be crippling. Potential loss of customer data and corporate secrets, lawsuits, and regulatory scrutiny are all reasons CEO’s want to know how their firms are mitigating vulnerabilities and managing risk. These same issues should be of concern both to asset management entities as well as asset owners who deploy their capital to those managers.
Over the past year, Equifax’s handling of their data breach is a prime example of some of the potential consequences of a cybersecurity breakdown.
In 2017, Equifax suffered one of the largest breaches of personal information in history. Close to 150 million names and 145.5 million Social Security numbers were accessed by hackers due to a known software vulnerability that was left unpatched for months. Equifax’s CEO, Richard Smith was forced to step down in September 2017.
Even more astounding is the fact that the firm’s former chief information officer, as well as a more junior software engineer, were recently charged by the Securities and Exchange Commission with insider trading based on their knowledge of the impact of the breach before information became public.
With such a high-profile failure in its security management, it should come as no surprise Equifax has garnered the attention of federal regulators. In June 2018, the credit reporting agency agreed to take a set of corrective actions negotiated by the United States Department of Financial Services. Eight state banking regulators, including New York, California, and Texas joined on the consent order.
The company now has three months to implement six major actions to bolster their cybersecurity posture and prevent another data breach. They include:
All of the above actually sounds like pretty basic stuff – for investors, though, can we be sure that our asset managers, vendors of asset management products which are then added to our portfolios, have met these baseline standards?
The following three fundamental steps should bolster any firm’s cybersecurity posture, and help ensure an asset management firm can keep themselves from becoming a headline:
Any effective control environment requires a matrix of regulations, with a focus on preventative protections. Cyber threats can include criminal groups, nation-states, or independent operatives, with motives ranging from material gain, to sabotage, or simple mischief. The necessity of cyber protections to the control matrix cannot be overstated and should be top of mind when institutional investors consider allocations to new and existing asset managers.
1080 Côte du Beaver Hall, Suite 904
Canada, H2Z 1S8
84 Chain Lake Drive, Suite 501
Canada, B3S 1A2
1 Pancras Square, Kings Cross
London, N1C 4AG
+44 20 3036 0828
Ground Floor, Three E-com Center
Mall of Asia Complex
Pasay City, Metro Manila
24th Floor Al Sila Tower, Suite 2422
Abu Dhabi Global Market Square
Al Maryah Island, Abu Dhabi, UAE
+971 (2) 694 8510
Level 36 Governor Phillip Tower
1 Farrer Place Sydney 2000
+61 (2) 8823 3370