Financial industry waking up to scale of cyber threat
(CNS Business): Cyber security is fast becoming the number one global business concern, and with hedge fund managers seen as being particularly susceptible, a sustained attack on the industry could have a major systemic impact here, as experts warn that Cayman firms are already being targeted by cyber-criminals.
Hedge fund managers were identified earlier this year by the US Government as the weak point of the financial system in terms of vulnerability to cyber-attack, largely due to their relatively small size and often weak IT systems. Numerous banks have already fallen victim to confidential data theft, so security has been reinforced in that area, but hedge funds are only now waking up to the scale of the problem — and cyber-criminals move fast, so the race is on to get systems and procedures up to speed.
The size of the industry and the sheer number of service providers with hedge fund clients leaves Cayman exposed to an attack, with law firms, fund administrators, independent directors and auditors all in the firing line. Last week international fund administrator IFS State Street was reported to have suffered a breach, with data stolen by an employee of a sub-contractor, according to HFM Week. Firms across the financial sector in Cayman are facing up to the prospect that the cyber threat is real and anyone is a potential victim.
“I think we would be naïve to assume that firms in Cayman have not been subjected to attacks,” said David Smailes, principal at Pivot Advisors, a Cayman-based IT consultancy. “The vast majority of us have received phishing emails, which are an attack on the individual or the start of a more sophisticated attack on an organisation. With regards to network breaches and theft of data, there have been a few publicised events but institutions will generally not be forthcoming with details as they do not want their reputations to be challenged.”
A cyber-attack can have a devastating impact on a business and firms should be concerned about the prospect, Smailes said. In addition to theft of data and the reputational damage that can follow, other fears centre on potential data leakage to competitors, major business disruption and the erosion of trust among staff, clients, vendors and investors. Companies are even being extorted as part of an attack, where criminals disable systems and offer to restore them only once their demands are paid.
Unless there are obvious indications, firms could have been infiltrated by cyber crooks and be under attack without realising so, Smailes noted. “It is very difficult for many organisations to identify if an attack has happened or is underway unless they are approached with the details of the breach or they find their data has been published externally.”
Industry tools can assist, although these have traditionally been seen as expensive. “The costs will need to be balanced with the value of the data stored and the impact on the business of the data being compromised,” Smailes said.
Cyber security concerns are not confined to high finance. Everyone who banks, makes purchases or holds an online account with any kind of company or institution is at risk. Companies hold large amounts of customers’ personal information, such as credit card numbers, addresses, dates of birth and anything else needed to fake an identity, on their own servers or in the cloud, and consumers have to rely on appropriate measures being in place.
Last week in the UK, phone and internet company Talk Talk was held to ransom before confidential details of its four million customers were exposed. Over a million had their information accessed and many lost thousands of pounds after being contacted by extremely sophisticated fraudsters claiming to work for the company. Reports suggested Talk Talk could lose as much as £75 million in revenue from the cyber-attack, amid debate over whether the company did enough to protect its customers’ data, which was not encrypted. The company claims that it has not breached the Data Protection Act because it was subjected to a criminal act.
Cayman’s Data Protection Bill has yet to make it into law and is currently being revised. Until it does, companies in Cayman remain bound by common law duties of care, which include a duty of confidentiality, so they can be sued if they fail to maintain comprehensive security and encryption for the data they hold, especially where it is private or of a sensitive nature.
As attacks on banks and their customers become more frequent, phishing attempts are growing more realistic and sophisticated. With greater use of social media and people performing more and more of their daily functions online, the cyber risk is only getting bigger and it is now a case of “when”, not “if”, people will be affected. The same kind of attack that takes three hundred dollars from a personal account can take $30,000 from a company, and online theft can be extremely unsettling because the victim often does not know how it happened or how far it reaches.
Just recently, the Cayman Islands Bankers Association placed a public advisory in the local press with advice on how to spot fraudulent email scams, such as a message purporting to come from your bank about a problem with your account, and what to do about it.
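The checks such an advisory describes (does the sender really belong to the bank, does the link go where its text says, is the message pushing you to act fast) can be applied mechanically. The script below is an added example, not part of the CIBA advisory or the article: the bank name, its trusted sending domain, and both sample messages are constructed for the demonstration, and the indicators are heuristics, not a substitute for a mail-security gateway.

```python
"""Heuristic triage of a suspicious "problem with your account" e-mail.

Added example; not from the CIBA advisory. The bank, its trusted domain and
both sample messages are constructed for the demonstration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_NAME = "Example Cayman Bank"            # hypothetical institution
TRUSTED_DOMAINS = {"examplecaymanbank.ky"}   # assumed legitimate sender/link domain
URGENCY_PHRASES = ("verify your account", "suspended", "within 24 hours",
                   "unusual activity", "click here")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(addr):
    """Domain part of an RFC 5322 address, lower-cased."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw):
    """Return the phishing indicators found in a raw RFC 5322 message (empty list = none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    display_name, _ = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(msg["From"] or "")
    if BANK_NAME.lower() in display_name.lower() and not _trusted(from_domain):
        findings.append(f"display name claims {BANK_NAME} but sender domain is {from_domain}")

    if msg["Reply-To"]:
        reply_domain = _domain(msg["Reply-To"])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        for visible, href in collector.links:
            target = _host(href)
            if visible.lower().startswith("http") and _host(visible) != target:
                findings.append(f"link text shows {_host(visible)} but points to {target}")
            if "xn--" in target:
                findings.append(f"punycode (look-alike) host in link: {target}")
            if target and not _trusted(target):
                findings.append(f"link to untrusted host {target}")

    text = re.sub(r"<[^>]+>", " ", content).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency/pressure language: " + ", ".join(hits))
    return findings


# Constructed sample: the classic "problem with your account" lure.
PHISH = b"""From: "Example Cayman Bank Security" <alerts@examplecaymanbank-secure.com>
Reply-To: recovery@mail-verify-account.net
To: customer@example.com
Subject: Unusual activity on your account
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual activity. Your account will be suspended
unless you verify your account within 24 hours.</p>
<p><a href="http://examplecaymanbank.ky.verify-login.net/x">https://examplecaymanbank.ky/secure</a></p>
</body></html>
"""

# Constructed sample: a genuine notification from the assumed trusted domain.
LEGIT = b"""From: "Example Cayman Bank" <statements@examplecaymanbank.ky>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Your monthly statement is available in online banking.
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(sample))
```

Run as a script it reports five indicators for the constructed lure and none for the genuine notice. The link-host check is the one that matters most in practice: the visible text is a bank URL, while the href's hostname is a subdomain of an attacker-controlled name that merely begins with the bank's domain.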
Also over the past month, two hedge fund organisations, AIMA (Alternative Investment Management Association) and the Hedge Fund Standards Board (HFSB), have issued guidelines on best practice in developing a cyber security programme, which also outline some of the more extreme threats faced by this industry.
AIMA’s guide pointed to polymorphic malware as the latest trend: malware that rewrites or re-encodes its own code with every copy, so that no two samples share a file hash or byte signature, and that assembles itself only once it is on a victim’s device in order to evade detection. The HFSB suggests prioritising the asset manager’s “crown jewels”, its most significant digital assets such as the trading book or proprietary algorithms, and highlights the response from regulators to this issue, including the use of cyber-attack simulations to better assess and mitigate the threats.
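To make the polymorphism point concrete, the script below is an added example and not from the AIMA guide: a harmless byte string stands in for the payload, each generated copy is XOR-encoded under a fresh random key behind a fixed, made-up unpacker stub, and three detection strategies are scored against fifty copies. A blacklist of one sample’s hash catches exactly that sample, a byte signature on the invariant stub catches all of them, and emulating the unpack step and inspecting the result catches all of them too.

```python
"""Why a hash or byte signature of one sample fails against polymorphic code,
and what still catches every variant.

Added example, not from the AIMA guide. PAYLOAD is a harmless string and
STUB is a made-up marker; a real engine also rewrites the stub itself.
"""
import hashlib
import os

PAYLOAD = b"stand-in for the real payload: print('hello from the payload')"
STUB = b"\xde\xc0\xde\x01"   # hypothetical unpacker marker shared by every variant
KEY_LEN = 8


def generate_variant(payload=PAYLOAD, rng=os.urandom):
    """Emit one copy: STUB || key || payload XOR key (rolling). Each call differs."""
    key = rng(KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return STUB + key + body


def unpack(variant):
    """What the stub does on the victim's device: rebuild the payload in memory."""
    if not variant.startswith(STUB):
        raise ValueError("not a recognised variant")
    key = variant[len(STUB):len(STUB) + KEY_LEN]
    body = variant[len(STUB) + KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def hash_match(sample, known_hashes):
    """Classic approach: exact file-hash blacklist of samples seen before."""
    return hashlib.sha256(sample).hexdigest() in known_hashes


def stub_match(sample):
    """Byte signature on the invariant unpacker; holds only until the stub is mutated too."""
    return STUB in sample


def emulation_match(sample, indicator=b"payload"):
    """Run the unpack step and inspect the result, as an emulator or sandbox would."""
    try:
        return indicator in unpack(sample)
    except ValueError:
        return False


def evaluate(n=50, rng=os.urandom):
    """Generate n variants, blacklist only the first one's hash, count what each method catches."""
    variants = [generate_variant(rng=rng) for _ in range(n)]
    known = {hashlib.sha256(variants[0]).hexdigest()}
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "hash_hits": sum(hash_match(v, known) for v in variants),
        "stub_hits": sum(stub_match(v) for v in variants),
        "emulation_hits": sum(emulation_match(v) for v in variants),
        "all_unpack_identically": all(unpack(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    print(evaluate())
```

The caveat a practitioner should take from this: the stub signature works here only because the example keeps the unpacker fixed. Real polymorphic engines permute and re-encode the stub as well, which is why detection in this class leans on emulation, memory scanning after unpacking, and behavioural telemetry rather than on static byte patterns.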
For financial services firms in Cayman, the suggestion is to prepare in the same way that they would for any crisis.
“The starting point will be a Business Impact Analysis to determine how the firm may be affected for both the short and long term,” Smailes said. “While theft of funds can have a very short term impact on cashflow, a breach of client and personal data may be catastrophic in the long term as trust is lost and this can be exacerbated by a late, vague or fragmented response to an attack.”
Once the impact of an attack is understood, then firms can look to build what Smailes calls a “multi-tiered strategy” to mitigate the risks and develop a response in the event of an attack.
“Mitigation includes developing policies and educating staff on why controls are necessary and how they can identify issues and alert the appropriate authorities,” he said. “Education is critical as some of the policies could impact the ability of employees to deliver a certain quality of service, with tighter controls on data access and the use of storage devices such as USB drives.”
With the growing threat of cyber-crime and the potentially devastating consequences of a major breach, firms will need to invest in this area. They should regularly review their IT infrastructure for weaknesses, Smailes says, and while a firewall is important, it cannot be relied on alone.
Category: Finance, Financial Crime