Cybersecurity: An Industry Perspective

With cybersecurity high on every firm’s agenda, BBH recently hosted asset managers and industry colleagues in Luxembourg and Dublin to share insights on this important and ever-evolving area.

Regulators are ramping up their guidance on cybersecurity related requirements for asset managers, and firms are increasingly focused on governance around customer data and asset protection practices. But while executives agree that IT and cybersecurity are important, only 16% feel their firms are well prepared for the associated challenges. Not only is the implementation of an ever-evolving ruleset challenging, but the regulatory guidance, however stringent, cannot protect against the growing threat of sophisticated cyber-attacks.

This was the consensus at recent BBH Cybersecurity symposiums in Luxembourg and Dublin where asset managers and their consultants came together to discuss the evolving cybersecurity landscape, impacts to asset managers, and best practices for threat protection and management of inevitable cyber incidents.

Here are the key themes from our events and practical guidance offered by experts from EY, Deloitte, Sumitomo Mitsui, and BBH. Some of the debate centered on common sense pointers to defend a firms’ perimeter from threats, however the harsh reality, according to the panel of experts, is that many firms aren’t taking cybersecurity as seriously as they should.

More Education Needed

There is no question that humans remain one of the greatest weaknesses in preventing a cyber-attack. With so much being spent on technology and cyber experts to prevent breaches, hacks, and attacks, what is also crucial is that all staff receive adequate cybersecurity training. This is critical to ensuring employees aren’t the weakest point of the security chain.

The panelists urged firms to instill in their employees the mindset of being consistently, professionally skeptical. Employees need to be taught (and regularly reminded) what to look for in social engineering or e-mail phishing scams, which often use emotional triggers like wages, holidays, or emergency family issues to extract personal data. Compromised email communications that lead to ransomware incidents were up 350% over the last year, according to Dimension Data.

“The industry conversation on cybersecurity has moved on from being exclusively about protection against attack. The expectations of regulators and clients alike are increasing as they seek greater assurances regarding an organizations cyber controls. The conversation has also evolved to consider how reactive firms are when they are attacked or compromised. There is broad recognition at clients and regulators that when an organization is attacked, that they will ultimately be judged based on how well they react and respond to contain and manage the incident. Having a robust well tested plan helps reduce impacts.” Ben Dulieu, BBH

Board of Directors’ Responsibility

Regulators expect boards to understand and oversee cyber risk management practices. It is their responsibility to ensure their partners and employees are appropriately apprised of and understand key risks, and that any outsourcing arrangements comply with regulatory and a firm’s own cybersecurity standards. Firms can achieve awareness by regular testing of cyber incident procedures. Well-orchestrated incident management can substantially decrease the impact of a threat.

Cyber is Everyone’s Business

Many managers are increasing investments in cyber across their business model and at the core of their operational infrastructure – cyber threats are no longer an issue confined to the IT, systems, or security department of an asset manager, it is the responsibility of everyone in the firm to protect against the forces from outside. The cyber risk management strategy should be closely aligned to the overall business strategy. This focus will continue to increase in the coming years.

Quest for Global Regulatory Clarity

Earlier this year, the Securities and Exchange Commission (SEC) adopted interpretative guidance on public company cybersecurity disclosures in the US. The EU is in the preliminary stages of a phased implementation of the Directive on Security of Network and Information Systems (NIS Directive), raising the bar for cybersecurity across multiple industries, including banking and financial market infrastructures across the EU. Aside from implementing these new rules, global asset managers have another critical challenge – country or area specific regulations often do not consider how to integrate their rules with other cybersecurity regimes, greatly complicating the efforts of global firms to establish and maintain global compliance structures.

“It’s crystal clear from the number of attendees and their attention throughout this session that cyber is a topic high on the agenda of every board member and decision maker within asset management. Understanding your data model is important to managing the risk and proving that you are on top of your brief.” Simone Vroegop, BBH

Cybersecurity is emerging as one of the preeminent risks for businesses – and the stakes have never been higher. The news cycle continues to be full of large scale breaches and security compromises. Assessing these events, the recurring theme among industry leaders is that more can be done to prevent or contain cyber events. As regulators and clients increasingly focus on the use, governance, and protection of personal data, it is critical that asset managers put the appropriate level of attention and resource on this critical issue.

 Special thanks to:

  • Peter Callaghan, Sumitomo Mitsui Trust, Global Asset Servicing, Chief Operating Officer
  • Jacky Fox, Deloitte, Cyber Security and IT Forensic services
  • Thomas Koch, EY Luxembourg, Associate Partner and Head of Cyber Security, Digital Forensics, and Incident Response Services
  • Benjamin Dulieu, BBH, Vice President of Cyber Risk in Enterprise Risk Management
  • Simone Vroegop, BBH, Senior Vice President of Fintech Product Management
  • Mehtap Numanoglu Tasiopoulos, BBH Luxembourg, Chief Risk Officer