SEC’s Cybersecurity Agenda Is a Call to Action for Asset Managers

When it comes to cybersecurity, one weak link makes the whole chain vulnerable. To combat an increasing threat, global regulators are bolstering global cybersecurity initiatives. But regulations alone aren’t enough. Here we look at what global asset managers can do to keep their firms one step ahead.

Early in his tenure as Chairman of the US Securities and Exchange Commission (SEC), Jay Clayton issued a stark warning about cyber threats. “Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself,” Clayton said. “Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery.”[1]

This SEC focus on cyber security is also evident within its Strategic Plan and is consistent with the global focus on this important and ever-evolving area. As a result of the SEC’s assessment of investment firms’ vulnerability, the agency issued a Cybersecurity Risk Alert and adopted a number or regulations, such as Reg S-ID on Identity Theft Red Flags, which primarily dealt with disclosure requirements after a cyberattack takes place. In coming months, however, we expect the SEC and other government agencies to begin issuing a series of regulatory tweaks and new rules on cybersecurity that will directly impact asset managers, hedge funds, and private equity firms. The goal will be not only to require these firms to adopt measures to protect themselves against cyber penetration, but also aimed at preventing a contagion effect should a financial firm be compromised in such a way that it systemically disrupts the global financial system.

Data Officers and Service Providers

For asset management firms looking at the allocation of resources in the coming year, the likelihood of a slew of new cybersecurity regulations may provide an indication where those expenditures should be focused. For example, firms that have not yet appointed a chief information security officer or looked at the cybersecurity measures adopted by third-party service providers, may want to assign a priority because these are the areas regulators are likely to address first.

The SEC emphasized their focus on cyber security in their recent release of the list of 2019 priorities for their Office of Compliance Inspections and Examinations (OCIE):

“Cybersecurity protection is critical to the operation of the financial markets. The impact of a successful cyber-attack may have consequences that extend beyond the firm compromised to other market participants and retail investors, who may not be well informed of these risks and consequences… Specific to investment advisers, OCIE will emphasize cyber security practices at investment advisers with multiple branch offices, including those that have recently merged with other investment advisers, and continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.”

The SEC demonstrated they are also active in the prosecution of cyber threats to the US financial markets on January 15, when they said in a statement that nine individuals had been charged in connection with a cyber penetration of the SEC’s own EDGAR company reporting system in 2017. The defendants were accused of using non-public information contained in the EDGAR database to make stock market trades and earn $4.1 million in profits.[2] The disclosure came during the US government shutdown, another potential risk that some feared hackers could exploit.

Confronting Systemic Cyber Risk

There are three major sources of cyber threats. The first is hacktivists, a small group of agents, domestic or foreign, who try to make a political point by undermining or causing anarchy within a particular system. The second type is organized crime. These cybercriminals engage in targeted attacks and are commonly driven by profits. They are looking for non-public information of customers and/or employees to exploit. The third area of threat is state-sponsored activity, which may evolve as the most dangerous of the three. These are well-funded, sophisticated, and highly motivated. They are driven by profit, political, or military agendas. Regardless of the source of the threat, the challenge here is for asset management firms to plan and prepare to detect and defend against these threats. Planning and preparation, of course, require resources, but the importance of doing so cannot be overstated.

The SEC’s response to these potential cyber risks is likely to be driven by their ongoing work with the industry and the insights arising from their inspection and examination activity. It is no longer in the SEC’s interest to go in and fine a firm after an attack happens; the goal is to prevent and detect attacks in the first place. Accordingly, further action will address the types of checks a firm needs to put in place to prevent it from being attacked to begin with. Here, the OCIE priority statement signals the emphasis on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. Firms subject to examination would be wise to review the content and presentation of their cybersecurity measures in line with this guidance.

The threat is very real. For example, if a group wanted to significantly disrupt a registered investment advisor, it could potentially focus on specific vulnerabilities such as manipulation of data within the advisor’s trading systems or access and extract sensitive client information from the advisor’s database. If all critical data of the advisor resides on a single server or data system, then a cybercriminal could gain access to this sensitive information and disrupt, edit, extract, or destroy it. Each of these could have serious consequence to the victim of the criminals.

The other type of attack common in financial markets is what is known as a Distributed Denial of Service (DDOS) attack which involves an external party gaining access to the advisor’s internal systems. Hackers could penetrate an advisor’s trading system and freeze out the advisor from executing trades, until such time as a ransom was paid to the hackers. This would raise both reputational and monetary risk to an advisor. It’s not hard to imagine the contagion effect on the global financial system if a coordinated attack on several advisors occurred on a widespread basis. Also, it is important to note that advisors must not only protect their own firms’ perimeter, they must also seek to ensure that all business partners in their data chain are equally vigilant and protected against cyber penetration attacks. Appropriate due diligence of all investment advisor partners, delegates, and outsourced vendors must form part of an advisor’s holistic approach to cyber security. Firms are only as strong as the weakest link in the chain when applied to cyber security.

What’s Next

In the coming years, SEC-registered managers will also need to monitor and respond to new regulation from other sources as well, including the EU and New York State’s Department of Financial Services. In November 2018, the EU adopted the Network Information Systems Directive (NISD), which specifically included financial firms, requiring them to take measures against hackers and laid down reporting requirements for firms that are attacked. New York’s rules, which were adopted in 2017 and come into full affect in March of 2019 apply to banks but not asset managers, also required the appointment of a chief information security officer, mandated firms carry out an annual cyber risk assessment, and included third-party service providers in the audit.[3]

While these developments are important to SEC-registered manager, they do not yet fully address the threats arising in this interconnected, 24/7 global trading world. If you are a New York bank, you might place a trade for a Malaysian client in Singapore and it will be settled on a Russian exchange. At the same time, a cyberattack in Malaysia could impact Wall Street in seconds. The global impact from the WannaCry and NotPetya ransomware attacks are real life examples of this. Cyberattacks can reverberate around the globe in a way that the industry has never yet experienced.

Because global financial services firms are executing transactions across borders, most often through globally interconnected electronic exchanges, the time has come to consider global cybersecurity solutions that reflect connected thinking and multiple regulatory structures in the context that even one weak link makes the whole chain vulnerable. Early prevention and detection is always going to be much better than a cure. It needs to be both a governmental and industry solution, and the solution needs to be global. However, in reality, global regulation is not possible. That’s why global firms must try to adopt general best practices but also be nimble enough to adapt and tweak local policies and procedures in the case of rule divergence.

The cybersecurity initiatives of the SEC may be a major step toward that goal. Asset managers should plan accordingly, whether that’s by creating a separate line item for cybersecurity on their balance sheet or by asking the right questions to their service provider, or both.