Cyber Security for Fund Managers


Share on facebook
Share on twitter
Share on linkedin


“There are only two types of companies: those that have been hacked and those that will be.” Robert Mueller, former Director of the FBI.


Over the past few years the media has whipped up a frenzy around the concept of cyber attacks and the vulnerabilities we all face in this new and evolving online world; both personally and from a business perspective. Sensational stories of cyber attacks and hacking have been prolific on a global scale, yet a lot of us are still unsure of what to do to protect ourselves and our businesses in a cyber environment. In 2014, Sony Pictures suffered a ‘Hacktivist’ cyber attack, whereby the attack itself is “cause” motivated. This infiltration into Sony’s digital infrastructure resulted in a serious data breach which ultimately led to them cancelling the imminent release of their latest film, ‘The Interview’. The financial implications are obvious but Sony’s reputation also suffered via the PR backlash they received resulting from the leak of internal employee communications that were deemed to be of questionable professionalism. This kind of breaking news story can be assumed to be a far cry from the day to day world of asset management – yet the threat, although slightly different, is just as tangible and the consequences equally as costly.


Taking the lead from the mainstream and commercial buzz around Cyber Security and Cyber Risk, the asset management industry has embraced discussions on the concept of “Cyber” and what it means to us. For a good couple of years now, Cyber Risk has been a common place topic at asset management conferences and roundtables, and is almost as frequently alluded to or touched upon in trade press as prominent industry topics such as AIFMD and UCITS.


That said….are we any closer to truly understanding the threat? What do the terms Cyber Security and Cyber Risk mean to us? Do we know the full extent and impact a cyber breach could have on our businesses and what we can do to protect against it? Here’s a basic summary of the threats and what you can do to protect your business:



Who is behind the threat?


  • Criminal organisations – money motivated
  • Hacktivists – cause motivated
  • Espionage – intelligence and politically motivated



Why is cyber security important to fund managers and their service providers?


Cyber threats pose a particular challenge to asset managers and their service providers due to the complex interactions that are undertaken across the investment management value chain. Cyber security and possible risks are now items that must be held as a priority by top level management and board members, not just the IT department or outsourced IT provider.


With ever evolving technologies and a broader interaction with these technologies across all levels of employee, the number of new ways to breach a firm’s security is inevitably increasing. In the asset management industry this is particularly important as fund managers or service providers can now be penalised or fined for negligence in some jurisdictions. The most obvious threat to the finance industry is the potential for huge financial impact and subsequent reputational damage if a breach is dealt with poorly. For this reason it’s essential that fund managers, as part of their due diligence, fully check a service provider’s cyber controls and procedures. The necessity of using multiple outsourced partners in the fund management business means that there are numerous routes for managers to be affected by a breach of one of their services providers. Measures must be taken to ensure that fund data is safe and assets are safe.


Top 3 Cyber threats and how to protect your firm:


Threat: Spear Phishing emails


Spear Phishing emails are generally the most successful tactic for exposing weaknesses and actually account for 91% of cyber attacks across all businesses. Most asset managers have basic email spam filters which can protect users to a certain degree, however there is no way to block 100% of spear phishing emails from getting into the users inbox.


Protection: Training staff


The first line of defence is certainly to utilise spam filters to block phishing emails, yet as it is impossible to block all of these it is essential that as a second line of defence, all staff are trained on how to identify and deal with this kind of email to protect the company.


Threat: Malware Attack


Malware attacks are infiltrations onto a PC, Laptop or mobile device by software specifically designed to access or damage the device without the knowledge of the user. There are various types of malware including viruses, worms, keyloggers, spyware or malicious code. This is perhaps the type of attack most of us first think of when we imagine cyber threats and is still a popular way to gain access and control to user PC’s.


Worryingly, all PC’s are being attacked by Malware on a daily basis however the anti virus software that is now common place in all businesses usually combats these attempts and users are none the wiser. If a virus does manage to avoid the anti-virus software and breaks the PC this can be costly and extremely inconvenient but more importantly, malware that can capture login credentials of the user is high risk to any company.


Protection: Regular Updates on anti-Virus


‘The best defence is a good offense’. Keeping all PC’s and IT products up to date with the latest anti-virus software from a top-end provider is critical to protecting the company. Continual review of the competencies of the software or an agreement with an outsourced IT provider to ensure this is the case is an important procedure for keeping data and equipment protected against attacks.


Threat: DDoS (Distributed-denial-of-service) attack


A DDoS attack (also known as a DoS attack) is an attempt deny access for legitimate users of an online service or network (i.e. blocking internet access). This is a popular way for cyber criminals to target a specific company by sending an overwhelming amount of traffic to a site to overwhelm the system and cause disruption. These attacks vary in both sophistication and size but can be a problem for any size asset manager or service provider.


Protection: Invest in a competent partner


It is important to allocate sufficient funds into working with a competent and robust IT provider with a strong network and boundaries. Real time traffic monitoring also helps identify early threats and alleviates some risk which is something that can be requested or undertaken in house. As our reliance on the internet continues to increase in the industry and wider world, the damage can be catastrophic therefore the investment in quality service provision is well worth it.


Leading by example


At Apex Group we aim to lead by example and share our own cyber security procedures with clients. Here are some of the processes we have in place internally to ensure we protect both ourselves and our clients to the highest level possible:


  • We have put cyber security documentation and procedures in place to provide our fund managers with knowledge, transparency and comfort that we are protecting ourselves from every level of cyber threat.
  • Cyber security is an important topic within the company and always discussed at board level.
  • We now offer email encryption as a secure method of email communication to all our clients and fund managers.
  • We have recently doubled up on data protection software; the group now uses two high end security vendors. The data protection software utilised provides real time intrusion detection systems, traffic monitoring, firewall protection, anti spam, anti-virus, detailed reporting and much more.
  • We simulate a cyber attack twice a year to test our defences and processes. A third party security vendor attempts to hack our network (this is called penetration testing) to expose any weakness or gaps in the Apex environment. If any vulnerabilities are found as a result these are quickly secured.
  • The IT team closely monitors and controls Apex staff. All employees are automatically forced to adhere to IT controls and procedures as it is important that internal staff do not unintentionally introduce an avoidable threat into the network.
  • The Apex IT department attend cyber conferences and discussion groups to ensure that they maintain awareness of current and emerging threats at all times.


What does the future look like for cyber threats and firms in the asset management industry?


Unfortunately the future will only bring bigger and more sophisticated threats. Cyber crime is growing rapidly each year as it’s a lucrative business with limited laws which are difficult to apply due to lack of jurisdiction. What we need to do as asset managers, fund administrators, prime brokers etc. is be prepared and educated for it.



Next steps


It’s not simply about stopping the threat but it is equally as important, if not more so, to have a pragmatic response plan easily executed should there be a breach. Asset managers are used to risk, its part of the every day management of fund portfolio, therefore managers are well versed in mitigating potential exposures and can adapt procedures better than most to safeguard their firm.


It is important that we all take a holistic view of our structures and operations to truly understand cyber exposures. The most common assumption is that the threat and vulnerability lie within technology, however it is essential to take human error and physical processes into consideration when implementing a robust cyber security policy.


Share on facebook
Share on twitter
Share on linkedin

Get in touch with our team

Submit your query

Cookie control
This website uses cookies so that we can make your experience better. If you wish to change your cookie settings please refer to our Privacy Policy. Otherwise we will assume you’re OK to continue. Privacy Policy