Why asset management companies are uniquely vulnerable to cyber attack

In the dynamic world of asset management, risk and reward are constant companions. Yet, with a 7% rise in cyberattacks week-on-week in 2023, asset management firms are being singled out as prime targets for cyber attacks, and most companies are underprepared.

As repositories of sensitive client information, proprietary trading algorithms, and large-scale financial transactions, many asset management companies are sitting ducks for cybercriminals. As damages associated with global cybercrime are projected to reach $10.5 trillion annually by 2025, an increase of 15% year-on-year, cybersecurity will become a dealbreaker for the sector.

But to understand how to safeguard against such attacks, asset managers must first understand why their industry is especially vulnerable. From the consequences of remote work and the rise of AI to the unique risks accompanying a transaction, here’s a deep dive into why the asset management industry is primed for a wave of cyberattacks in 2024 and beyond.

How hackers are infiltrating asset management firms 

Asset management firms are only as strong as their weakest links. Hackers know exactly how to spot and exploit such vulnerabilities, which aren’t limited to one department. Criminals can target front-office operations like investment strategies and portfolio management, infiltrate middle-office functions such as compliance reporting, or breach back-office roles, including fund accounting and marketing. Here are the most common tactics hackers use to infiltrate operations:

Social engineering

Commonly, hackers deploy social engineering tactics when targeting asset management professionals. These malicious techniques trick individuals into revealing confidential information or transferring funds by psychologically manipulating their target. In 2022, a hacker successfully impersonated a Morgan Stanley Wealth Management employee and was able to retrieve financial information and authentication credentials from some of its clients. Annually, a typical firm is targeted by 700+ such socially engineered hacks, and email and web applications are the two main channels for such attacks.

Phishing

Phishing, comprising 86% of all cyberhacks, is the most prevalent form of social engineering, with Google blocking 100 million phishing emails a day. These attacks use deceptive emails, messages, or websites to trick portfolio managers into revealing sensitive information, which is particularly dangerous for asset management firms due to the sensitivity of the financial and personal data they handle. Alarmingly, in 86% of organizations, at least one person has clicked on a phishing link, and CEOs receive 57 targeted phishing attacks a year.

Ransomware

Ransomware involves encrypting a victim's data and demanding a ransom for its release, often coupled with threats to release sensitive data if the ransom is not paid, a tactic known as double extortion. Vulnerable endpoints, such as unpatched devices, are common entry points for these attacks.

In 2023, ransomware attacks surged by approximately 73%, and the asset management sector accounted for a significant portion of the total ransomware attacks. The increase in ransomware attacks is partly attributed to the collaboration among different ransomware groups, who share tactics, techniques, and vulnerabilities for mutual benefit. While smaller organizations are more likely to be targeted by phishing attacks, larger organizations are especially targeted by ransomware, as attackers recognize that companies with higher revenues are more likely to pay substantial ransoms.

DDoS (Distributed Denial of Service) attacks

Distributed Denial of Service attacks aim to render services unavailable by overwhelming the target's resources. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. These can include computers and other networked resources such as IoT devices.

In 2022, there was a notable shift in the type of DDoS attacks, with a significant increase in application vector attacks. These hacks, which target specific applications rather than trying to overwhelm an entire network, grew by 165% in 2022. This suggests that attackers are adapting their methods to bypass improved defenses against more traditional forms of DDoS attacks like volumetric or protocol attacks.

How hackers are infiltrating asset management firms 

When a portfolio company is the target of a hack, the financial fallout affects both direct and indirect costs, and the repercussions are often long-lasting. While the total global average of a data breach is $4.45 million, asset management firms in particular may incur expenses related to customer compensation, incident response, breach investigation, new security measures, increased insurance costs, and legal fees. The regulatory penalties for non-compliance with standards like the General Data Protection Regulation (GDPR) can be substantial. 

Additionally, share prices and company valuations are vulnerable to the impact of a data breach. Yahoo's breach in 2013, which became public in 2016 during its acquisition talks with Verizon, led to the company being purchased at about $350 million less than the original asking price. Likewise, targeted companies can experience indirect losses attributed to reputational damage, which can be substantial and result in lost business.

Why asset managers are particularly vulnerable to a data breach

Unlike traditional banks and fintech companies, asset management firms are uniquely vulnerable to an increasing wave of cyberattacks. Combining a heady mix of high-value data, complex interactions, lifecycle vulnerabilities, and comparative gaps in cyber defense, asset managers face a distinctive set of risks. Here’s why asset managers are uniquely exposed to a cyberattack.

Robust bank and fintech security puts a target on asset managers’ backs  

Due to the substantial investment in cybersecurity in the banking and fintech space, these financial entities have become significantly fortified against various cyber threats. This has led cybercriminals to pivot their focus toward less protected, equally lucrative targets, i.e., asset management companies. In comparison to major financial institutions, portfolio management firms often lack the resources to invest in top-tier cybersecurity infrastructure. This disparity in security investment makes asset managers more attractive and vulnerable targets for cybercriminals.

Exposure risk during specific phases of the asset lifecycle 

Asset management firms face heightened cyber risk during various asset lifecycle phases, including due diligence, announcement and onboarding, value creation, and exit. For example, during the announcement and onboarding phase, there is often a lapse in cybersecurity focus for both buyers and sellers as they are distracted by the multitude of labour-intensive tasks required to facilitate a smooth transaction. This makes it 116% more likely for both the acquired company and the acquirer to become the victim of a cyberattack once a deal is closed.

Likewise, during the holding phase, value creation involves a lot of data-driven decision-making, often reliant on sensitive financial information and proprietary investment strategies. This reliance on digital data and technology for analysis, reporting, and transaction execution makes asset managers attractive targets for cyberattacks. Similarly, during due diligence, the scrutiny of financial statements, legal agreements, and other confidential information makes asset managers a particularly attractive target for a hack.

Interaction with external stakeholders expands the attack surface

Asset managers are particularly vulnerable to cyberattacks because of their frequent interactions with various external parties. Each interaction with an external party potentially opens up a new attack vector for cybercriminals. Every email exchange, data transfer, or digital transaction with clients, vendors, partners, or regulators can be exploited by cyber attackers. Likewise, asset management firms often rely on third-party service providers for crucial operations, from IT services to financial transactions. If these third parties have weak cybersecurity measures, they can become conduits for cyberattacks against asset management firms.

Compliance with financial regulations often requires asset management firms to share data with regulatory bodies. The processes involved in this data sharing can be targeted by cybercriminals looking to intercept or manipulate sensitive information. Different external parties may have varying levels of cybersecurity maturity. Interacting with entities that have lower security standards can inadvertently expose the asset management firm to cyber risks.

Poor data access controls increase the likelihood of insider threats

Asset management firms are particularly vulnerable to cyberattacks due to poor data access governance and insider threats. Poor data access governance means that some employees may have more access to sensitive data than necessary for their roles. Over-privileged access increases the risk of data being misused or stolen, either by insiders or through compromised employee accounts. Without effective monitoring systems in place, it's challenging to detect unusual activities or unauthorized access. This can allow insider threats to go unnoticed for an extended period, increasing the potential damage from such activities.

Likewise, employees with malicious intent can exploit their access to this information for personal gain or to inflict harm on the firm. Insider threats can range from intentional theft or fraud to unintentional errors that leave systems vulnerable to external attacks. This type of activity not only leads to financial losses but can also damage the firm’s reputation and client trust.

The increasing complexity of AI-based attacks 

The advent of advanced AI technologies, particularly in natural language processing and generative AI, poses a real threat to asset management security. Firstly, phishing attacks are becoming more sophisticated as advanced language models can craft more convincing emails that appear increasingly authentic. Secondly, the rise of deepfakes enables hackers to create highly realistic videos or audio recordings that effectively impersonate trusted individuals, such as senior executives. These recordings are then used to get employees to divulge confidential information, transfer funds, or spread false information.

Additionally, the very nature of AI means that these systems learn from their interactions and can improve in a startlingly short amount of time. Consequently, cyberattacks are likely to become increasingly intelligent in a relatively short amount of time.

Mid-sized portfolio companies are especially at risk

Small-to-mid-sized asset management companies, with significant assets under management but limited operational budgets, are particularly vulnerable to a data breach. Despite their smaller size, these companies still handle significant amounts of sensitive financial data but, unlike larger firms, they often don’t have the same level of financial resources to invest in comprehensive cybersecurity measures, making them attractive targets for cybercriminals. 

Large corporations often have dedicated teams for cybersecurity, whereas mid-sized firms might rely on smaller, possibly less specialized IT teams. This can result in less robust security protocols and slower responses to emerging threats. Likewise, mid-sized firms, like their larger counterparts, are subject to stringent regulatory requirements (e.g., GDPR) but may find it more challenging to fully comply due to resource limitations. This can lead to vulnerabilities that cybercriminals exploit.

Solution space: How to safeguard assets from a costly data breach

As the threat landscape continues to evolve, so must an asset management firm’s approach to security. There are plenty of ways to prevent a data breach, and not all of them require a huge degree of investment. Here are some approaches to consider when deciding how to protect assets from a security breach.

The far-reaching benefits of cyber-insurance 

Cyber-insurance isn’t just a financial tool but a strategic asset within a comprehensive cybersecurity framework. It provides a critical layer of protection, ensuring that firms can recover and sustain operations in the event of cyber incidents. Such insurance can cover the direct costs associated with a cyber attack. These costs can include forensic investigation, data restoration, legal fees, and even ransom payments in the case of ransomware attacks. 

Further, some insurance packages can also support firms in the aftermath of an attack by covering the costs of operational disruptions and providing coverage for regulatory fines and penalties. An additional upside is that having such insurance can enhance client trust, as it demonstrates a commitment to protecting their interests and ensuring business continuity even in the face of cyber threats.

Better data access controls and strengthened authentication

By implementing strict access controls, such as the Least Privilege Principle and Role-Based Access Control (RBAC), asset management firms can ensure that only authorised personnel have access to critical systems and information. Good data access governance hygiene not only safeguards against external threats and insider risks but also supports regulatory compliance, operational efficiency, and the preservation of client trust.

Likewise, strengthening authentication, particularly for high-privilege accounts, through measures like Multi-Factor Authentication (MFA) and biometric verification, further secures access points against unauthorized entry. This approach not only protects valuable assets and client information but also aligns with regulatory compliance requirements, thereby maintaining the firm's reputation and client trust. In essence, these measures form a foundational component of a robust cybersecurity strategy, mitigating risks associated with data breaches and cyber-attacks.

Fighting fire with fire: Using AI to combat AI

According to IBM, implementing AI security solutions results in a 65.2% data breach cost reduction and cuts breach lifecycles by 108 days. This is due to AI-driven security systems engaging in proactive threat detection, automating and accelerating response to potential risks. AI algorithms can analyze vast amounts of data and identify potential threats before they manifest into full-blown attacks, and AI systems can analyze user behaviors and identify anomalies that might indicate insider threats.

Implementing AI-based security solutions results not only in cost efficiency but also in improved accuracy in identifying real threats and reducing false positives. While AI's ability to learn and adapt makes it attractive to cyber criminals, it also makes it an invaluable tool in evolving cybersecurity strategies, as it can scale and integrate with existing infrastructures. 

Implement a robust Incident Response Plan (IRP)

An effective IRP serves as a comprehensive roadmap for managing and mitigating cybersecurity incidents, ensuring that a company can swiftly and effectively respond to threats. This plan should encompass:

  • Detection and analysis: Monitoring systems for signs of a breach and employing anomaly detection tools. Early detection is critical for minimizing the impact of a cyber incident.
  • Post-incident activities: After addressing the immediate threat, conducting thorough debriefs to analyze the efficacy of the response is important. These learnings should be used to update and improve the IRP.
  • Containment strategy: Once a threat is detected, the plan must include immediate actions to contain it. 
  • Eradication procedures: After containing the threat, the threat needs to be removed from the system. This typically requires updated and effective tools capable of dealing with the latest forms of malware and breaches.
  • Recovery plans: This aspect of the IRP involves protocols for restoring systems and data to their normal state. Regular testing of backup processes and system restoration protocols is vital to ensure they are effective when needed.

Invest in smart, secure technology solutions

Investing in technologies that reduce cybersecurity risk is crucial for asset management firms, especially during interactions with external parties. By utilizing data rooms, asset managers can safely engage in external communications and transactions, confident in the knowledge that their critical information is safeguarded within a controlled and secure digital space. These virtual environments are designed with robust security measures including encryption, access controls, and audit trails, ensuring that confidential data is protected against unauthorized access and leaks. 

Plus, as regulatory demands around data protection intensify, leveraging cutting-edge technology ensures compliance and prevents costly legal ramifications. In essence, smart, secure technology is not just a defensive measure; it's a critical component in the operational integrity and reputation of asset management firms, reinforcing their commitment to security and efficiency in an increasingly digital financial landscape.
