This publication looks at the risks inside the wealth and asset management supply chain.

The world’s wealth and asset management industry - along with many other sectors - faces cyber-security threats. Crooks are after money, so its hardly surprising that banks and similar institutions attract the bad guys. Breaches at firms such as Yahoo and Equifax, to name just two of the largest cases, have sent shockwaves. Beyond that, however, what do firms do to deal with the situation? To address this question, and others, Dr Jamie Graves - chief executive and founder of cyber-security company ZoneFox. The editors of this news service are pleased to share these views; they don’t necessarily share views of guest contributors and invite readers to respond. Email: tom.burroughes@wealthbriefing.com

It’s no secret that, due to the swathes of sensitive information held on file, the asset and wealth management industry is a prime target for cyber miscreants. As one example, traditional investment banks are increasingly focusing on asset and wealth management, due to stricter regulation and corresponding fines within investment banking. This represents a most lucrative supply chain for nefarious hackers, in terms of the value of the data itself and the wide range of people to swindle it from.

Elsewhere in the finance industry, memories remain of the Nutmeg and Tesco Bank hack. Also, just this month, it was revealed that credit-rating company Equifax has added 2.4 million individuals to its list of victims, following its colossal 2017 breach. The Equifax scandal should serve as a wake-up call about the cyber security weaknesses within financial institutions, encompassing the wealth management organisations underpinning global economies.

Unfortunately, despite these incidents, according to the recent Capgemini and RBC Wealth Management report, only 7 per cent of asset and wealth management institutions are actively looking at cybers-ecurity. What’s more, ransomware may dominate headlines, but stories on the likes of crypto-mining, insider threats, and doxware often don’t receive as much attention. Within financial organisations, insider threats and weaknesses within the supply chain prove the most perilous of cyber security concerns.

First and foremost, it’s important to define the increasingly murky terms of the insider threat. What makes these specific threats so hard to detect is that they vary so much. On the malicious side, a disgruntled or desperate employee may attempt to earn some extra cash by selling highly prized financial data. At the same time, social engineering carried out by cyber criminals means that it's possible for anyone within the wealth management industry to fall victim to a targeted cyber attack.

This is the other side of the coin - the non-malicious incident. A client advisory staff member may find themselves responding to emails that they think are from the CEO. Similarly, a CFO may be a hacker's primary goal, but all it takes is one door to be opened from a more junior member of staff for an entire financial institution to be at risk. It goes without saying that such threats can seriously harm any wealth management business, along with its data and reputation.

This is where the value of User and Entity Behaviour Entity Analytics (UEBA) technology becomes most apparent. Such technology can establish clear patterns of ‘normal' human behaviour among employees, subsequently identifying abnormalities in these patterns. For example, a system that flags when an employee is logging onto the company server at an unusual time or location, or another employee is accessing a file outside of their usual domain.

Inevitably, alarm bells should ring if someone from HR is accessing confidential client data three floors away from their desk at 12am. Powered by machine-learning and statistical analysis, UEBA technology means that IT staff and the C-suite can act much more quickly and efficiently when such a scenario arises.

Undoubtedly, whether malicious or accidental, the insider threat is becoming increasingly dangerous for the asset and wealth management industry specifically. This is compounded by the serious cyber security holes that are frequently found in a supply chain. As standard practice for day-to-day working, suppliers, vendors, service providers, and business partners may at times require connections to an organisation’s network and systems. Making life easy for all parties is a great benefit for the industry, but it’s easy to imagine the dark side to these types of arrangements.

Bank account information, financial records, investment strategies, trading algorithms, and even trades themselves could be targeted. Rather than a direct approach, hackers can use social engineering to carve out a backdoor to an organisation within their supply chain. At the same time, permitting external access to resources with an asset and wealth management organisation doesn’t have to end badly. Following a few best practices with a focus on compliance can help safeguard third-party access to any network within the industry.

Any decent cyber security controls must have solid policies behind them. If partners or vendors in a supply chain are routinely permitted access to the network of a wealth organisation, appropriate parameters must be defined for such access from the start. Once these policies, parameters, and standards are in place, they cannot be negotiable. Policies and procedural controls provide the foundation for secure transactions between an organisation and external parties - from prime brokers to fund administrators, auditors to IT service providers.

Moreover, if a service provider or partner says that it needs access to an asset management environment via a virtual private network, on-site appliance, or any other means, it must comply with the organisational standards at hand. After all, when an external party has access to sensitive data, systems, or other proprietary information, the risk is automatically high. If a provider is not willing to accept such an organisation’s rules, there’s always a host of competent companies out there who will.

As well as robust cyber security protection in the form of technology, the importance of staff training and generally creating a culture of security cannot be overstated within asset and wealth management organisations. Truly interactive training is crucial - which means it’s time to bin the PowerPoint slides. Instead, regular social engineering tests with employees can be fruitful, rewarding those who pass with prizes. Additionally, a cyber security audit and even printing out some posters to stick on the walls can help - certainly better than burying helpful information in a staff handbook.

Ultimately, asset and wealth management organisations must treat any systems that may be installed in - or connected to - their environment from a third party as if they are their own. The last thing anyone wants is to become famous for the wrong reasons: by getting breached. What’s more, the imminent General Data Protection Regulation, aka GDPR, means that the consequences of a breach will be much more costly: all breaches must be disclosed within 72 hours, including details of any protective measures taken (or lack thereof), with hefty fines for those who fail to comply. Consequently, for everyone’s sake, the wealth management industry must arm itself with knowledge about the various threats it faces - from insider threats to supply chain weaknesses - as well as the appropriate protection.