The NATO-Russia dispute over Ukraine is fought on many boards at once. In addition to the threat of a ground war, disinformation campaigns and cyber attacks are deployed. The financial sector is particularly vulnerable. Attacks on financial service providers have increased sharply during the last two years. Asset managers are far more vulnerable than they often realise.
This increasing vulnerability of finance became apparent last autumn when the Dutch central bank published its Financial Stability Review. “Cyber risks are one of the main threats to financial stability,” it said. Financial service providers in particular are being targeted. In 2020, 44 percent experienced cyberattacks. In 2021 this percentage rose to 55. These attacks are taking place worldwide - not only, but also by Russian hackers.
The International Monetary Fund (IMF) said cyber attacks can affect financial stability in three ways: irreplaceability, interconnectedness and loss of trust. It is the latter that financial service providers fear the most.
Brutal wake up call
Last August, for example, Dutch daily De Telegraaf reported on a cyber attack on Blue Sky, the pension investor and administrator of airline KLM. This was a relatively simple example of a data leak. The cause: an employee had clicked on a link in a phishing email. Hackers then managed to gain access to his inbox, penetrated computer systems and had access to the personal data of tens of thousands of (retired) KLM employees.
For pension fund boards and pension investors, the Blue Sky incident was a brutal wake up call.
Arjen Pasma, risk manager of Dutch pension investor PGGM, addressed it in an interview with FN Institutional: “Take cyber risks. You might think that pension funds are a less attractive target than, say, banks, but I wouldn’t assume it. Apart from the enormous assets, pension funds also hold personal data on millions of people. That you have to guard well. Suppose all your participant data were to go public because your security was not in order. For us, that’s one of the worst case scenarios; it probably means the end of you as a fund or administrator.”
Shared networks make sector vulnerable
According to Dutch central bank, the financial sector is particularly vulnerable because its institutions share a substantial number of platforms, partly due to consolidation and digitalisation. A cyberattack on a highly interconnected financial institution can also lead to liquidity problems for counterparties of that institution.
This vulnerability applies not only to banks and asset owners such as pension funds and insurers, but also to asset managers, said Matt Siddick, senior director of operational risk solutions at consultant bfinance. Recently conducted operational due diligence assessments, known as ODDs, show that asset managers also belong to the risk category, he said. The Achilles’ heel: parties that offer middle and back office services and are integrated in the IT infrastructure.
Bfinance’s Siddick points to an earlier so-called ‘Fack Zoom’ attack on Australian hedge fund Levitas Capital, as well as the attack with hostile software on a sales office of SEI Investments, which also affected the American Pimco, among others.
‘This is How they tell me the World ends’
Cybercriminals now unashamedly offer their tools and software for sale on the Internet, as the American journalist from the New York Times, Nicole Perloth, has described in her blood-curdling and award-winning book This is How they tell me the World ends.
In this global hybrid war, asset managers are far more vulnerable than they often realise, said Siddick, noting that some of these attacks are also being waged by hackers linked to governments and states.
“They use relatively cheap and effective solutions, such as VPN connections, especially if multi-factor authentication is used in the process,” said Siddick.
The bfinance consultant recommends moving to a Virtual Desktop Infrastructure, known as VDI). This involves connecting a customer or supplier directly to the company’s IT infrastructure. This can be done through a so-called virtual machine, which makes it possible to set additional security requirements.
Concentration increases, so do risks
Other vulnerabilities identified by bfinance is that asset managers are increasingly using third parties for services, which makes the shared network vulnerable. The same applies to the fact that there is an increasing shift towards cloud-based solutions.
The consultant also points to the increased role for private markets in the investment strategies of asset managers. This increasingly involves one-on-one transactions, with a great deal of ‘hand-held’ communication. The underlying assets and companies in which these parties invest can be particularly vulnerable to cyber attacks.
Moreover, the attractiveness of private markets make the portfolios of asset managers more concentrated. The value of an investment opportunity that seems attractive can be completely eroded by the consequences of a data breach. This can lead to regulatory fines, fines for data privacy breaches, intellectual property theft, business paralysis, reputation damage and reduced asset valuations, warns bfinance’s Siddick.