BUILDING CYBER RESILIENCE IN ASSET MANAGEMENT
MAY 2018
CONTENTS
FOREWORD (page 1)
EXECUTIVE SUMMARY (page 2)
1: CYBER SECURITY THREAT LANDSCAPE (page 3)
2: BUILDING A CYBER RESILIENT BUSINESS (page 9)
3: COLLABORATIVE ACTION (page 15)
4: FUTURE TECHNOLOGY DISRUPTORS (page 19)
BUILDING CYBER RESILIENCE: ACTION PLAN (page 25)
REFERENCES (page 26)
FOREWORD

Cyber crime is a growing global industry, now estimated to make criminals over $400 billion a year¹. Cyber attackers are becoming more determined and more skilled than ever. Highly professional and highly motivated, they are continually developing new techniques and seeking new targets to attack. With just 39% of asset management CEOs consulted in KPMG’s 2017 CEO survey saying they are fully prepared for a cyber event², now is the time for the industry to act decisively to protect its clients’ data and its own reputation.

Technology is transforming the asset management industry at a speed and scale never seen before. The global regulatory environment for cyber security and privacy is becoming more complex and fragmented. This, combined with the regular cases of high profile breaches being reported in the media, creates an issue that requires attention in the Board room.

The Investment Association and KPMG have jointly written this paper to provide an overview of the key cyber security risks facing the industry, offer guidance on the steps organisations can take to protect their business from cyber-attack, share thoughts on the power of an industry wide response and present cyber security risks around future disruptive technologies.

There are two key drivers behind publishing this paper:

Firstly, as we have seen, cyber attacks are real and are happening to a growing number of businesses regardless of their industry. The asset management sector’s cousins in banking and insurance can vouch for this, and are generally far ahead in configuring their defences, in part because of the greater threat they have faced to date. However, asset management firms are not immune to a cyber-attack and are likely to be an increasing target given the significant value of assets under management.

Secondly, regulators and authorities are increasing their focus on cyber security as an issue and looking for assurances that businesses are taking the necessary steps to prevent breaches. The UK government strongly supports the Investment Association’s development of an Asset Management Cyber Security Strategy³. It called on stakeholders to “participate in this work and engage with industry to provide a new level of protection for asset management and FinTech firms.”

A 2017 review of cyber security commissioned by the US Securities and Exchange Commission found that asset management firms had generally improved their cyber security standing. The review found that while most firms had now implemented cyber security policies, many did not enforce them properly⁴.

Now is the time for asset managers, as individual firms and as a community, to get serious about cyber security. This paper should help you consider cyber security risks and the practical steps you can take to protect your business. After all, your customers are putting their trust in you to safeguard their investments and their data.
EXECUTIVE SUMMARY

The key messages in this report are:

Cyber Security Threat Landscape: cyber-attacks are most likely to come from organised crime groups or from a malicious insider. Malicious data disclosure, CEO fraud / business email compromise and ransomware are particular threats. Risks can materialise across the entire value chain of an asset manager, with particular risks around the theft of client data as well as payment fraud. There are also risks to client data processed by third party administrators and custodian banks, while the use of cloud service providers needs to be carefully managed. Criminals are becoming more creative in how they attack systems, including using increasingly automated methods to attack large numbers of organisations using customised malware.

Building a Cyber Resilient Business: there are key actions which help build an effective cyber security capability. The Board must be fully engaged and have an understanding of cyber security issues, and establish clear accountability for action. It is vital to map the cyber security risks facing the business, check whether the current cyber security capabilities deal with those risks and agree the organisation’s cyber security risk appetite and tolerance levels. There should be the technical ability and processes to detect, respond and recover from incidents; and cyber security risks should be managed effectively across the supply chain. But most importantly of all, employees should be educated around cyber security risks and good behaviours.

Collaborative Action: the sector needs to work more collaboratively as a community and benefit from the economies of scale and pooling of expertise across the industry. By sharing threat intelligence, collaborating to create solutions and working together on response and recovery best practices, we can help everyone improve.

Future Technology Disruptors: the speed at which technology is transforming the asset management industry adds an interesting new dimension to the cyber security risk landscape. Digital channels, the cloud, artificial intelligence and robotics, blockchain – the industry is becoming increasingly dependent on technology at the core of its business. This creates fantastic ways for asset managers to differentiate their business, grow revenues and increase profits but also creates opportunities for cyber criminals. The potential cyber security risks need to be understood, managed and mitigated – in some cases this will require new and innovative approaches to security controls.
1: CYBER SECURITY THREAT LANDSCAPE
The first section in this paper highlights the broad and growing array of cyber security risks confronting the asset management industry and the business drivers for managing these effectively.

We have produced a cyber security risk radar showing the current threats, identified the ways in which these threats could potentially impact the asset management value chain and highlighted examples of cyber security incidents that have occurred. The section concludes with a view on the future direction of cyber threats.

BUSINESS DRIVERS

There are a number of compelling business drivers for proactively understanding and managing cyber security risks.

Cyber security is, perhaps more than anything else, an issue of brand and reputation. Organisations that have secure systems and manage customer data effectively will uphold their perception in the market as trusted players. By contrast, organisations that have fallen foul of a cyber-attack have often suffered significant reputational damage. This is especially the case for businesses that have not managed the fall-out well. Poor handling of communications can further damage customer confidence that has already been dented by the breach occurring in the first place.

Cyber security incidents can also disrupt business operations for a significant period of time beyond the initial incident itself. We only need to look at the WannaCry ransomware episode, where some businesses were offline for days and weeks afterwards⁵.
This causes further frustration, anger and loss of customer confidence, which can be hard to win back. Organisations have to be able to show that they have sustainable operations.

Looking at other sectors such as banking, some organisations have taken a proactive approach to increase customer confidence and engagement, such as by offering or promoting awareness of anti-virus software products. This extension into end-consumer territory enhances their own standing as cyber aware organisations and shifts their cyber security strategy from brand protecting to brand enhancing.

In today’s digital and interconnected world, businesses rely on each other across partnerships and supply chains. It is essential that everyone in the chain can rely on each other and there is a vested interest for all parties to be safe and secure.

Moreover, the penalties from regulators for falling short are only set to rise. The General Data Protection Regulation (GDPR), for example, could see fines of up to 4% of global turnover for lax privacy protection⁶.

Organisations that have suffered cyber security breaches may face significant fines from authorities, compounded by a hit to their share price. Compliance with standards is a licence to do business, not a choice. This can be challenging, especially in the heavily regulated financial services sector – but the best organisations will rise to that challenge.

Quite simply, managing cyber security effectively can turn a threat into an operational and strategic strength and drive a competitive advantage.
CYBER SECURITY RISK RADAR
Based on KPMG’s experience and analysis of publicly available incidents we have produced a cyber security risk radar. Figure 1 shows the cyber security risks posed from five threat actors to the asset management industry. The main cyber security risks originate from attacks by organised criminals or from people within an organisation (e.g. employees, contractors or third parties). Very high operational impact could materialise from a malicious data disclosure, with other high profile impacts coming from CEO fraud / business email compromise and ransomware.
Figure 1: Cyber security risk radar (figure not reproduced; Source: KPMG International)
Vertical axis: Operational Risk Impact (Low, Medium, High, Very High). Horizontal axis: threat actor (Insiders, Nation states, Hacktivists, Organised crime, Competitors). Probability key: Very likely, Likely, Possible, Remote.
Threats plotted: Website compromise for cryptocurrency mining; Accidental data loss; Fake website; Intellectual property theft; Data manipulation; Targeted attacks on payment systems; Distributed Denial of Service attacks; Client data theft; Ransomware; Sabotage; Social engineering; CEO Fraud & Business Email Compromise; Malicious data disclosure; Malware distribution to clients; Social media attack & hijacking; Website defacement; Trading strategy theft; Social media impersonation.
CYBER SECURITY THREATS TO THE ASSET MANAGEMENT SECTOR
This section presents a view on how cyber security threats could potentially impact the asset management value chain. Figure 2 below presents an end-to-end example of an asset management firm’s value chain, with the key cyber security threats overlaid.
Figure 2: Cyber security risks to the asset management value chain (figure not reproduced; Source: KPMG International)
Columns: Distribution Channels, Front Office, Middle Office, Back Office. Rows: In-house, Third parties, Infrastructure and market utilities.
Value chain elements shown: Digital client apps; Customer relationship management for sales; Robo-advisers; Investment strategies & research; Trading applications & algorithms; Risk models; Portfolio management; Regulatory reporting; Payments and settlements; Marketing and social media; Human resources; Finance systems; Third party administrator; Retail fund platforms; Custodian bank; Cloud; Website and applications; Market data; Data transmission & protocols (e.g. SWIFT / FIX); Financial market infrastructure & exchanges.
Key to the threat codes overlaid on each element: 1 Client data theft; 2 Data loss; 3 Payment fraud; 4 Website or social media attack; 5 DDoS attack; 6 CEO fraud; 7 IP theft; 8 Ransomware.
Some of the key observations from Figure 2 are:
• Cyber security risks can materialise across the entire value chain and in particular there are risks around the theft of client data and intellectual property as well as payment fraud.
• Given the significant use of third parties and the complex web of providers, there are risks to client data as this is processed by third party administrators and custodian banks.
• There is an increased use of, and dependency on, infrastructure and market utilities. In particular, there are multiple cyber security risks associated with the use of cloud service providers to support across the entire value chain that should be managed.
EXAMPLES OF CYBER SECURITY INCIDENTS
Figure 3 depicts a selection of publicly reported cyber security incidents based on KPMG’s research of online sources. It shows incidents suffered by asset management firms or other closely related industries, and highlights that the overwhelming majority of incidents suffered have involved client data theft or data loss more generally.
Figure 3: Cyber security incidents in the asset management and related industries (figure not reproduced; Source: KPMG International). Incidents are numbered 1 to 15 and plotted by incident type and severity.
A summary of the medium to high severity incidents is provided below:
(1) Online Brokerage: hackers accessed 4.6 million clients’ personal information including their contact details
(2) Global Bank – Wealth Management Division: forced to pay $1 million fine after an employee stole data about approximately 730,000 customer accounts
(8) Wealth Manager: details about thousands of the firm’s clients were leaked, not stolen, to investigative journalists, resulting in high-profile news stories
(10) Investment Firm: an employee sent $495,000 to a bank account in Hong Kong after being tricked by a spear-phishing email claiming to be from a company executive
(11) Investment Managers: criminals copied names, logos, addresses and created look-alike websites of multiple high-profile asset management firms. 95 dubious websites appeared on the Financial Conduct Authority’s warning page for clones in the first nine months of 2017
(12) Online Brokers: a hacker broke into at least four different brokerage firms to make fraudulent trades aimed at manipulating share prices so they could benefit from this. The attack caused $1 million in losses for the victims
See Figure 3 references in the appendix
Figure 3 key. Incident severity: Minimal, Low, Medium, High. Incident types: Client data theft; Data loss; Payment fraud; Website attack; DDoS attack; CEO fraud; IP theft; Ransomware.