Following on the heels of both the Secret Service and the FBI sending out warning advisories to retailers about the ongoing cyber attacks, now the Securities and Exchange Commission (SEC) has publicly stated that it will be looking at what "policies are in place to prevent, detect, and respond to cyber attacks"1 at the nation's financial asset management companies.
Having just this month (3/14) briefed hundreds of financial executives through their SIFMA annual education program at Wharton, and hundreds more financial fraud investigators through their Association of Certified Financial Crime Specialists (ACFCS), I can say with certainty that these are all the right questions to be asking asset managers, who not only manage huge multibillion-dollar portfolios, but also access and store extensive personally identifiable information (PII), which in itself is valuable to thieves today. Until recently, asset manager companies felt secure by their very obscurity, since they do not typically project a large profile to the media or population at large. But assuming the thieves won’t find you won’t work as a defense any longer, as our Global Threat Intelligence teams regularly track highly advanced and organized thieves that focus only on two things -- finding things of value, and determining how hard they will be to steal. So if you’re in business today and have anything of value (in the case of asset managers that have both money and PII), the only variable you can control is how hard you make it to steal. The security paradigm has to shift towards an inward focus. Securing the virtual supply chain is paramount when attempting to manage modern-day operational and reputational risk," reminds Tom Kellerman, managing director for cyber protection at Alvarez & Marsal.
Unlike the retail sector, which got some forewarning but some bad advice and no threat of regulation to improve, the financial asset management companies are getting forewarning and better advice, but also a hammer of SEC investigations to ensure compliance.
The SEC is right to focus companies on their ability to “prevent, detect, and respond to cyber attacks,” rather than attempt to tell each of them specifically which malware signatures to look for (these new ones change or "morph" constantly, so signature-based defenses won't find them).
--Prevention takes on a number of layers, including security education, roadmaps, architecture, monitoring, and management.
--Detection requires highly advanced and current techniques, technology, and talent, and trying it yourself or with standard commercial tools will generally lead to a false sense of security.
--Response has two critical success factors -- advance expert planning and access to the right team of integrated experts when and where you need them.
One of the key lessons that the asset managers can learn from the ongoing retail attacks is that they need to address the security not only of their enterprise, but also all of their supply chain partners that have access to their networks. In the case of Target, entry was gained by first breaking into a trusted supplier, and then using their access to get into Target's systems. At the end of the day, it's still Target that takes the hit. By flowing top-level security policies down to vendors and partners, you greatly reduce the chance that you’ll be successfully attacked from the bottom up. This can be done through a combination of security policy changes, purchasing contract changes, and more rigorous testing of your third parties. While these changes may cause some short-term consternation with your supply chain folks, the small efforts here could be the difference between continued operations and a total loss of trust to your client base.
While it may seem like the cyber sky is falling with the weekly headlines of new breaches, in reality the story for asset management companies is very bright. While these threats are real, and most certainly now active in asset management environments, security firms that have years of hands-on experience with these specific advanced threats (in defending Government and Defense clients) on top of decades of overall experience in the cyber defense business, not only have the tools to quickly detect what malware is inside your networks today, but also partner with you to protect and respond.
1 Jane Jarcho, National associate director for the Securities and Exchange Commission's investment adviser exam program, to Reuters on 27 January, 2014