The cost of cybercrime has risen dramatically in the past few years. The EU Commission estimates that the global cost reached €5.5 trillion by the end of 2020, double the 2015 figure. The impact of this criminal activity is felt by individuals and corporations alike. In the EU in particular, there has been a policy and media focus on protection through legislation such as the second Payment Services Directive (PSD2), which mandated strong customer authentication, in practice two-factor authentication, for electronic payments. Progress in the corporate world, however, has been somewhat slower. Whilst fund managers and others must abide by data protection laws, there is currently no comparable set of mandatory cybersecurity obligations that businesses must meet.
The fund management industry is changing, with regulatory bodies taking a stronger interest in how managers implement best practice in cybersecurity. The Central Bank of Ireland conducted a thematic inspection of cybersecurity risk management in asset management firms in 2020, and later that year the EU published its draft Digital Operational Resilience Act (DORA). The latter envisages a wholesale revamp of how financial services firms and their critical ICT providers act to improve their resilience against bad actors in cyberspace. This work also reflects guidelines and best practice material published by the Federal Reserve in the U.S. and the PRA and FCA in the UK, which likewise focus on how institutions can guard against cybercrime by making their systems more resilient to compromise.
Some may say that fund managers have been slow to recognise the need to make cybersecurity a primary focus. Such a view ignores the operating reality: funds don’t own their own technology platforms and instead rely on Service Level Agreements with external providers which they, not unreasonably, expect to give their operations an appropriate degree of protection. The changing expectations of regulators mean that forward-looking fund managers and fund boards won’t be able to rely solely on those contractual arrangements in the future. In Ireland, for example, the Central Bank’s guidance requires regulated financial service providers to evidence up-to-date IT policies and an overall technology structure that aligns with the provider’s risk strategy.
Fund boards, including their Independent Non-Executive Directors (INEDs), need to ask how they are going to meet these evolving regulatory demands. Historically, the traditional model would be for a fund to enlist the support of a standalone cybersecurity service. That provider would in turn liaise with others such as the governance and compliance advisors but would report separately to members of the board.
This approach creates several problems. A fundamental one is that, when boards receive accurate but highly technical information about cybersecurity risks, they may lack the technical capability to translate that analysis into clearly defined actions. Most fund boards focus on ensuring they have directors with a broad range of financial services expertise; few of those directors are likely to be cybersecurity specialists. In addition, if cybersecurity is handled separately from the fund’s other service providers, boards risk receiving disjointed and inconsistent information about data protection and cybersecurity provision.
That’s a clear concern, especially for INEDs, who are becoming ever more aware of their personal responsibility for ensuring that funds properly manage and mitigate their cybersecurity risks. The gold-standard approach would be for every fund to have its own permanent Cyber Officer. However, many funds aren’t of a scale where the cost of such a person would be proportionate to their activities. This is why firms such as Waystone are now offering an integrated cybersecurity and data protection solution that sits alongside existing compliance and governance services. These next-generation services offer fund boards regular cybersecurity training, accessible cyber assessments and access to a Cyber Officer as needed.
It’s important to remember that bad actors looking to breach and damage digital infrastructure are not the only issue funds currently face. Issues around the processing and handling of data remain a concern for the whole financial services industry. Given the institutional nature of many funds’ investors, there might be a preconception that data protection is a second-order issue for fund boards. That isn’t the case: funds still hold responsibility for a great deal of personal information, whether relating to staff, to investors in the fund or to beneficial ownership records. It is also worth noting that, in most jurisdictions, a personal data breach triggers a requirement for timely reporting to regulators; under the GDPR, for example, the supervisory authority must be notified within 72 hours of the controller becoming aware of the breach, unless it is unlikely to result in a risk to individuals.
Well-governed funds should look to embed cybersecurity management and data protection in a sustainable and responsible way, not only because of the changing regulatory outlook but also because investors are increasingly interested in how funds actually handle these risks, rather than merely in whether the fund has committed to doing so as part of its due diligence questionnaire. Fund managers have largely stayed out of the headlines precisely because the industry hasn’t yet seen a major cybersecurity breach that has led to financial loss or compromised technology platforms critical to its operation. But as we all know, past performance is no guarantee of future results, which is why responsible funds should look at how they can integrate best-in-class cybersecurity and data protection into their day-to-day operations.
Conor Flynn, Chief Information Security Officer, Waystone