Cybercrime and cyber security attacks hardly seem to be out of the news these days and the threat is growing globally. Be it a major financial institution or an individual, nobody would appear immune to malicious and offensive acts targeting computer networks, infrastructures and personal computer devices. Firms clearly must invest to stay resilient.
Indeed, and according to the latest results of the 2016 Global Asset Management and Administration Survey from Linedata, a NYSE Euronext-listed IT vendor providing solutions to the investment management industry around the world, cybercrime is being viewed as the “greatest business disruptor” over the next five years. But alongside this regulation remains a priority for financial firms.
The 20-page survey, which was conducted by the fintech vendor in the fourth quarter of 2015 and canvassed two hundred market participants either face-to-face at Linedata Exchange events in London and San Francisco or via an online survey, found that more than a third (36%) of respondents were concerned about the threat from cyber criminals.
Undoubtedly this figure was buoyed by the large number of recent high profile cyber attacks. These have included a recent one on Ashley Madison, the Canadian-based online dating service, whose site was hacked on July 15, 2015 by a group calling itself ‘The Impact Team’. Prior to this the website of phone and broadband firm TalkTalk in the UK saw almost 157,000 data breaches last October. The incident resulted in a bill of up to £35m (c.$49m) bill, which highlights the financial crushing that that can be wrought.
And, back in October 2014, JPMorgan Chase, the biggest US bank by assets, witnessed the addresses, names, telephone numbers and emails of a whopping 76 million homes – equivalent to a tad under two-thirds of all households in America – being compromised in a cyber attack.
Gauging the exact size of cybercrime and putting a precise US dollar dollar value on it is nevertheless tricky. One thing we can be sure about though is that the number is big and most probably larger than the statistics reveal. Also, very few people ever know they’ve been attacked or defrauded. Or, if they do it’s often many months later.
Kurt Baumgarten, Head of Information Security & Technology Management at Linedata in Boston, MA, commenting at a recent cybercrime panel in London, said: “According to some recent figures [on cybercrime] the global figure has been put at around $200 billion (bn) annually. Or, looking at it from the retail level $670m in associated costs through theft, time loss, identify theft, etc.”
According to the UK Government body for cybercrime the numbers range from £11bn to £27bn per annum for the entire UK and Plc economic impact. But perhaps the more worrying statistic is that this figure only relates to a third (34%) of cybercrimes actually being identified within six months of incidents occurring.
We could also cite the impact on a firm’s brand and reputation from an attack, which has the potential to cause permanent and catastrophic damage. In certain circumstances it might ultimately cost even more over the longer term.
In fact the future may frighten some given that we can expect the amount of cyber-attacks to be on a steep increase going forward.
One only has to look, for example, at there being one connected device (i.e. computer) per person on the entire planet in 2013. By 2015 it had risen to two devices per person, and by 2017 it has been projected to reach three per individual. So, even if the level of cyber-attacks is not increasing as a percentage, the actual set of data and global data sloshing around the world will lead to an increase.
Regulation Cited As Main Concern
Linedata’s latest survey findings, which update a previous analysis from 2013 undertaken by the vendor, reveals that 58% of respondents spanning asset managers, hedge fund managers, fund administrators and other stakeholders in the asset management industry (i.e. custodians and prime brokers included), also finds that regulation was their main and “most serious on-going concern”. This isn’t perhaps a surprise given the whole host of regulations being pumped out in Europe and North America.
Adaptation to new regulatory regimes was ascribed as the “top challenge” facing firms. Cybercrime is nevertheless rising up the agenda for financial firms as well as across other industry sectors.
Over the past year various regulatory bodies have been seeking to address the thorny issue of how market infrastructures can remain resilient in the face of the growing cybercrime threat. It used to be a matter of concern just to IT heads within trading firms, but now it’s focussing the minds of senior individuals right up to the CEO and board level.
Last year President Obama was pushing cybercrime law and unveiled a further package of cybersecurity legislation, which proposed new powers to tackle cybercrime and limited liability protection for companies who share information on cyber threats.
Michael de Verteuil, Head of Business Development at Linedata who is based in Paris, commenting in the wake of the firm’s survey says: “While the key challenges of managing regulatory change and maintaining operational efficiencies remain at the fore, the threat from cyber criminals has been added to asset managers’ growing list of concerns.”
Highlighting how matters have progressed and the response of authorities in the US, the Department of Homeland Security (DHS) last October made the month ‘National Cyber Security Awareness Month 2015’. “Cybersecurity is a top priority for DHS. Cyber threats are increasing in their frequency, scale, and sophistication,” stated Alejandro Mayorkas, Deputy Secretary of Homeland Security as the initiative commenced.
Coinciding with that DHS’s efforts, US exchange Nasdaq made cyber security its inaugural topic in its Nasdaq ‘POINT’ Series, which is a new quarterly corporate threat preparedness initiative.
Technology Deployment Key
Mr de Verteuil, who was involved in founding Linedata alongside Anvaraly Jiva, argues that the “judicious use of technology” in addition to adoption of best practice, is “vital for firms wishing to differentiate themselves and add value to their offering in today’s marketplace.”
It was also a line I heard underscored at a briefing at the British Bankers’ Association in London earlier in the week (24 February 2016) covened by Merit Software on preparing for the US Internal Revenue Service’s (IRS) Section 871(m) tax regulations, which address withholding and dividend equivalent payments on certain notional principal contracts, derivatives and other ‘equity-linked’ instruments for non-US persons.
Alongside other transaction taxes (e.g. the EU’s Financial Transaction Tax (FTT)), complying with 871(m) will require many data items and statistics to be pulled together by firms across a wide variety of instrument types. (Note: The 871(m) regulations will generally apply to transactions issued on or after 1 January 2017). So, with ten months to go firms need to get ready and have systems in place.
Searching For Efficiencies
“In the hunt for greater efficiencies, technology can reduce costs and improve margins while offering both clients and businesses a faster, more comprehensive and intuitive experience,” says de Verteuil. “Meanwhile, new technology is driving change in the sector, both in terms of the products it can support and the way it can support them.”
It was interesting to see that the survey found that the lowest ranking challenge is service provider oversight, such as third-party administrators.
The authors of Linedata’s current survey noted in relation to this aspect that: “We see three possible interpretations of this: oversight is not seen as a challenge relative to other more pressing concerns. Or, because our respondents feel that they have appropriate measures in place in terms of service provider oversight, or that this has been an underestimated challenge to date.”
In all events, this is certainly an interesting data point given that the emphasis that regulators are putting on oversight – a concept that is addressed by welter of regulations – in AIFMD, UCITS, MiFID, MiFIR, REMIT and local legislation such as the UK’s FCA rules – to name a few out there on the block.
Cybercrime: Need For ‘Preventative’ & ‘Reactive’ Controls
As regards cybercrime, combatting attacks and staying resilient, firms need not only to take and put ‘preventative’ controls in place – i.e. buying solutions to try and stop it happening in the first place. But perhaps more importantly they need ‘reactive’ controls – alongside with detective controls – to know what actions to take when a cyber attack is identified.
It would also make sense to consider having framework contracts (i.e. period rates) in place in advance when buying Cyber Forensic Services to deal with any attack. By contrast to calling on senior experts in this area at ‘crisis rates’ – at daily rates as high as around £8,000 (c$11,200) – it can prove cost effective having standard market rates at around a third of that figure (c.£2,500-£3,000) through having a framework contract.
Mark Brown, Executive Director, Cyber Security & Resilience, at Ernst & Young LLP based in London, commenting on how much financial institutions spend in addressing cybercrime and whether it’s ever enough, points out: “The problem is not so much how much firms spend [on this area], but rather how they spend it and ensuring they get the right product and/or right advice.”
Knee-jerk reactions and throwing constant pots of money at the problem is not the answer. Firms need to sort out their governance, awareness, their organizational culture and critically “look at the business purpose and processes” according to EY’s Brown. But whatever else, one thing you can be certain over is that the threat of cyber attack is not going away anytime soon. I’m just left wondering when and where the next cyber attack occurs.
This article was written by Roger Aitken from Forbes. This reprint is supplied by BNY Mellon under license from NewsCred, Inc.
BNY Mellon is the corporate brand of The Bank of New York Mellon Corporation and may be used as a generic term to reference the corporation as a whole and/or its various subsidiaries generally. This material does not constitute a recommendation by BNY Mellon of any kind. The information herein is not intended to provide tax, legal, investment, accounting, financial or other professional advice on any matter, and should not be used or relied upon as such. The views expressed within this material are those of the contributors and not necessarily those of BNY Mellon. BNY Mellon has not independently verified the information contained in this material and makes no representation as to the accuracy, completeness, timeliness, merchantability or fitness for a specific purpose of the information provided in this material. BNY Mellon assumes no direct or consequential liability for any errors in or reliance upon this material.