Regulatory action on cyber-crime inevitable, says KPMG

14 May, 2015

It is inevitable that regulators will force fund managers to disclose to the authorities whether they have been subject to a cyber-attack, according to KPMG.

This comes as John Carlin, assistant attorney general for national security, told delegates at the SALT Conference in Las Vegas that managers need to pay increasing attention to cyber-threats and share more information with governments when hackers attempt, or succeed in causing, disruption. The Department of Justice also warned investors that their data was at risk and that they could incur losses in the event of a cyber-attack. As such, managers have been urged to bolster their security measures against cyber-criminals.

“I believe it is a dead certainty that regulators everywhere are taking note of the issues around cyber-crime, particularly at asset managers. While the industry has collaborated increasingly on the issue, I think regulators are going to impose rules on reporting cyber-breaches soon. Unfortunately, I do not believe this will be done in a uniform manner but the rules will be fragmented,” said Matt White, senior manager in KPMG’s Cyber Security practice.

The Securities and Exchange Commission (SEC) has examined 100 broker-dealers and asset managers on their cyber-security policies and is likely to advise later in the year on what needs to be addressed. This review came amid a number of high-profile breaches at financial and non-financial institutions.

However, fund managers are increasingly cognisant of the issue. “While many of the potential breaches are probably not being reported, it is likely they are common (or unrealised), making the investment management sector similar to many others, but this is improving. More and more frequently we are being approached by investment management companies asking if there is any advantage that can be gleaned from the sector’s ‘older siblings’ in financial services, such as the higher tiered banks. By taking their ‘lessons learnt’ and applying them we can more quickly help shore up their defences, with companies not realising that potentially small changes can help them get the basics right, reducing their potential exposure to risk of a breach,” said White.

The Depository Trust & Clearing Corporation (DTCC) published a white paper in October 2014 urging regulators and financial institutions to collaborate more closely on the threats posed by cyber-crime. The DTCC advised regulators and financial institutions to share more information on the nature of those threats, and recommended the creation of a harmonised, clear and non-duplicative notification system to achieve this.

The white paper advocated the formation of global industry working groups, which would work with national regulators to develop sensible cyber-security regulation capable of addressing these risks on a real-time basis. The UK appears to be ahead of the game. In summer 2014, the Bank of England unveiled a new cyber-security strategy for financial institutions at a summit held by the British Bankers' Association (BBA). The initiative - known as CBEST - stress-tested the security systems of financial institutions using real threat intelligence, including information gathered by monitoring the Internet for indications of potential threats to specific firms.

A DTCC survey of clients towards the end of 2014 found that a record 84 per cent identified cyber-risk as one of their top five concerns, up from 59 per cent in March 2014. Thirty-three per cent ranked cyber-crime as the number one systemic risk to the broader economy, up from 24 per cent in March 2014.

The reputational risk of falling victim to a cyber-attack is substantial. A KPMG survey of global institutional investors with more than $3 trillion in assets under management (AuM) found that 79 per cent would be discouraged from investing in a business that had been hacked.

One way fund managers can mitigate the fall-out from cyber-attacks is to purchase cyber-insurance, a nascent form of cover. Such coverage can mitigate liability for data breaches and for regulatory actions such as fines. In addition, a sensible policy should pay for forensic experts to determine the cause of the breach and for crisis management such as public relations. Coverage should also extend to lost income or extra expenses arising from Distributed Denial of Service (DDoS) attacks or theft, as well as to hardware damage and extortion. Regulatory coverage was singled out as particularly important. Nonetheless, 74 per cent of security professionals across all sectors surveyed by KPMG said their businesses did not have cyber-insurance, and of those that did, 48 per cent doubted the policies would pay out if called upon.

“Cyber insurance is an embryonic form of insurance coverage. One of the challenges is that different countries have different rules on this issue. For example, even within the US, there are different rules. It is essential firms get global coverage to reduce the risks,” said White.


cyber crimeKPMG