Fund Managers Face Heightened Cyber Risks
In the Global Risks Report 2018, the World Economic Forum anticipated that cybercrime would cost businesses US$8 trillion over the next five years. In this year’s report, “technological vulnerabilities” are cited as among the top five global risks, alongside key environmental and societal risks, such as “extreme weather events” and “weapons of mass destruction.”
In 2019, there has been a spike in targeted cyberattacks against Asia-based fund managers, especially those in a startup phase of business. Recent attacks on Hong Kong and Singapore‑based fund managers have included the following:
- Identification of key persons interfacing with investors through social media outlets such as LinkedIn and Facebook. These persons are then targeted for specific hacking and phishing attacks in startup institutions with system vulnerabilities.
- Copycat websites pertaining to marquee fund launches in an attempt to dupe unwitting investors into remitting funds to accounts run by cybercriminals.
- Widespread evidence of protracted periods during which cybercriminals have been able to hack into vulnerable systems, monitor transactions and personnel movements with targeted precision, and remit sophisticated instructions to other staff members designed to effect fraudulent transfers.
- Impersonation of key senior personnel to remit fraudulent payment instructions via telephone and video. The use of social media to identify and aid more effective impersonation is proliferating.
Startup fund manager institutions are viewed as particularly vulnerable to such attacks. Targeted attacks typically occur ahead of scheduled travel or peak holiday periods when vigilance may be relatively less disciplined.
Preventive Measures
Despite the alarming spike in cybercrimes, the U.S. Securities and Exchange Commission (SEC) recently discovered that 26 percent of U.S. investment management firms examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities and their potential business consequences. Regulators worldwide, including the Securities and Futures Commission of Hong Kong, have issued guidelines for reducing and mitigating hacking risks. These controls include the following:
- Implement multifactor authentication: Multifactor authentication is widely lauded as the most effective control to detect and prevent unauthorized access. For remote access to emails, trading systems and other electronic data containing confidential information, the authentication mechanism should utilize at least two of the following factors:
  - what a person knows (e.g., standard login passwords)
  - what a person has (e.g., hardware tokens and one-time passwords)
  - who a person is (e.g., biometrics)
  Note, however, that a dual-password model constitutes only one factor (i.e., what a person knows), which may not be sufficient.
- Set session timeout controls: Users should be required to log in under the multifactor authentication system again after a period of inactivity.
- Verify investor/counterpart messages: Before payments are made and/or sensitive documents are transferred in accordance with instructions received, relevant staff should follow a standard playbook and confirm the identity of the investor/counterpart and the legitimacy of the instruction – for example, by contacting the investor or counterpart via another agreed channel of communication.
- Install spam/phishing email filters: While awareness is important, filtering and blocking emails from unknown sources that contain suspicious hyperlinks, attachments or malware can further mitigate key risks that commonly emerge from human error.
- Identify external messages to users: Most email applications allow users to configure automatic warning messages for emails from external senders.
- Alert users before opening a link/attachment: Common email applications and add-ons will instantly display warning messages before a user opens an attachment or hyperlink from an external sender.
- Provide regular training: Industry experts should provide regular cyberawareness training to ensure that all personnel remain alert to evolving cyberthreats and recent trends.
Crisis Management
Even with robust controls in place and extensive precautions taken, an unauthorized data breach may occur. Decisions must be made swiftly and effectively in the event of a system breach to optimize the prospect for recovery and to mitigate losses. The firm should consider the following:
- Mandatory reporting to international regulators and law enforcement: A cyberattack can give rise to myriad international law issues. It may trigger mandatory reporting requirements in the jurisdictions where the fund, the fund manager, the bank account and the investors are located. Regulators in many key jurisdictions are typically critical of firms that delay reporting pending the outcome of investigations.
- Voluntary notification to regulators and law enforcement: While a voluntary self-report to a regulator may be perceived as a responsible and prudent gesture in one jurisdiction, this may create a cascade effect triggering mandatory reporting requirements in other jurisdictions.
- Disclosure to investors and other stakeholders: The firm should understand the full extent of its legal and fiduciary duties in the event of a data breach.
- Data privacy issues: Cyberattacks often involve identity theft. The firm should consider potential claims by investors and other relevant parties in evaluating next steps.
- Forensic investigation: The firm should consider engaging cybersecurity experts and consultants to conduct a full forensic investigation to understand the extent of damage, the loss of confidential information, existing system vulnerabilities and possible remedial and contingency actions.
- Insurance: The firm should communicate with its insurance company and review policy coverage. Insurance should be specifically evaluated with potential cyberattacks and data breaches in mind.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.