Investment Managers: Three Critical Cyber Risks to Know

Traditionally, cyber risk has been associated with companies that have a high volume of records with personally identifiable information. Think banks, mutual funds, retail stores, healthcare, and the like. 

But alternative investment managers, such as venture capital, private equity, hedge funds, real estate funds or family offices, are not immune to cyber risk either. In fact, a 2019 report stated that cyberattacks are 300 times more likely to target the financial services sector, while only 6% of financial service companies report that their information security meets their needs according to an EY report. And these stats don't even consider the risk of cyber terrorist attacks on the operations of portfolio companies.

Here are three areas of cyber risk you should focus on as an investment manager, how to mitigate them, and how cyber insurance will respond. 

1. Ransomware

Ransomware is malicious software that infects a computer system and blocks access to it or your data until a ransom is paid. Applying a ransomware scenario to an investment manager, you can see how quickly the impact of a ransomware event might be felt by the business. The inability to access critical technologies, the embarrassing publication of personal investor details, or dealing with the technology and legal sides of a ransomware attack can derail many companies. 

Investment management firms have plenty of high value intellectual property that is the target of attackers. Think proprietary trading algorithms, model portfolios, and other trading platforms and order management systems; not to mention the IP owned by portfolio companies that may be accessible through an investors network.

As recently as July 2020, TCW and MetWest Funds suffered a cybersecurity incident believed to be ransomware.

More recent trends in ransomware attacks serve to put even more pressure on companies to pay the ransom. Specifically, some attackers are actually stealing the data before encrypting it in order to release the data publicly if the victim doesn't pay. Under a similar vein, some attackers are now publicly shaming companies they have successfully infiltrated but which haven't forfeited the desired ransom amount through designated data leak sites. . 

Despite this trend, 56% of ransomware victims in 2019 were able to restore their data using backups according to The State of Ransomware 2020 report by Sophos. This is in line with the FBI's Internet Crime Complaint Center (IC3) recommendations, which promote backing up data and storing it offline as a proactive measure against ransomware. "Offline" is the key word here, as ransomware attacks have been known to target backups as well.

Even though paying a ransom can restore your system quickly after a ransomware attack, the IC3 discourages organizations from doing so. Only 26% of victims in the Sophos report did pay. 

But when they did, it doubled the cost of dealing with the attack, according to Sophos:

Paying the ransom doubles the cost of dealing with a ransomware attack. The average cost to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.) is US$732,520 for organizations that don't pay the ransom, rising to US$1,448,458 for organizations that do pay. [According to the report, the average cost of remediation for ransomware in the US was about $623,000.]

For more on how cyber insurance would respond in a ransomware attack, see our article on Ransomware Attacks and Your Cyber Insurance: A Complete Action Plan.

2. Social Engineering

Social engineering involves the manipulation of people to give up confidential data. And the investment sector is the newest target. 

It can involve phishing scams that use email, social networks, and more, and other means (like AI) to trick people into gaining sensitive information.

Perhaps one of the earliest examples of this is the infamous "Nigerian prince" email scam (which apparently still brings in about $700,000 a year). 

But not every social engineering scam is known and easily detected. Notwithstanding that attackers are becoming more sophisticated, human error already contributes to 90% of cyberattacks on a business. And according to Kaspersky, phishing/social engineering was among the top two causes of a serious data breach for businesses in North America. 

Business email compromise (BEC) is a result of social engineering scams that target individuals who perform transfer-of-fund requests. IC3 reports there was a 100% increase in global exposed losses from BEC between 2018 and 2019, resulting in $26 billion in losses. 

One example of BEC is the October 2019 attack on Arena Investors, the Kansas University Endowment and Community Foundation of Texas. In this attack, the hackers were able to compromise an individual account and then target other potential victims with legitimate emails containing malicious links. While this attack wasn't successful in transferring any money to the attackers, it highlights the possibility of loss from such a simple failure of employee vigilance. 

In a bit of good news, social engineering coverage is available to protect companies from this type of fraud through cyber insurance and crime policies. It's important to work with your broker, though, to understand how these two policies can work together. 

For more on what might be covered on a crime policy versus a cyber policy, see an earlier article we wrote here. 

3. Reputation Loss

One cyber risk that may not be top of mind is the reputational risk that your firm could face as a result of a cyber event. This could mean lost revenue in the form of service or investment fees impacted by an influx of redemption requests from concerned clients. 

Whether it's a ransomware attack, a social engineering scam, or something else, there's an inherent lack of trust in companies that have suffered a breach. According to a survey at PwC, 87% of consumers "will take their business elsewhere if they don't trust a company is handling their data responsibly."

This is especially concerning for asset managers and their ability to attract future investors or deal with redemption requests from current clients. 

Cyber insurance coverage can apply for lost revenue due to reputation damage occurring from a cyber incident, usually limited to a specific time period. That's key for asset managers because redemptions typically take time. 

But over an extended period of time, whether it's six months or 12 months, you will see that reputational impact come into focus and potentially have a way to quantify the impact of lost fees due to redemptions and claim that under an insurance policy.

What's Not Covered by Cyber Insurance: Inability to Trade

Cyber insurance covers the typical losses that an alternative investment manager would face after a cyber event. This includes all of the areas that I have outlined in this article on what cyber insurance covers. 

However, losses due to the inability to trade after a cyber event that causes your network or another network to go down would not be covered. 

One example of this is the stock-trading app Robinhood and its outages earlier this year due to infrastructure issues. Some people claim that they lost as much as $100,000 as a result of the outages. 

Managing Cyber Risk

In summary, investment managers face more cyber risk than they may think. Any business that relies on technology and people is at risk. Today, a cyber incident is not really a question of "if" but "when" it will happen. 

Mitigating cyber risk often requires a multi-faceted approach, including employee training, strong cyber security controls, appropriate attention from the board, and increasingly an investment in cyber insurance. We recommend firms conduct a financial damage assessment to better understand the risks they face, quantify those risks, and understand how an insurance policy can offset potential losses.

Outside of insuring losses suffered directly, cyber insurance can provide the added benefit of a turn-key incident response process. Most cyber insurance carriers have pre-approved vendors on stand-by to help clients through every aspect of immediate incident response, including legal and IT forensic specialists.

With proper cyber risk management, alternative investment managers can proactively deflect the common cyber risks of operating a business in today's day and age.