A new study just released by Moody’s Investors Services about the cybersecurity preparedness of US fund management firms suggests that asset managers could face a credit ratings downgrade if they can’t protect their critical data. That data could include anything from a proprietary algorithm to trade positions, client data and business strategies.
“Although client assets reside at custodian banks and are not directly held by asset managers, we believe there could be monetary loss from delayed or halted trading if a cyberattack were to disrupt operations,” says David Wang, assistant vice president at Moody’s who co-authored the report on asset managers and cybersecurity. “A widely publicized breach could also lead to the loss of assets, especially given the industry’s increasing competitive pressures and relatively low switching costs.” That is when a ratings downgrade could take place, says Wang.
Moody’s isn’t the first ratings agency to incorporate cybersecurity preparedness and breaches into its ratings analysis. Rival S&P says it does so as well. However, Moody’s research on asset managers suggests a tightened focus on their practices and vulnerability to cybercrime in evaluating asset managers’ credit ratings.
The good news: although no major asset manager has publicly disclosed a cybersecurity breach, concerns over potential monetary and reputational risks have already led fund managers to take some action, says Moody’s. For starters, C-level understanding of the importance of cyberresilience is on the rise. So are reliance on third-party vendors and execution of internal preparedness testing. The bad news: fund managers still have a few gaps to fill before they can claim to have comprehensive cybersecurity programs in place.
At the very least, asset managers know they have to meet minimum regulatory demands. The US Securities and Exchange Commission has repeatedly indicated that it will be reviewing cybersecurity preparedness in its exams. Colorado recently became the first US state to impose prescriptive cybersecurity policies for asset managers doing business in that state.
Whether the threat of a ratings downgrade will motivate fund managers to take greater steps to protect critical data is anyone’s guess. Moody’s wouldn’t say how much cybersecurity preparedness, or the lack thereof, impacts its credit-rating decisions.
Moody’s not-so-subtle warning is good news for institutional investors who hope that third-party pressure will prompt asset managers to make the necessary investments in cybersecurity programs. Timothy Ng, chief investment officer for Clearbrook Global Advisors in New York, says that an asset manager’s cybersecurity preparedness will account for about twenty percent of Clearbrook’s total risk profile. “It’s one thing for an asset manager to lose money because of unpredictable market fluctuations, but another to do so because the right cybersecurity controls weren’t implemented,” he cautions.
Moody’s won’t say how many US fund managers it reviewed, which ones it analyzed, or the value of their assets under management. Based on previous announcements from Moody’s, it has issued credit ratings for some of the US’ most prominent fund managers. They include Alliance Bernstein, BlackRock, Eaton Vance, Janus Capital, Legg Mason and Neuberger Berman.
Level of Preparedness
So far, asset managers appear to be paying at least some attention to cybersecurity. Over one-third of the chief technology officers or chief information officers at the surveyed asset management firms who are responsible for developing cybersecurity programs report to the chief executive officer and other C-level executives about their cybersecurity programs on either a quarterly or a monthly basis. About 40 percent of those in charge of cybersecurity programs report to the board of directors annually, and 40 percent do so quarterly. Those reports include the specifics of the cybersecurity programs, including escalation procedures in the event of a data breach.
Outsourcing appears to be the major trend for cybersecurity directors, with 44 percent of those surveyed saying that they relied on third parties to ensure their preparedness. Moody’s did not specify which functions were outsourced, but ten chief technology officers at US fund management firms who spoke with FinOps say that the most common tasks they outsource are annual vulnerability and penetration testing. Five of the ten officers say that they have also relied on consultancies to help design cybersecurity programs and monitor their effectiveness. Six of the ten officers say that they will use an external firm to help with employee training.
“Some of the smaller asset managers with newly hired technology staffers were relying on third parties more heavily than larger firms with greater internal resources,” Wang tells FinOps. On average, the asset managers reviewed by Moody’s used 11 cybersecurity vendors. The most common uses were for testing and employee training, he says.
When it came to testing their cybersecurity preparedness, doing the basics seems to be the norm. All of the firms surveyed were doing at least minimal vulnerability scanning, with 90 percent also conducting penetration testing. Penetration testing takes vulnerability scans to the next level by proving the actual severity of the firm’s IT weaknesses and the potential for a data breach.
However, only half of the asset managers surveyed by Moody’s engaged in tabletop simulation, that is, walking through a scenario to see how staffers at the asset management firm would react to a data breach. Such simulations can help identify whether firms have correctly formulated a plan for who should perform which tasks and who should be notified. What’s more, only 40 percent conducted red-team testing, the most advanced form of penetration testing, in which external hackers are engaged to try out different scenarios for stealing sensitive data.
Yigal Behar, chief executive officer of 2Secure, a New York-based cybersecurity technology provider for small to mid-sized fund managers, isn’t surprised by Moody’s results. His own rating of cybersecurity preparedness for asset managers: low to medium. “Granted, asset managers are paying more attention to cybersecurity, but vulnerability and penetration testing is as far as all but the largest ones will go,” he says. The reason: they just want to check off the compliance box, and they think that buying cybersecurity insurance is a panacea. Some asset managers believe that the cost of cybersecurity insurance would be far less than that of administering a full-fledged cybersecurity program, including more frequent advanced testing.
Not so, cautions Behar. “Cybersecurity insurance might not pay for human errors and that is where the greatest vulnerability often lies. One click on the wrong email and the firm can easily become a target for ransomware,” he says. Behar recommends that fund managers spend just as much effort educating employees on the warning signs of a potential hacker as they do on testing cybersecurity effectiveness.
“The simplest mistakes can be the most costly ones,” says Ng. With more employees working remotely and using cell phones, iPhones and iPads to conduct transactions, fund managers need to pay even closer attention to explaining the dos and don’ts of preventing data breaches. Knowing who has access to critical data, particularly when it involves investor information, should be part of a risk-based cybersecurity program designed around need-to-know protective barriers.
Directors, chief compliance officers and IT specialists at fund management firms that fall within the orbit of ratings agencies could well find themselves subject to more inquiries about their cybersecurity programs. Hopefully, they will be prepared to justify the decisions they have made. Cyberrisk is the new and increasingly important factor that could dramatically change fund values.