A recent flurry of cyber attacks on asset managers should remind asset management firms and other financial institutions that they are attractive targets for cyber-exploitation and need to remain vigilant and institute appropriate preventative controls and monitoring procedures, as well as post-attack action plans.[1]

Many companies still see cyber attacks as one-off, anomalous events. But as recent events have shown, few are immune from illicit cyber-penetration and the frequency of these attacks continues to increase.

A recent spate of business email compromise schemes has involved fraudulent email messages sent to fund executives and officers.[2] The emails notify the recipients that they have an encrypted message, which they can access by clicking a link. Clicking the link causes malicious software to download onto the user’s computer, where it gains access to the user’s account and perhaps further penetrates the institution’s systems. While these and similar cyber schemes may sound like transparently suspicious and easy-to-detect attempts at blunt force penetration, their cost to businesses can be substantial, with some estimates exceeding $50 billion a year.[3] And considering the sheer volume of emails that asset management and other financial firms send and receive as a necessary part of conducting day-to-day business, even the most transparent cyber attacks are likely to succeed every once in a while.

Moreover, not all of the attacks are blunt force and transparent. Cybercriminals are employing increasingly sophisticated schemes and technologies. The Wall Street Journal recently reported on a cyber-fraud involving the use of artificial intelligence voice-impersonation software, which the perpetrators used to impersonate the voice of a company’s CEO and call its subsidiary to arrange for a $243,000 wire transfer.[4] Given that phone verification is a common recommendation in the event of a suspicious-looking email, the prospect of sophisticated voice impersonation emphasizes the need for more tailored procedures and controls.

Regulators recognize that financial firms are uniquely at risk, and have made cybersecurity a top priority, calling for companies to institute both prophylactic and remedial measures to deal with cyber attacks.[5] For example, the SEC Enforcement Division’s Cyber Unit (formed in 2017) is tasked with investigating cybersecurity at regulated entities, as well as issuer disclosures of cybersecurity incidents and risks.[6] And the SEC’s Office of Compliance Inspections and Examinations (OCIE) continues to include cybersecurity among its Examination Priorities.[7]

This emphasis has been accompanied by an uptick in investigations and enforcement actions. In September, the CFTC reached a $1.5 million resolution (encompassing fines and restitution) with a futures commission merchant for failing to prevent, and then disclose, a successful phishing attack that resulted in a fraudulent $1 million withdrawal of customer funds.[8] The CFTC specifically alleged that the firm failed to comply with Regulations 166.3 and 1.55(i), which, under the CFTC’s interpretation, required mechanisms for the detection and deterrence of cybersecurity breaches and imposed an obligation (at least in certain circumstances) to disclose cybersecurity breaches.[9] Last September, the SEC settled an enforcement action against Voya Financial Advisors Inc. with a $1 million fine for Voya’s alleged failure to protect confidential consumer information and prevent identity theft in connection with a 2016 cyber-intrusion. And last October, the SEC published a report on its investigation into public issuers that were victims of cyber-frauds resulting in losses of nearly $100 million, and whether the issuers were liable for failing to have sufficient internal accounting controls that could have prevented the losses.[10] The SEC ultimately decided not to pursue enforcement actions against those issuers, but its report sent a clear message that the SEC will not treat financial firms as mere blameless victims of cybercrimes if they have not instituted robust preventative, monitoring, remedial, and disclosure mechanisms.[11]

What should asset management firms and other entities that have access to significant funds do? The answers are both simple and complex.

  • No matter how robust your company’s preventative access controls, monitoring procedures, and technical protections, some cyber attacks are bound to penetrate (even if they do not end up appropriating data or funds). But these controls are still an essential first line of defense for preventing and mitigating the vast majority of cyber attacks. And importantly, regulators expect to see them in place and continually updated.
  • Companies also need to institute an action plan in the form of clear, thought-through policies and procedures to respond to cyber-penetrations if and when they occur. This should become part of a firm’s general crisis management plans. Firms should contemplate lining up technical experts, executives, and counsel who can engage the necessary mitigation and disclosure procedures at an early stage. The right policies and procedures will not only ensure legal compliance, but perhaps even increase the chances of tracking down the location of the stolen funds and data and the perpetrators who took them.