Cybersecurity’s Climb Up the Corporate Ladder

The cybersecurity research and publishing firm, Cybersecurity Ventures, recently published staggering numbers with respect to the increasing worldwide costs of cybercrime:

• In 2015, cybersecurity cost the global economy $3 trillion per year.
• By 2021, the damage caused by cybercrime will double to $6 trillion per year.
• From 2017 to 2021 global businesses will spend $1 trillion on cybersecurity products and services.

Why is all this money being spent? Cybersecurity threats are relentless, and the cost of a data breach can be crippling. Potential loss of customer data and corporate secrets, lawsuits, and regulatory scrutiny are all reasons CEO’s want to know how their firms are mitigating vulnerabilities and managing risk. These same issues should be of concern both to asset management entities as well as asset owners who deploy their capital to those managers.

Equifax Data Breach Fallout

Over the past year, Equifax’s handling of their data breach is a prime example of some of the potential consequences of a cybersecurity breakdown.

In 2017, Equifax suffered one of the largest breaches of personal information in history. Close to 150 million names and 145.5 million Social Security numbers were accessed by hackers due to a known software vulnerability that was left unpatched for months. Equifax’s CEO, Richard Smith was forced to step down in September 2017.

Even more astounding is the fact that the firm’s former chief information officer, as well as a more junior software engineer, were recently charged by the Securities and Exchange Commission with insider trading based on their knowledge of the impact of the breach before information became public.

With such a high-profile failure in its security management, it should come as no surprise Equifax has garnered the attention of federal regulators. In June 2018, the credit reporting agency agreed to take a set of corrective actions negotiated by the United States Department of Financial Services. Eight state banking regulators, including New York, California, and Texas joined on the consent order.

The company now has three months to implement six major actions to bolster their cybersecurity posture and prevent another data breach. They include:

• Board members must review and approve a written cyber risk assessment plan.
• Improved oversight of its information security program, which will include a written policy, followed by an annual report on the program’s performance.
• Board must review security policies and keep them up to date and applicable to current threats.
• An audit committee of the Equifax board will be tasked with evaluating IT controls.
• Equifax must extend these measures to third-parties, improving all vendor oversight to safeguard consumer information.

All of the above actually sounds like pretty basic stuff – for investors, though, can we be sure that our asset managers, vendors of asset management products which are then added to our portfolios, have met these baseline standards?

How Can Data Breaches Be Prevented?

The following three fundamental steps should bolster any firm’s cybersecurity posture, and help ensure an asset management firm can keep themselves from becoming a headline:

Employee Security Awareness Training

• As we have written, it’s established that employees are often the weakest link in an organization’s security posture – it’s essentialto institute a rigorous security awareness program to prevent their exploitation for criminal gain.

Patch Management

• The importance of a thorough patching and update regiment cannot be overemphasized. In the current threat landscape, software vendors are constantly publishing updates and security patches. Neglecting to ensure that business critical systems are running the most current version of software and firmware is a completely avoidable gap in security posture.

Third Party Awareness

• Some asset management firms, while diligent in their own controls, can neglect their responsibilities to understand the safeguards suppliers and other partners have in place to protect their data. When negotiating with third parties, it is crucial to establish the right to audit a vendor’s cybersecurity practices and discuss corrective measures and compensation should your data be exposed. These are difficult discussions to have, but necessary to protect an organization from unwanted exposure to outside vulnerabilities and risks.

Any effective control environment requires a matrix of regulations, with a focus on preventative protections. Cyber threats can include criminal groups, nation-states, or independent operatives, with motives ranging from material gain, to sabotage, or simple mischief. The necessity of cyber protections to the control matrix cannot be overstated and should be top of mind when institutional investors consider allocations to new and existing asset managers.