The Harvard Law School Forum notes that asset managers and the financial services industry are facing higher cybersecurity risk. These firms are a particularly attractive target for cyber-exploitation, which has resulted in a recent flurry of attacks. As a result, they need to remain vigilant and should implement preventive controls, procedures and an action plan for the event that they experience a cyberattack.
The industry has experienced a wave of schemes related to compromised business emails. These schemes are often predicated on a fraudulent email that is sent to fund executives and officers. The email content generally notes that the recipient needs to click a link to read an encrypted message. This link downloads malware onto the recipient’s device, giving the attacker access to the user’s account and possibly a path further into the company’s systems. Although this email scheme may seem easy to spot, it has proven successful for hackers, as many managers are busy dealing with a large volume of emails daily.
Cybercriminals are also employing more sophisticated attacks against asset managers. The newest cyber fraud involves “artificial intelligence voice-impersonation software.” In this scheme, the attacker may use AI software to impersonate the voice of the CEO, requesting that funds be sent via a wire transfer. This type of scheme “emphasizes the need for more tailored procedures and controls.”
Cyber threats continue to escalate in severity and sophistication. With these factors paired with an increasingly regulated environment, organizations must adapt and implement practices not only to protect the organization and the assets for which they are responsible but also to put themselves in a defensible position.
Asset management firms (and companies that have access to significant funds) should consider doing the following:
- Develop a robust defense to cybersecurity risk. This needs to be a multifaceted effort, utilizing multiple tools to develop a well-rounded approach. Tools that should be considered include technical solutions, contractual protection, risk management implementation (pre- and post-incident), and risk transfer.
- Ensure that proper controls are in place and are continually adapted to the changing cyber environment. This will not only help to ensure legal compliance but may also increase the chances of tracking down the location of stolen funds as well as the perpetrator.