Asset managers have been urged to bolster the security around their trading systems to prevent cybercrime, a whitepaper by Sumi Trust warns, although human behaviour is still the biggest cause of data breaches.
Fund firms should ensure no digital path connects trading systems to email systems and internet access, the whitepaper, Cybersecurity: what fund managers need to know, warns.
Trading algorithms used by high frequency trading firms were named in the paper as data in need of the highest level of protection. It said algorithms were not just at risk of theft, but also unauthorised changes to trading limits and denial of service attacks.
The whitepaper said data “of an existential kind”, like trading algorithms, should never be stored in the cloud, and the same was true for investment portfolio details and the names and addresses of investors.
However, disgruntled or careless employees are estimated to be responsible for more than half of data breaches.
Staff might can create vulnerabilities by storing data in cloud services, such as Dropbox or OneDrive, using memory sticks between computers, opening email attachments from unknown sources, accessing insecure websites, using work laptops in wireless hotspots, sending company data to a private email address or downloading it to a private device, and downloading insecure applications and data on their work phones.
Employees may also allow cybercriminals impersonating workers, such as pizza delivery staff or software engineers, access to business premises where they can access networks and server rooms, or steal work laptops or phones. The paper said it is “not uncommon” for cyber-attackers to approach employees through social networking sites to garner information.
A global survey of asset managers, released by Linedata last month, found 36 per cent think cybercrime will be the most significant disruptor to business over the next five years, higher than any other risk.
Last year three men were charged in the biggest cyber attack on financial services in US history in an operation that targeted 12 firms, including JP Morgan and Fidelity.
In November, the Bank of England conducted a simulated hack on financial firms to test whether banks can withstand sustained attacks in a bid to breach security.
As well as hacking, cyber security threats can include corporate and state-sponsored espionage, data theft followed by ransom demands, data corruption, denial of service attacks, identity theft and impersonation.
However, the whitepaper added that data security should not be based on an entirely technological solution and that security is compromised less by technological shortcomings than by human behaviour.
It is important not to treat cyber-security as a one-off exercise, the paper warned, stating: “Managers need to develop a culture of security that is at least as powerful as their culture of compliance.”
It recommended appointing a single person responsible for oversight and management of cyber security, and to regularly assess risks and controls.