When you entrust your money to a fund supermarket, wealth manager or another financial services firm, you hope for healthy returns and minimal investment disasters. But behind the scenes, the companies that handle your money are fighting to keep your assets and data safe from targeted hacks.
“It’s one of the things that keeps our members awake at night,” says Liz Field, chief executive of the Wealth Management Association.
As long as the internet has existed, companies have been subject to a barrage of hack attempts, many of them indiscriminate: simple malware, sometimes contained in “phishing” emails, seeks openings wherever it can.
But the UK has undergone a rapid rise in targeted attacks, in which criminals try — with a high degree of human involvement — to access specific information or assets. This can range from customer details that will be sold on to enable fraud, to trading information for use on the markets, or material that could embarrass companies if published in a Sony-style hack.
A focus of attack
Some 81 per cent of large organisations and 60 per cent of small businesses found their digital defences had been breached in the past year, according to UK government data released in 2014. Financial companies are at the sharp end, not just because of the money they manage but because of the sensitive personal data they hold. The risks have grown as services that initially lagged behind the digital revolution, such as accounts held by fund and pension customers, move fully online.
“The information that the firms we represent have is the information that is of greatest interest to cyber criminals because it’s where the money is. They are a focus of attack,” says John Barrass, deputy chief executive of the WMA.
Retail banks are among the most high-profile targets of hackers, and face constant assaults, but specialist firms handling investments can also be tempting to the discerning criminal, says Michael Soppitt, a director at Parker Fitzgerald, a financial services management consultancy.
“The average value of an account at an investment management firm is significantly higher than at a retail bank, and high-value customers’ information is more saleable,” he says.
His company is aware of 13 major breaches at fund management companies over the past year. And he says that hackers have also become more adept at finding weak spots in the many types of companies — technology platforms, advisers, custodian banks — involved in the financial products supply chain.
Data breaches reported to the Information Commissioner by financial advisers, wealth managers and asset managers more than doubled to 31 in the year to the end of June 2014, from 14 a year earlier, according to figures gathered by RPC, a law firm which advises victims of breaches. But Alex Hamer, a partner at RPC, acknowledges that these numbers probably represent a fraction of the real total.
“At the moment there is no compulsory notification regime, so whether a breach is notified will be a commercial decision for the institution concerned,” says Mr Hamer.
Ernest Hilbert, head of cyber investigations for Europe, the Middle East and Africa at the security firm Kroll, is more blunt. “They are woefully underreported,” he says. “The real numbers are probably in the thousands.”
Similar questions hang over whether companies are informing customers whose data has been compromised — partly because they may not even have detected the breach, especially if a genuine login is being used.
“Most companies today don’t have either the capability to discover a targeted attack or the well-tested response plans to recover from it,” says Greg Day, chief technology officer for Europe, the Middle East and Africa at the leading cyber security company FireEye.
Even when an attack is detected, “it can be hard to identify exactly what the impact of a breach has been”, says Jonathan Burdett, a director in IT risk and cyber security at PwC.
Criminal supply chain
While the public image of a hacker was once that of a lone nerd or idealist — in Mr Soppitt’s words, “a geek in their garage” — companies are now up against organised criminal gangs who trade in various markets for illicit information. Criminals may breach a company’s defences and then sell access to others.
“There is a supply chain in the cyber crime world,” says Mr Burdett. “User IDs and passwords are sold on the ‘dark web’, allowing people to procure and trade identities. Those are then used to perpetrate identity fraud and theft, and the proceeds are used in other criminal activities further down the line.”
Virtually every targeted attack starts with hackers taking over an account belonging to either a customer or a member of staff, says Mr Hilbert. This can be done through a variety of means: malware hidden in a download, which then records a user’s keystrokes; “spear-phishing” emails, which target particular companies or people, using fake identities; spoofed web pages or WiFi hotspots used to harvest logins; or phone calls purporting to be from a bank or other company. In some cases, rogue employees have chosen to share or sell information.
Once inside the system, a hacker may seek routes into other linked companies — say, using a wealth manager to try to access a custodian bank — or they may simply sit inside the system, harvesting information for what can amount to years. A survey by Mandiant, which is owned by FireEye, last year found that breaches took an average of 229 days to be discovered.
In rarer cases, hackers may opt to steal money directly: Kroll has seen 50 cases worldwide of financial losses resulting from accounts being taken over, including at wealth management and fund management firms.
Since no company can be totally impervious to attack, rival groups are engaged in something of an “arms race” on digital security, says David Moffat, group executive at International Financial Data Services (IFDS), which provides administration and technology services to financial firms. “Everyone wants to be more difficult to burgle than the guy next door,” he says.
Accepting that some breaches will be inevitable, companies are also devoting more resources to disaster recovery, says Mr Day. Where once they might have spent 80 per cent of their budgets on prevention, now it is closer to 30 per cent, with the rest devoted to detecting attacks and mitigating their effects.
In the UK, because of the weaker reporting requirements, we seldom hear about individual hacking cases. In the US, where reporting requirements are much stronger, news reports of data breaches are frequent. This month, Morgan Stanley said that up to 10 per cent of its wealth management clients had their account information stolen by an employee who may have been trying to sell it.
New European regulations, set to take effect in 2017, will introduce much bigger penalties for failing to report data breaches, meaning the public will be much more likely to hear when they occur. It will also move the spotlight on to companies that fail to deal with their vulnerabilities, and those whose weak defences may in turn expose other firms.
“Companies are really going to have to hustle to get this done,” says Mr Hilbert.
Help is on its way
A series of initiatives is under way to improve digital security in UK financial services. The government launched its Cyber Security Information Partnership (CISP) in 2013 to boost information-sharing among companies. UK and US authorities are planning a mock cyber attack on commercial banks to test their robustness later this year. The Financial Conduct Authority, the City regulator, says it will start to examine companies’ technology and digital resilience, and expects them to address cyber security at board level. Industry groups are also setting up their own information-sharing initiatives, including one run by the WMA and another by IFDS.
The technological divide between companies is wide. Firms like BlackRock, the world’s largest asset manager which also runs the Aladdin trading platform, have large-scale cyber security operations and ringfence different pools of information to minimise risk. IFDS, whose technology underpins several UK fund shops, runs duplicate data centres and has hired the former chief information officer of the Bank of England, Simon Moorhead, to help keep its information secure. In addition to its digital firewalls, it also trains all its staff in data security. “People are a key part of our defences,” says Mr Moorhead.
“We’ve had much more interest recently from corporate clients wanting to make sure their entire supply chain is protected,” he adds.
At the other end of the spectrum, some smaller firms among the UK’s network of wealth managers and financial advisers are struggling to get their defences up to date, particularly as they have also been dealing with market changes brought in with the Retail Distribution Review (RDR). “There’s often a resourcing issue — some smaller organisations don’t have the large budgets for IT, compliance and training,” says Mr Hamer.
Overall, the industry remains in a vulnerable phase where awareness of cyber security is rising but day-to-day measures may still be deeply inadequate, according to Mr Day, Mr Hilbert and other experts.
“Many organisations have been caught unawares. Just a decade ago, stealing from an institution would have required a gun,” says Mr Soppitt.
“But we are seeing important ideas gaining traction. Companies are recognising that security is an ongoing process, not just a product that you buy. That’s an important shift in thinking.”
Don’t let the thieves in
The biggest risk to your data, say specialists, is you. “The most common type of attack that firms experience is where the end customer has accidentally lost or given away their login details,” says Mr Burdett, of PwC. Here are three easy steps to improve your digital safety:
Passwords. Weak passwords are a key vulnerability. Mr Hilbert, of Kroll, worked with a bank that had 17,000 customers all using the password “Arsenal1”.
He says it is vital that consumers use strong passwords — switching to Arsenal2 won’t cut it — while ensuring that passwords used for financial accounts are never used elsewhere. About 85 per cent of people currently use the same password for all their accounts, making them much more vulnerable. If you are offered two-step verification on accounts, says Mr Hilbert, always use it.
Software. “Practice good ‘digital hygiene’ on your own devices — make sure your firewalls are up to date and your browser security is sufficient,” says Mr Soppitt, of Parker Fitzgerald.
Awareness. Digital fraud was once largely about “phishing” emails containing malware. But as awareness of these grew, the fraudsters moved on; now it may be inside a more convincing social media link, or a hacking attempt may start with a phone call soliciting personal information.
Don’t be afraid to ask companies what measures they have in place to protect you as a customer, says Mr Soppitt.
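The password advice above (a word plus a digit is weak, and bumping Arsenal1 to Arsenal2 is no improvement) is the kind of rule a firm can enforce at the point where a customer sets or changes a password. The following is an added example written for this page, not code from any firm or expert quoted here. The blocklist of common words, the 12-character minimum and the 80 per cent similarity threshold are assumed policy values; a real deployment would load a full breached-password list instead.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a breached-password list (an assumption for this demo).
COMMON_WORDS = {"arsenal", "password", "liverpool", "chelsea", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy minimum
SIMILARITY_LIMIT = 0.8  # assumed threshold for "too close to the old password"

# A single dictionary-style word followed by a short run of digits, e.g. Arsenal1.
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{1,4}$")


def base_word(password):
    """Lower-case the password with trailing digits and symbols removed: 'Arsenal1' -> 'arsenal'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def is_trivial_variant(new, old):
    """True when the new password is the old one with only its trailing digits or
    symbols changed (Arsenal1 -> Arsenal2), or is otherwise very similar to it."""
    new_base = base_word(new)
    if new_base and new_base == base_word(old):
        return True
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= SIMILARITY_LIMIT


def check_password(new, previous=()):
    """Return the policy failures for a proposed password; an empty list means accepted.

    `previous` is the account's password history (plain text here only for the demo;
    a real system would compare against stored hashes or a stored base-word hash).
    """
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if WORD_PLUS_DIGITS.match(new):
        reasons.append("a single word followed by digits")
    if base_word(new) in COMMON_WORDS:
        reasons.append("based on a commonly used word")
    if any(is_trivial_variant(new, old) for old in previous):
        reasons.append("a trivial variant of a previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs mirroring the article's Arsenal1 / Arsenal2 story.
    for candidate, history in [
        ("Arsenal1", ()),
        ("Arsenal2", ("Arsenal1",)),
        ("Manchester2015", ()),
        ("Correct-Horse-Battery-Staple-42", ("Arsenal1",)),
    ]:
        verdict = check_password(candidate, history) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The word-plus-digits pattern is checked independently of the blocklist, so the rule also rejects "Manchester2015"-style passwords that are long enough and not on any list but still follow the predictable shape. The similarity check is what stops the Arsenal1-to-Arsenal2 change the article warns against; it needs access to the previous password or a derived value such as a hash of its base word, which is a design decision each firm has to make deliberately.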
Investing in cyber security
Global cyber security spending is set to reach $76.9bn (£50bn) in 2015, according to the research firm Gartner — 8.2 per cent above its estimated figure for 2014.
The fight against online crime, which is estimated to cost the global economy more than $400bn a year, has fuelled the rise of companies in fields like secure data storage, identity verification and threat intelligence, as well as the digitally focused divisions of insurers and defence companies.
Polar Capital’s Technology Trust has benefited from holdings in Palo Alto Networks, a broad-based US cyber security firm, while the Axa Framlington Global Technology vehicle holds US firm Radware — which specialises in application delivery and network security — among its top 10 holdings. Other major US cyber security firms include Symantec and FireEye, while younger companies in the field are a fast-growing target for venture capital.
Closer to home, UK-listed cyber security firms include NCC, which stores data and spots security flaws for companies, and Accumuli, which provides data analytics and information on threats. Companies such as Corero Network Security, which focuses on fighting distributed “denial of service” attacks, in which hackers overload servers and networks with requests, are among those occupying a specific niche within the industry.