The Real Cost of Lacking Cybersecurity: Missing Out on Retail Investors
A lack of security technology threatens innovation and impedes retail investment.
The private markets are seeing an influx of interest from retail investors, but a lack of security technology and practices is threatening innovation, which could hinder private market transformation, warns Alin Bui, CSO & co-founder of Anduin.
While private funds are thrilled by growing interest in alternative investments from retail investors, they are not quite ready to welcome these new entrants. Why? Because cybersecurity is lacking in the private market sector, and in financial services, that poses a serious business risk.
Case in point: financial services firms are 300 times more likely than other industries to be targeted for cyberattacks, according to Boston Consulting Group research. Despite this, thousands of private funds continue to handle their security via paper and manual methods, creating weak points that bad actors can exploit.
Cyberattacks come in various shapes and forms. For example, attackers commonly employ social engineering tactics, which play a role in over 80% of cyberattacks. The more human touchpoints in workflows, the more exposed the organization is. Private equity firms are prime targets for social engineering ploys because they rely heavily on staff to perform paperwork and frequent document handoffs. This vulnerability becomes even more pronounced at larger firms with a bigger headcount.
Beyond the human element, private market firms often depend on manual verification, or on automated workflows running on legacy software, to skate by, and in doing so put themselves at risk. The industry is hit with thousands of attacks daily, and outdated software simply does not meet current security standards.
Assessing Risk: The Impact of Being Breached
Security failures can have dire consequences for private market firms, including:
- Loss of sensitive business data: When this happens, little can be done apart from damage control and remediation. Financial institutions incur high costs from data breaches—an average of $5.12 million per breach—and lose credibility in the marketplace.
- Loss of actual money: Private market firms exchange large amounts of money with sizable groups of people, often revealing wiring instructions in email messages. In 2020, a hacker group penetrated email systems at three British PE firms via phishing and misdirected wire transfers to steal $1.3 million.
- Compliance failures and fines: The SEC is scrutinizing the fulfillment of fiduciary duties with respect to cybersecurity by both RIAs (registered investment advisors) and investment companies. In 2021, the SEC proposed new rules for private market firms to assess and monitor risks, report incidents, and maintain tight recordkeeping. The industry is on notice: it’s only a matter of time before cybersecurity compliance becomes a vital requirement.
Attack Methods & Targets
Hackers may approach delicately from different directions, but they nearly always target specific assets and activities:
- Movement of money in or out: Capital calls and distributions are relatively easy entry points for bad actors. Money movement via wire transfer currently requires the sender to get on the phone and conduct cumbersome callbacks to verify the destination account details. When the number of investors balloons from hundreds to thousands, person-to-person phone calls to check on wires will be unviable. Automation is imperative here.
- Internal (employee) access to sensitive and confidential data: Key investor data today tends to be locked inside unencrypted subscription PDFs. The industry-wide practice of communicating sensitive information via unsecured PDFs becomes even more problematic at scale. Firms will benefit greatly from the move to digital onboarding of investors and data flow into cloud-protected systems. But the potential threat arising from internal access means permissions must be allocated thoughtfully, along with strict measures to block any unnecessary data extraction.
What Private Funds Need to Do about Cybersecurity Now
Security strategies fall into two buckets: prevention and detection. Prevention attempts to limit the number of breaches and overall risk, while detection allows you to mitigate the severity of successful attacks. Reputation is everything in the private markets, so prevention and fast mitigation of any breach are paramount. Here are a few things to start thinking about as you strengthen your security posture.
- Train employees on security: Your people are the front line to combat social engineering ploys. Every employee will suffer a momentary lapse of vigilance at some point. Even with training and education, business employees still click on 2.9% of phishing emails, according to Verizon. Help employees build a security mindset and prepare for the worst, with warnings and clear examples of social hacking, then empower them with clear communication channels to quickly report any incidents or suspicious activity.
- Tighten access: Structured privilege lists are key to data security, strengthening both protection and detection of abnormal activity. Leadership must build a clear, comprehensive picture of who should have access to specific assets and data. Follow the Principle of Least Privilege (PoLP) to reduce risk; limit users’ access to only what is truly needed.
- Ensure good data architecture: Complement your privilege controls with compartmentalization to limit the scope of damage from a successful attack. This can be done by placing protective bulkheads throughout your data architecture. A security team can target remediation more precisely, quickly circumscribing the impacted data to quarantine the breach. Good architecture design helps keep your ship afloat after a breach.
- Issue hardware tokens: These physical keys can effectively limit sensitive data access when issued to the appropriate employees. Without physical possession of the right token, hackers cannot trick their way into a system.
- Achieve and maintain compliance: As retail investors’ interest in alternatives grows, the SEC will want to keep the broader public safe. When funds deploy more automation, they need to have software security and privacy standards in mind. Compliance will inevitably be mandated, requiring adherence to standards such as SOC 2 Type II and ISO 27001, as well as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). Your security posture will also depend to a degree on your chosen vendors.
- Verify vendor security: In an interlinked world, vendors can be the unlocked door that attackers use to get at you. Integration points with a vendor are potential attack conduits into your sensitive data. Check their compliance and review their security. Choose vendors with integration experience who know security pitfalls and requirements and meet security certification standards. Then maintain a clear picture of interconnections between their systems and yours.
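The "Tighten access" and "Ensure good data architecture" points above describe least-privilege grants, compartmentalized data, and detection of abnormal activity. The following is an added illustration written for this page, not code from the article or from Anduin: a default-deny access check where every grant is scoped to one compartment (one fund's data store), plus a monitor that raises an alert on repeated denials or on a read volume large enough to look like bulk extraction. The role names, user names, thresholds and the activity sequence are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str]  # (compartment, action)

# Hypothetical role table (constructed). Each grant names a single
# compartment, so a compromised account is bounded to one bulkhead.
# Nothing is granted implicitly: the default answer is deny.
ROLE_GRANTS: Dict[str, Set[Grant]] = {
    "ir_analyst_fund_a": {("fund_a", "read")},
    "ops_fund_a": {("fund_a", "read"), ("fund_a", "write")},
    "auditor": {("fund_a", "read"), ("fund_b", "read")},
}

# Hypothetical user-to-role assignments (constructed sample data).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ir_analyst_fund_a"},
    "bob": {"ops_fund_a"},
    "carol": {"auditor"},
}


def is_allowed(user: str, compartment: str, action: str) -> bool:
    """Least privilege: allow only when some role explicitly grants this
    (compartment, action) pair. Unknown users and unlisted pairs are denied."""
    for role in USER_ROLES.get(user, set()):
        if (compartment, action) in ROLE_GRANTS.get(role, set()):
            return True
    return False


@dataclass
class AccessMonitor:
    """Counts denials and records read per user so that abnormal activity
    (probing for access, oversized exports) is surfaced to the security team."""
    denial_threshold: int = 3
    extraction_threshold: int = 100
    denials: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    records_read: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    alerts: List[str] = field(default_factory=list)

    def check(self, user: str, compartment: str, action: str, records: int = 1) -> bool:
        """Authorize the request and update the anomaly counters."""
        allowed = is_allowed(user, compartment, action)
        if not allowed:
            self.denials[user] += 1
            if self.denials[user] == self.denial_threshold:
                self.alerts.append(f"{user}: repeated denied access attempts")
        elif action == "read":
            before = self.records_read[user]
            self.records_read[user] += records
            # Alert once, when the cumulative read count crosses the threshold.
            if before < self.extraction_threshold <= self.records_read[user]:
                self.alerts.append(f"{user}: bulk extraction from {compartment}")
        return allowed


def run_scenario() -> List[str]:
    """Constructed activity sequence: routine work, an analyst account probing
    compartments it was never granted, and one oversized export."""
    mon = AccessMonitor()
    mon.check("alice", "fund_a", "read")               # routine, allowed
    mon.check("bob", "fund_a", "write")                # routine, allowed
    mon.check("alice", "fund_b", "read")               # denied: other compartment
    mon.check("alice", "fund_a", "write")              # denied: read-only role
    mon.check("mallory", "fund_a", "read")             # denied: unknown user
    mon.check("alice", "fund_b", "write")              # denied: third strike, alert
    mon.check("carol", "fund_a", "read", records=250)  # allowed, but bulk, alert
    return mon.alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

The two alerts the scenario produces are the detection side of the point made above: the access table prevents the analyst account from reaching the second fund's data, and the monitor turns the repeated denials and the oversized export into events a security team can act on while the affected compartment is quarantined.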
Emerging Security Solutions for Private Markets
In the coming decade, private market investments will become a staple in many more personal portfolios. An industry-wide security framework would help bridge protocols and reduce vulnerable points in transfers between investment firms and regulators. Security standardization will let automated solutions pipe data across preset corridors with less risk of interception or corruption.
Automation platforms will also help by replacing the gamut of outdated processes, from subscription documents to capital calls and wire transfer identity verification.
By nature, private funds are focused on the future – and the future includes retail investors. Proving they are secure will only attract more investors. The funds that rise to the cybersecurity challenge now will also be able to scale and onboard new investor classes, becoming even bigger, more automated, highly competitive, and better protected.