In 2017, the SEC Division of Enforcement created its first new unit in eight years: the Cyber Unit. This team – about 40-strong, according to SEC watchers – deals with all cyber issues, including cybersecurity, computer-based market abuse and cryptocurrencies: the medium for most cyber criminals trying to extort money from corporate victims.
The unit is headed by Robert Cohen, a highly respected SEC official, and staffed by “the cream of the crop”, according to Sam Waldon, litigation partner at US law firm Proskauer in Washington, DC, and former assistant chief counsel in the SEC’s enforcement division. Within enforcement, he describes the broader topic of cybersecurity as the SEC’s top equal priority for the current chairman, Jay Clayton, along with retail. As a result, in the SEC’s rolling system of investigations of investment advisors, “cyber has become a big part of the examination”.
The ramping up of the importance of cybersecurity dates to 2014, when the SEC issued a cybersecurity risk alert. This, and other guidance documents since then, make clear that financial services firms must have a formal cybersecurity programme with someone responsible for evaluating what the firm is doing to prevent cybersecurity incidents.
“[The FCA] is beginning to send the market the message, ‘We are taking cyber very seriously …If we do not think you’re taking adequate preparation in relation to your customers, we too will fine you'”
This is not to downgrade the importance placed on cybersecurity among financial regulators in Europe, since the EU’s General Data Protection Regulation came into force in May 2018. Under these rules, a company that suffers a serious breach of data must tell the regulator and any individuals involved within 72 hours or risk a maximum fine of €20 million or 4 percent of global turnover – whichever is greater. It must also disclose the data taken, how sensitive it is and the volumes involved.
Prompted in part by GDPR, financial regulators have begun to show much greater interest in cybersecurity. In the UK, lawyers note the joint enthusiasm of three parties – the Information Commissioner’s Office, the Bank of England’s Prudential Regulation Authority and the Financial Conduct Authority – in stressing the dangers of cyber-crime.
“The FCA has really ramped up its consideration of cyber,” says David McIlwaine, partner at London-based law firm Pinsent Masons and specialist in ICT and outsourcing. “It’s beginning to send the market the message, ‘We are taking cyber very seriously; we don’t just leave it as the preserve of the ICO. If we do not think you’re taking adequate preparation in relation to your customers, we too will fine you.’”
The FCA also makes clear its view that many firms are not doing a good job in this field. In a review of asset managers’ and wholesale banks’ cybersecurity practices published in December 2018, it found that most boards did not understand cyber-risks well, and that many risk and compliance departments had limited expertise.
Optimistic fund managers might note there have been few high-profile public examples among their peers of successful hacking: many had information on their clients disclosed in the Panama Papers incident of 2016, but the leak came from Mossack Fonseca, a now extinct local law firm.
However, beyond the public gaze, lawyers on both sides of the Atlantic say they are familiar with successful hacks at fund manager clients. Few of these hacks have relied on state-of-the-art techniques, it is generally much more basic than that.
“Usually the breaches I’ve seen have not been real technical hacks in the way I imagined hacks happening, where someone was an expert at writing computer codes. Instead they’ve been cases of human failure,” says Waldon, who reports seeing several such instances since leaving the SEC for private practice last year.
He cites cases where someone takes an email address purporting to be that of someone at a client company, but which is in reality slightly different: such as two “v”s instead of a “w”. The email requests the fund manager change the wiring details for money from the usual account to another one at a different bank, from where the money is siphoned off. This is a form of “phishing” that involves hoodwinking a person rather than an IT system.
“Usually the breaches I’ve seen have not been real technical hacks in the way I imagined hacks happening, where someone was an expert at writing computer codes. Instead they’ve been cases of human failure”
Waldon’s experience underscores the importance of maintaining what experts call “basic cyber hygiene”: training staff in good practice and ensuring IT hardware and software are kept up-to-date.
James Rounds, associate partner and cybersecurity expert at EY, the professional services firm, in London, says that for the small and mid-sized businesses that account for most fund managers, basic cyber-hygiene provides “the greatest cost-benefit ratio”. This, plus one more practice: spending money on software that automates labour-intensive tasks, such as monitoring security event logs. In other words, smaller fund managers, which make up of the bulk of managers within private debt, need not despair: there is much they can do, even with slender resources.
But training in cyber-hygiene must vary depending on the person, say experts, because canny scammers will tailor cyberattacks to the person being scammed.
Valerie Abend, managing director of the financial services security practice for North America at Accenture in Arlington, Virginia, gives an example: a scammer might send a fake CV from a fake female applicant to a female HR manager. An emotionally engaging email says, as Abend imagines it: “My friend told me that your organisation really cares about diversity and inclusion” – a sensitive topic in fund management, where most of the fund managers are men. “I’m a woman seeking to make a change in my career. I would love it if someone could take a look at it.”
Embedded in the resume is malware, and the fund manager is breached.