Magazine issues » December 2017

SPONSORED FEATURE: Cyber crime - the next systemic risk

Margaret_Harwood-JonesThe best way for financial organisations to protect themselves against cyber crime is to employ diverse, well-trained teams, says Margaret Harwood-Jones, global head of securities services, Standard Chartered. For the second time in a little under two months, an audacious hack of major institutions spanning vast geographies was executed by cyber criminals. Companies operating in around 64 markets were breached as a result of malware, causing enormous cost and delays to their operations. Recent attacks have been indiscriminate, sophisticated and diverse. A timely Standard Chartered white paper, ‘Strengthening responses to cyber crime in Financial Services’, cited figures from Cybersecurity Ventures, which said global annual cyber crime costs would increase from $3 trillion in 2015 to around $6 trillion by 2021. Financial institutions look after trillions of dollars in retail and institutional assets, making them ideal targets for cyber criminals. In such a heightened risk environment, cyber security measures must be effective, and implemented rigorously. One of the biggest cyber breaches in history occurred in February 2016, when $81 million was stolen from the Bangladesh Central Bank by cyber criminals, who successfully obtained unauthorised access to SWIFT and set up fraudulent bank accounts to which funds stolen from the Central Bank were wired. These attacks are not confined to lone hackers, but extend to highly sophisticated criminals, such as quasi-corporate enterprises who have acquired the technical knowledge and tools inexpensively on the dark net. Be alert
The securities services industry needs to be on top of cyber security, otherwise it could face severe consequences, and it is something the delegates at the inaugural Network Forum Annual Meeting in Warsaw were under no illusions about. The Standard Chartered white paper highlighted core risks such as the theft of assets, misappropriation of customer data, data corruption or manipulation, disruption to clearing and settlement, or a DDoS attack on corporate actions that could cause significant delays to transactions. Depositaries are held liable by the Undertakings for Collective Investment in Transferable Securities V (Ucits V) and the Alternative Investment Fund Managers Directive (AIFMD) for assets that go missing in custody, so the cyber security risks associated with asset safety must be prioritised by providers of custody. The consequences of failing to implement a robust cyber security regime are major, and often lead to monumental losses. For example, a bank could face huge claims from clients in the aftermath of a significant hack or cyber security incident, and it would be practically a mission impossible for organisations to prevent the misuse of leaked information. Recovering stolen files would be an unenviable problem, and it would involve equally massive reputational risk. Even if a firm recovered from the breach and the associated PR fallout, regulators would scrutinise what went wrong, and this could precipitate civil or criminal proceedings. With the stakes being so high, an organisation’s cyber protection framework has to be excellent. The securities services industry faces several issues which may make it harder to adequately confront cyber risks. The most obvious is that much of the industry still uses legacy technology, which is infused with structural flaws that may prove vulnerable to hackers. But it is not simply ageing infrastructure which is susceptible to attacks. Technologies such as blockchain or artificial intelligence (AI) are still in the trial stages of their development. The paradox is that while these technologies could be used to mitigate cyber risks, overly hasty adoption of such disruptors could render such organisations more vulnerable to cyber risks, particularly if they do not fully understand the technology itself. In the selection of a new service provider or in their due diligence assessment of their current provider, network managers undertake careful scrutiny of that provider’s risk culture and framework. The lack of a proper cyber security framework, inadequate investment in a robust cyber security infrastructure or firm-wide complacency will not be looked upon kindly. Indeed, cyber health checks are now a constant in network managers’ sub-custodian due diligence questionnaires (DDQs). The Association for Financial Markets in Europe’s DDQ contains an excellent section on cyber security, where it asks about company policy, governance, business continuity, testing, past incidents and track record on prevention. It is crucial banks are up to speed with this. A failure to demonstrate a strong risk culture and up-to-date, frequently tested protection will likely mean any supplier will struggle to win clients. Evolving workforce
Effective cyber security infrastructure is only part of the solution. Humans are ultimately the first and last line of defence against cyber crime. Financial institutions – and not just securities services – need to rethink how they engage with staff on cyber matters. Simply sending an email or circular to employees advising them against clicking on unsolicited or suspicious links is hardly sufficient. A deep-rooted cultural change needs to be executed in the short term. Standard Chartered’s white paper emphasised how important it is that C-level executives engage and communicate regularly with staff on cyber security issues to drive awareness and compliance, and embed the risk culture from the top down. This follows a paper by Accenture, ‘Think banking cybersecurity is just a technology issue? Think again’, which found two-thirds of banking executives did not believe their business unit and cyber security strategies were aligned with the leadership and across the organisation. If the C-level is taking the threat seriously, enterprise-wide training that is consistent and meaningful will usually follow. Staff may undergo simulated hacking exercises, for example. As the white paper articulated, such testing must not be ad hoc or reactive, but regular and documented, and made readily available for future reference. Hiring practices also need to be revised at banks. Cognitive diversity is an asset – indeed, it should be a requirement – in every field and every industry, whereby individuals with different skill sets, experiences and backgrounds provide their own unique insight towards solving a problem. The cyber world is no exception. However, this world remains un-diverse insofar as the individuals in such roles are overwhelmingly male. In Asia-Pacific, just 10% of cyber-roles are carried out by women, according to the 2017 Global Information Security Workforce Study. This urgently needs to change. The absence of gender diversity in cyber roles is a problem as it makes it harder to recruit talented, younger or millennial women to those roles. Cognitive diversity will enable cyber security experts to engage better with board directors and senior managers, and this will ultimately help organisations deal with new challenges holistically. It is imperative that further work be done to encourage women to contemplate working in the burgeoning cyber security industry, a point made in the Standard Chartered paper. Addressing the problem
Securities services is changing, but so are the threats and risks. Cyber crime is a continuously evolving challenge, to the extent that regulators are reluctant to impose prescriptive legislation for fear that it will be out of date by the time it is formally introduced. Adhering to industry-wide standards such as the ISO 27000, NIST or CPMI-IOSCO provisions is a positive starting point, as is building excellent cyber security protections and regularly testing them. The human factor, though oft-overlooked, remains key. Financial institutions would do well to make concerted efforts to address this, and a good way to start is by expanding the cyber talent pool with a view to achieving cognitive diversity. ©2017 funds global asia

Industry comments

Investing in tomorrow’s world

investmentAt times like these, HSBC Asset Management easily pivots towards emerging markets.

The spotlight on growth markets and the need to be nimble and dynamic is ever-sharper, given the difficulty in predicting monetary policy in the world’s major nations.

Sponsored feature: Navigating the complexities of FX execution and currency risk

A comprehensive, cost-effective, and transparent currency overlay hedging solution is crucial to mitigate FX exposure risks in the complex landscapes of Japan and China's FX markets, explains Hans Jacob Feder, PhD, global head of FX services at MUFG Investor Services.

Opinion

Transitioning to an era of scarcity

The world is transitioning from an era of commodity abundance to one of undersupply. Ben Ross and Tyler Rosenlicht of Cohen & Steers believe this shift may result in significant returns for commodities and resource producers over the next decade.

Asia credit: An outsized winner in the region’s energy transition?

Ross Dilkes, fixed income portfolio manager at Wellington Management, examines the opportunities and risks for bond investors presented by the region’s decarbonisation agenda.

A quiet revolution in Japan’s corporate governance

revolution, Japan, corporate governance, Shareholders, corporate, governance, standards, improvement, Tetsuro Takase, SuMi TrustShareholders in Japan no longer accept below-par corporate governance standards. Changes are taking place, but there are still areas for improvement, says Tetsuro Takase at SuMi Trust.

Why rising demand for healthcare is creating investment opportunities in China

rising demand, healthcare, investment, opportunities, China, Robert St Clair, Investment Strategy, Fullerton Fund ManagementRobert St Clair, head of investment strategy at Fullerton Fund Management, explores the reasons investors should be paying attention to the rising demand for healthcare in China.

Executive Interviews

Executive interview: PGIM CEO on where the ESG flowers should bloom

Sep 27, 2021

David Hunt, president and chief executive of PGIM, tells Romil Patel about leading a top 10 global asset manager in times where “empowering and encouraging the kind of investment decisions as...

Executive interview: Nicolas Moreau’s orderly transition

Jul 12, 2021

Nicolas Moreau, CEO of HSBC Asset Management, is moving to Asia as the firm looks to connect more directly with the region’s growth story. ESG is also a key focus – including the ‘just’ carbon...

Roundtables

India: An “obvious choice for global investors”

Jun 22, 2023

Funds Europe, the sister publication of Funds Global Asia, hosted an India investment discussion with two seasoned experts and asked if India is the ‘last one standing’ from the Brics phenomenon. We also hear that for India, the inclusion of Indian bonds in a major index may not be the desired...

Roundtable: Singapore comes of age as an Asian ESG hub

Dec 01, 2021

Strong ESG credentials strengthen the case for Singapore as a leader in Asia of the post-Covid recovery. Our panel discusses the risks and opportunities.