Recent cyber attacks on the NHS and large businesses have provoked fears that criminals have online trading platforms and other financial institutions in their sights. Jeff Salway runs through the risks faced by investors, and suggests some practical ways of minimising them.
The threat posed by cyber crime was made clear once again in May when parts of the NHS were hit in an attack that also affected organisations across the globe. The ransomware attack was just the latest in a wave of assaults on computer systems that has underlined the threat from cyber criminals and the huge disruption they can cause.
Several banks and investment fund firms have been targeted by various forms of hacking. Retail investors have yet to be hit by an attack on the scale of the May assault; but with the UK government revealing in April that almost half of UK businesses discovered at least one cyber breach in 2016, it may only be a matter of time before a major investment firm suffers at the hands of cyber criminals.
It’s a worrying prospect that raises the question for investors of what would happen to their assets if their fund manager, broker or platform suffered a cyber attack. Cyber crime is considered the single biggest risk fund managers can expect to face over the next five years, according to a survey published in early 2016 by technology vendor Linedata. Yet it also found that cyber security was well down the list of firms’ technology spending priorities, behind improving legacy systems, installing compliance tools and enhancing reporting.
Christian Arndt, financial services cyber security director at PwC, says: ‘Common weaknesses include prolonged underinvestment and a lack of necessary skills in security teams. Cyber threats evolve quickly, so investments in cyber security technology can quickly become outdated.’
A spokesperson for the Investment Association, which represents UK asset managers, says it is ‘working closely with members to encourage good governance, and robust risk identification and security processes.’
Platforms and fund supermarkets are also vulnerable. Of the nine platforms quizzed in a survey by trade magazine Money Marketing and IT security firm NCC Group, six reported suffering some kind of security breach or fraud in the previous year. The study also found that few platforms had cyber security insurance, despite holding vast amounts of client data.
Robo-advice platforms, where investors complete online risk assessment tests and have portfolios designed and managed by algorithms, could also be at risk. The online investment manager Nutmeg has already suffered a data breach.
The challenge faced in mitigating the cyber threat is a formidable one. Cyber criminals often create sophisticated international operations that ‘are increasingly professional and industrialise their criminal activity’, according to the National Crime Agency (NCA). Cyber threats take various forms, and the tactics employed by cyber criminals can evolve rapidly, making detection and prevention difficult.
Ransomware, for example, encrypts a victim's files or locks them out of their systems and demands payment for the key to restore access; some variants also threaten to publish or destroy the data if the victim doesn't pay up. Distributed denial of service (DDoS) attacks, where a website is flooded with traffic from many sources to take the service offline, are widespread. Data breaches are suffered by ‘almost all large companies and most smaller companies’, according to the NCA. Financial services firms are a particular target.
Risks to investors
Concerns have been raised over the security of the trading systems used by fund firms, because of their links with emails and websites. In a white paper titled ‘Cybersecurity: what fund managers need to know’, the Sumi Trust warns that trading algorithms are at risk of theft, unauthorised changes to trading limits and DDoS attacks.
Investment firms are also vulnerable to insider threats, where records may be compromised by the malicious or accidental actions of an employee. ‘Yet there is nothing widely recognised as promoting awareness specifically on cyber security in asset management,’ says Arndt.
The risks to investors are abundant. They include the wiping of records and the use of hacking to obtain sensitive financial information. Investors may also be affected indirectly by losses incurred by companies caught out by cyber attacks. According to a study by Oxford Economics and cyber security consultant CGI, cyber attacks have wiped £42 billion off the value of shares from 2013 to 2016 – and that’s just in the incidents that have been made known to the public.
So how are you as an investor protected in the event of a cyber attack on a fund firm, platform, broker or other organisation you invest through? The key point to remember is that investors’ assets are usually held by third-party custodians and depositaries, and not physically held by the firms investors invest with.
Investments bought through platforms and brokers are usually registered in a nominee account, which ringfences them from the firm's own assets should the investment company get into difficulty; uninvested cash is held in a separate client money account. Both are typically looked after by an independent custodian, which is responsible for administering and safeguarding the holdings. The same goes for assets invested in unit trusts and Oeics, which are held by a depositary or trustee.
Mark Polson, principal at the Lang Cat consultancy, says: ‘The security of your money is less threatened in that regard, but custodians need very strong systems. However, asset managers also need solid security to ensure they are able to run their funds and businesses normally and deliver the investment styles and returns they have promised.’
Asset managers have a duty to ensure the custodians they use have appropriate controls in place to prevent data being compromised by cyber criminals. Businesses and organisations are required under the Data Protection Act to keep people’s personal data safe and secure. The sophistication of cyber crime and the rate at which it evolves is a source of great anxiety for funds and investors. For all that organisations invest in combating the threat, no company is impregnable. Investors would be wise to know their rights and be vigilant.
How to protect your assets from cyber crime
Secure your devices and software: Every device used to access your accounts (PCs, laptops and mobile phones) and the software on it should be kept up to date with security patches; the May ransomware attack spread largely through machines that had not installed a Windows security update that was already available. Install good-quality anti-virus, anti-spyware and firewall software, some of which offer significant protection for free.
Be streetwise: Never use the same password for different services, so that one leaked password cannot open your other accounts; a password manager makes long, unique passwords practical to use. A strong password is at least 12 characters long and mixes lowercase and uppercase letters, numbers and symbols. Multi-factor authentication, where in addition to your password you must enter a one-time code sent to or generated on your mobile phone when you log in, stops someone getting into your account with stolen credentials alone. Answers to security questions are not a second factor: like a password, they are something you know, and they can be guessed or leaked. Avoid public PCs or public wifi networks for accessing financial accounts, as such systems are often insecure.
Back up and be vigilant: Keep your own detailed record of your holdings and retain statements, so that a breach or systems failure at the firm cannot leave you unable to prove what you own. Always be vigilant. If you think you have received a phishing email, do not reply or click anything in it; contact the organisation it claims to come from using contact details you already hold (from a statement, or by typing its web address in yourself), not those in the message. Never open an attachment or click on a link unless you're sure of its authenticity; hovering over a link shows the address it really points to, which should match the address it displays and belong to the firm's own domain.
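The link check described above, done over the HTML of a message rather than by eye, as an added example that is not from the original article. It flags links whose visible text shows one address but whose target is another, targets that are not the firm's own domain or a genuine subdomain of it, lookalike domains that merely contain the firm's name, and non-web links. The firm name `mybroker.co.uk`, the sample message and the IP address 198.51.100.7 (a reserved documentation range) are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags in a message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of an http(s) URL, or '' for anything else.
    urlparse's hostname discards any 'user@' prefix, so the common trick of
    'https://www.mybroker.co.uk@attacker/' yields the attacker's host."""
    parts = urlparse(url)
    if not parts.scheme:  # bare 'www.example.com/path'
        parts = urlparse("http://" + url)
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return text.lower().startswith(("http://", "https://", "www."))


def is_trusted(host: str, trusted: set) -> bool:
    """Exact trusted host or a genuine subdomain of one; 'mybroker.co.uk.evil.example'
    does not qualify because it ends with '.example', not '.mybroker.co.uk'."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def suspicious_links(html: str, trusted: set) -> list:
    """Return (href, reason) for every link in the message that should not be clicked."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        target = host_of(href)
        if not target:
            findings.append((href, "not a web link"))
        elif looks_like_url(text) and host_of(text) != target:
            findings.append((href, f"displayed {host_of(text)} but goes to {target}"))
        elif not is_trusted(target, trusted):
            reason = "untrusted host"
            if any(t.split(".")[0] in target for t in trusted):
                reason = "lookalike of a trusted host"
            findings.append((href, reason))
    return findings


# Constructed example: the firm's real domain and a phishing message imitating it.
TRUSTED = {"mybroker.co.uk"}

SAMPLE_EMAIL = """
<p>Dear client, please verify your account within 24 hours:</p>
<a href="https://www.mybroker.co.uk@198.51.100.7/login">https://www.mybroker.co.uk/login</a>
<a href="https://mybroker.co.uk.account-check.example/login">Log in</a>
<a href="https://secure.mybroker.co.uk/help">Help centre</a>
<a href="javascript:void(0)">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(f"{reason}: {href}")
```

Only the genuine `secure.mybroker.co.uk` link passes; the other three are flagged for the three reasons a careful reader would check by hand.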
Data rule breach compensation tips
Investors with concerns over the way an organisation is handling their personal data can report it to the Information Commissioner’s Office (ICO). The ICO oversees the behaviour of organisations and individuals that collect, use and keep personal information; its powers include criminal prosecution, civil monetary penalties and non-criminal enforcement.
However, it doesn’t award compensation. Instead, it encourages individuals to go to court to claim compensation for damage or distress caused by an organisation that has breached the Data Protection Act.
Claims for a data loss that causes damage or distress can be made directly with the firm in question or pursued in the small claims court. An ICO document agreeing that the Data Protection Act has been breached can provide powerful support for a claim.
The protection options are clearer where the firm in question is authorised and has been declared in default, as investors then have recourse to the Financial Services Compensation Scheme (FSCS). In the case of a hacked investment firm holding client money or assets that has been declared in default, the FSCS will compensate eligible customers if the records show a shortfall (or loss) in client money or assets. The compensation limit for such claims is £50,000 per investor.