BreachExchange mailing list archives

Asset management must not become complacent about cyber security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Sep 2015 11:52:27 -0600

http://www.investmentweek.co.uk/investment-week/opinion/2427619/why-asset-management-must-learn-lessons-from-other-sectors-on-cybercrime

The financial services sector, in particular, needs to plan for when, not
if, its firms are successfully hacked, with last month's distributed denial of
service attack on one of Britain's largest banks serving as a reminder of
the sector's vulnerability.

Regulators in the US, UK, and recently Ireland have all warned the
financial sector about cybercrime, with the Bank of England's Financial
Policy Committee saying that UK firms are underestimating the threat.

The ever increasing scale and frequency of breach reports has primarily
been driven by US breach notification laws but there is really very little
reliable and appropriate data available on the frequency of cyberattacks.

There is a significant sampling bias in most cyber data reports, as they
focus specifically on breached firms that have either publicly reported
their breach or were assisted by the authors of the report.

While there is more data than ever available, it relates to known breaches,
not all breaches, although a number of groups are working to improve the
quality of information available.

Data breach

One of the more interesting reports is the 2015 Cost of Data Breach Study
from the Ponemon Institute. It estimates the average chance of a data
breach over a two year period is 22%.

That is a bold assertion that needs to be taken with a pinch of salt, but
on the face of it the estimate suggests two inferences.

The first is that 78% of firms will not be breached over a two-year period.
The second is that if the probability is truly independent for each two-year
period, then there is a 71% chance of a firm having a data breach within any
ten-year period (1 - 0.78^5, which is approximately 0.71).

This is not as bad as some industry experts say, but it does show that
data breach risks are hardly 'black swan' events. Importantly, cyber risk
must form a key part of operational risk management, with a clear strategy
in place to handle such incidents.

It is worth considering that the study focuses on data breaches defined as
an event that puts an individual's name and medical or financial record at
risk. The 22% probability estimate is, therefore, likely to be too low if
considering a wider definition of a security breach, which can also involve
business interruption, reputation damage and data integrity issues.

Many firms have already stepped up their approach to identifying data
breaches and security incidents, leading to improvements in the speed of
detection and reaction.

However, professional experience suggests those firms which detect attacks
faster than their peers have either previously handled a major breach or
have an active regulator focusing on cyber security.

Those that remain unaware of the threat are commonly slower to detect and
react to a breach and there will be many firms currently suffering breaches
that remain blissfully unaware.

Some will never find out. Just because you do not know you have been
breached, unfortunately does not mean you have not been breached - and what
you do not know certainly can hurt you.

Identifying attacks

The 2015 Cost of Data Breach Study identified an "upward-sloping linear
relationship" between the time taken to identify an attack and the average
cost of a data breach. A similar relationship exists with the time taken to
contain a breach.

Reducing the time to identify and contain attacks directly reduces costs.
And if we accept cybercrime as a normal operational risk that is likely to
occur on a reasonable time horizon, we should be thinking about reducing
the cost of occurrence.

The asset management sector has recently been accused of complacency around
cyber security by The Cerulli Edge, published by Cerulli Associates. While
it is true many firms have not been leaders or early adopters of new
practices or technology in this space, interest has recently picked up.

The lessons learned by the wider financial services sector can be used by
fund managers and investment firms to accelerate the improved management of
cyber risk, by reducing the time taken to identify and contain attacks.

There is a new determination to improve detection through the deployment and
maturation of security operations centres, improving incident readiness
through formal planning and tabletop war gaming exercises, and early
glimmers of interest in advanced techniques such as proactive threat
hunting.

Fund managers have a long journey ahead of them in improving their cyber
risk strategy. While it is not all black magic and black swans,
considerable challenges remain in safeguarding the assets and reputations
of firms and clients alike.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss