AM Tech Day: Cybersecurity is an increasing concern for asset management firms
Senior managers at investment firms have every interest in getting involved in cybersecurity issues. This was one of the findings of the round table discussion on cybersecurity held by L'Agefi at AM Tech Day 2019 on 8 October. "One year ago, cybersecurity was not at all an issue for senior management, but we are now having to look into it, at a time when two thirds of the costs of an e-banking offering are incurred from the surrounding security package and this cost is skyrocketing", explained Hervé Mercier-Ythier, deputy CEO of UBS in France. While e-banking was not an obligation with its rather older private banking clients, when UBS got involved in it in France "this added a huge layer of costs in a key area of our business, which is the guarantee of data confidentiality".
Mercier-Ythier explained that this has also created a "huge disruption, with tools that slow down access to the company’s interface and that make things extremely unpleasant". He also mentioned the example of the parent company in Switzerland, which has an e-banking solution that has caught on with its Swiss clients, but did not work at all in France, as "our clients were not used to going through all the security steps. Especially in comparison with e-banking in France, it was far too complicated and hurt the customer experience. We had to work at making this far more fluid, using another application".
Mercier-Ythier also explained how important it was for the bank to ensure that its external service providers also pay attention to cybersecurity: "When you have an outsourcing contract, it’s a nightmare to get the service provider to fill out the extensive questionnaire that we demand of it, to provide us guarantees and assure us that it is willing to assume serious liabilities in the event of a default".
Philippe Duluc, chief technology officer at Atos, pointed out the importance of protecting the firm, as cyber-attacks are increasingly common. He reported that headway had been made in detection: according to Atos’ figures, about 150 to 200 days can pass between the moment a hacker penetrates a company and the moment he is detected, half as long as a few years ago.
Cyber risk is one of the top three risks cited by asset managers
Wilfried Lauber, head of information systems security at Axa Investment Managers, and chair of the cybersecurity working group at the French Asset Managers Association (AFG), reported that cyber risk is one of the top three risks cited by French asset managers. This was the finding of an AFG study on the issue in early 2018. "There is real awareness of the attacks that have been made public, such as NotPetya. The average cost of an attack, which varies with the company’s size, has been estimated at an average of €15m. For a group like Saint-Gobain, which issued a profit warning, the cost was €300m. This is a risk that can now be quantified, and asset managers are including this in their business plans, reviewing various types of attacks, scenarios, impacts on the company, and how they can start back up again", he explained. The top cyber risk cited is the non-availability of the information system or the closely related risk of ransomware. The second risk is the theft of information by a competing company, and the third risk is that regulators will be imposing more and more constraints in this area and will not hesitate to mete out punishment for security breaches.
"The asset manager’s level of maturity in protection will often depend on its size, its business lines, its Internet presence, and so on. Asset managers are generally less exposed than banks, especially those who are online, but the vast majority of wealth managers have indeed launched cybersecurity plans", Lauber said.
He pointed out that the General Data Protection Regulation (GDPR), which was adopted in May 2018, led to the activation of a number of cyber plans, but many asset managers had already worked on them before. The threat of regulatory sanctions has considerably enhanced the visibility of these plans, even within the companies. Stéphane Astier, an attorney with Haas Avocats, for example, said that "many senior managers have realised that they themselves have to deal with the hot potato that they had handed off to IT departments, because of higher fines and their greater accountability to their boards". He nonetheless believes that there is still "a huge amount of work to do on raising awareness and training of companies’ employees and top management".