Article, 01 Jul 2019

Human Risk in Cybersecurity

While most firms are actively crafting cybersecurity programs, far fewer are focused on the potential threat that insiders can pose to the organization.


Today, some of a firm’s highest value assets are reflected in the proprietary information they possess. As data is increasingly becoming a compelling competitive advantage, new approaches must be taken to protect high-value information. While most firms are actively crafting cybersecurity programs, far fewer are focused on the potential threat that insiders can pose to the organization.

What is the Insider Threat?

The insider threat is a business risk created by anyone who has access to information about the firm’s systems, processes, data, clients, or proprietary information assets. This definition is critical to building insider threat programs appropriately, as it purposefully does not limit the designation to employees. While asset management professionals have a separate definition of “insider” as it relates to trading activities, firms should contextualize the term differently in order to enable a security response.

Firms can experience loss from both intentional and unintentional insiders. Even phishing, commonly thought of as an external attack tactic, has a critical insider component as it requires a person with access inside the organization to execute the attack. Therefore, firms should cast the widest net possible in first defining those who have access to information assets in order to best respond to the insider threat.

Approximately 50% of breaches publicly reported from 2012-2017 had a substantial insider component according to a recent study from McKinsey & Company. Without increased attention this trend could grow, as firms expand their organizations to outsource non-core functions and add new vendors, service providers, consultants, and contractors. Scores of new insiders are introduced that may have previously been considered out of scope of this issue.

Insiders Can Cause Significant Damage

Cybersecurity problems are expensive and these costs are on the rise. Cybersecurity Ventures predicts that overall cybercrimes will cause $6 trillion per year in damages by 2021, an increase from $3 trillion in 2015. Financial costs of individual breaches are also growing. The average total cost of a data breach is $3.86 million, a 6.4% increase over the previous year, according to a recent report from IBM.

Beyond the financial costs, it is almost impossible to quantify the loss that a firm can experience resulting from brand damage and clients’ loss of trust in the institution. A 2019 threat predictions report by McAfee Labs notes the reputational and brand protection angle of data security is one of the top issues for organizations to watch in the coming years. Leaked information assets, defined as bodies of information with financial value, can be costly and damaging to a firm. Insiders can remove sensitive data, steal proprietary information, execute false transactions, or disrupt systems that execute trades, where even milliseconds of slowdown can have serious financial implications. Insiders can be more damaging to a firm and its investors than external attackers because employees have a deeper understanding of vulnerabilities, proprietary insights, and the most valuable competitive intelligence. They also have the greatest understanding of IT systems and potential workarounds, and can repeatedly observe how management responds to breaches, giving them a roadmap for navigating security loopholes. In the most extreme instances, they may even have a role in system administration, rule design, and implementation.

The Risk is Growing for Asset Management

Proprietary information assets underlie almost all aspects of a firm’s product offering and operations. Client and market data is a highly valuable part of driving the creation of unique investment solutions, enhancing a firm’s competitive advantage. To that end, data leakage or any act by an insider that compromises confidentiality poses great risk to the firm’s clients, mission, and business operations.

Today’s firms operate across multiple geographies, which means they are often working in jurisdictions with varying degrees of security protocol and different cultural perceptions of data privacy. Expert employees may erroneously believe that code, data, or products they create are theirs, as opposed to the firm’s. As new data and technology professionals enter the industry to support digitization efforts, they may be less familiar with financial regulation and privacy protocols, which differ from those of other industries with a greater cultural inclination to share information. Conversely, traditional financial professionals may not recognize all instances of potential liability in data management as they engage with new digital tools and user interfaces.

Even the savviest insiders are likely to fall victim to targeted phishing attacks as actors leverage personal data to craft compelling, bespoke attacks. Social engineering has become more prevalent as attackers target someone’s hobbies, replicate the brand of their personal financial institution, or reference places they frequently visit to encourage them to engage with an email that puts the firm at risk. For example, an employee is more likely to open an email that looks like it is coming from their child’s school about an emergency, or a note from a prominent industry association seeking their expertise. Additionally, cybercriminals are now frequently targeting those below the C-Suite, such as human resources professionals who could provide personally identifiable information or accounting and back-office staff who have access to the firm’s banking and wire transfer details.

The push to bring digital innovation to asset management also introduces insider risk. First, high-value information assets can be more easily removed from a firm through web-based service providers, open-architecture web applications, and other digital storage and cloud initiatives. Second, the unprecedented creation of data—from customer profiles to new quantitative methods—means that the firm is constantly creating new high-value information assets, making it a challenging security paradigm for even the most sophisticated teams to manage.

Regulators and Investors are Taking Notice

Regulators worldwide are putting greater focus on cybersecurity and information protection issues. The recently created Cyber Unit within the Securities and Exchange Commission (SEC) has actively offered guidance on cyber risk. In late 2018, the SEC concluded an investigation into nine public issuers who lost approximately $100 million due to business email compromise. The SEC subsequently issued a statement encouraging firms to consider cybersecurity even around seemingly non-technical operational issues, in this case internal accounting controls. Globally, asset managers are already becoming accustomed to this posture of strengthening security around data as a result of the EU’s General Data Protection Regulation.

Investors consider cybersecurity practices an essential part of their operational due diligence efforts and boards and audit committees are also evaluating leadership on how effectively they execute cybersecurity programs. As these key constituencies come to expect cybersecurity measures, firms can differentiate themselves by having additional security around their most critical information assets.

Insider Threat Risks Can Spike at Key Events

Firms are always at risk of an information breach; however, insider threat risk is often heightened around events such as employee resignations and data migrations. The perception that asset management employees are highly intelligent, well-screened experts who do not readily bring to mind the persona of a criminal can also foster insider risk. Executive leaders who have the mindset that these issues cannot occur inside their firm set themselves up to underinvest in programs that can protect critical intellectual property (IP). Tools like background checks are helpful in predicting future behavior, but represent only a single point in time. Firms must remain vigilant throughout the employee’s and the organization’s lifecycle to spot potential issues. Firms should heighten awareness of potential insider risks around major organizational shifts, extensive employee complaints, performance reviews, contract renegotiations, or mergers and acquisitions.

Key Events to Watch For

While firms are always at risk for an information breach, there are certain events where insider threat risk is heightened.

On-boarding Vendors

When firms add vendors, engage in third-party relationships, and bring on contractors, they introduce insiders—regardless of whether or not they are directly employed by the firm. Many of these relationships can entitle users with administrative-like privileges that may be off the radar of employee-focused security protocols.


Employee Resignation

Another common instance of high risk is in the weeks prior to an employee resigning or during a notice period. System logs may catch that they are transferring large files, using external storage devices, or emailing outside of the network in greater volumes. They may also request new permissions, which systems or administrators should recognize as a potential threat and flag for further review.


Cloud Migration

Cloud migration’s adoption in asset management has increased potential insider threat risk. Specifically, firms should ensure that all users are aware of data transfer protocols and have a thorough understanding of sharing any links or privileges. Firms should consider assessing whether their service-level agreements with these partners address potential insider threats and have subsequent opportunities for recourse or insurance to cover quantifiable risks. As these are often cross-border companies, different regulatory jurisdictions could impact recovery, implementation, and general adherence to a firm’s preferred security standards.


Mergers & Acquisitions

Cyber issues are more likely to arise for firms that are consolidating because disparate processes, systems, and governance models can create gaps in security protocol. In 2019, the SEC’s Office of Compliance Inspections and Examinations announced a third review of firms’ cybersecurity compliance efforts, with a particular focus on firms who have recently gone through a merger or acquisition.


A Holistic Approach to Mitigating Insider Threat

Firms should consider formalizing an insider threat program involving people across the organization who are empowered to act and who have dedicated roles in advancing data security. There is no universal norm for protecting information assets as a responsibility within asset management firms. Accordingly, this means that an insider threat program is likely to require coordination between the Chief Risk Officer, Chief Information Security Officer, Chief Data Officer, and Chief Technology Officer, whose responsibilities may vary widely depending on the firm’s size and organizational structure.

Stakeholders across the organization should include legal, compliance, security, business heads, and systems, network, and technology specialists. Each of these partners has a specific point of view on employees’ vulnerabilities, performance, and system activity, all of which are necessary to create a holistic program. Firms are also likely to discover that their program should be led by the highest levels of the C-suite in order to garner the greatest buy-in and best execution. It is critical for firms to involve their legal counsel in the development and implementation of any insider threat program in order to ensure compliance with privacy regulations and laws governing employees.

Taking Steps to Address the Risk

1. Define High-Value Information Assets

Equally applying controls across the organization is not the most efficient way to mitigate human risk. Firms must identify critical data assets and weigh those organizational protection efforts more heavily, aligning dollars, human resources, and technology applications. Business stakeholders must define their most high-value information assets by addressing these questions:

  • If lost, how quickly can we recover this information asset?
  • What impact does it have on clients?
  • How many people can access this data and where do they sit in the organization?
  • Where and how are these information assets stored?
  • Which are the most critical to our core business offering?
  • How are these assets accessed?

2. Prioritize Governance

Firms will likely need to shift their mindset to include measures beyond traditional efforts to protect physical IT infrastructure and access points. They may also need to challenge their assumptions about who could be at risk of a breach, either intentionally or unintentionally. Those who are working in proprietary algorithm development or employees who have access to outsourcing plans and processes that offer an industry competitive advantage may now need more attention.

Providing end-to-end security protocols around employee access and vendor onboarding is an essential risk mitigation tactic. For example, many firms quickly terminate remote access for employees who separate from the company, but often less stringent protocols are implemented around job shifts. As roles change, access should as well and a robust program constantly updates and addresses these microrisks. Organizations with single points of failure or key man risk around data issues should also consider widening their checks and balances system.

3. Develop an Incident Response Plan

Crucial for every other aspect of IT management, an incident response plan is equally important for insider threat programs. Starting with the high-value information assets identified at the outset, firms should use process mapping to lay out the step-by-step actions that will need to be taken depending on the actor and asset involved. Identify who among the stakeholders has ultimate responsibility for informing clients or initiating a communication plan around any incident. Lastly, testing incident response plans through a tabletop exercise gives participants an opportunity to rehearse their individual responsibilities. It further provides a risk-free forum to incorporate new scenarios that may emerge as the firm grows.

Firms should prioritize how to handle their own data leakage, but would also benefit from considering how to respond in the event they are presented with another firm’s leaked high-value information asset. Firms should respond swiftly and responsibly to new arrivals who appear to come equipped with excessive code, competitor intelligence, or personal IP. Having readily available contacts at local law enforcement agencies will enable a quick response.

4. Move from Defensive to Offensive Efforts

Monitoring is only one aspect of risk mitigation and is becoming increasingly complicated to scale and implement without running afoul of privacy concerns. Historically, defensive measures have included tactics like routine reviews of network security and password protocols; however, many new solutions take a more offensive posture. The newest predictive technologies build on the traditional personas vulnerable to insider breach issues and combine this behavioral intelligence with machine learning and big data. AI-supported intrusion detection tools are now able to continuously review logs and flag suspicious behavior, a task once left exclusively to humans. A 2018 cybersecurity study by Deloitte found that respondents ranked investment in data and analytics among the top three priorities for cyber defense programs, highlighting how this type of data and AI can support improved security.

Enterprise-wide solutions now take a more adaptive approach to detection and generating actionable intelligence by building a baseline and individual pattern of behavior for all insiders, making it easier to detect anomalies. These solutions can often be deployed quickly, alerting management to potential issues and identifying those most at risk for compromising a high-value information asset. As email remains one of the most frequent avenues of information compromise, phishing simulators are a valuable aspect of insider threat program management. Phishing simulators bring awareness of insider threat and data protection issues down to an individual level, reinforcing for employees that their personal actions can significantly impact the firm. These training technologies can be periodically executed throughout the organization and identify those in need of additional training on how to spot and report these dangerous attempts.
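As an added example (not code from the Citi article), the notice-period signals described under Employee Resignation and the per-insider baseline approach described here can be combined into one small detection routine: it learns each user’s typical daily outbound email volume from constructed log lines, flags days far above that baseline, and flags never-before-seen activity types (removable-media writes, permission requests) only for users listed in a hypothetical HR notice-period feed. The log format, event names and the `NOTICE_PERIOD` set are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample activity log (not real data): one row per user, event type and day.
SAMPLE_LOG = """\
2019-06-03,alice,outbound_email,12
2019-06-04,alice,outbound_email,10
2019-06-05,alice,outbound_email,11
2019-06-06,alice,outbound_email,13
2019-06-10,alice,outbound_email,58
2019-06-10,alice,usb_write_mb,820
2019-06-11,alice,permission_request,1
2019-06-03,bob,outbound_email,40
2019-06-04,bob,outbound_email,44
2019-06-05,bob,outbound_email,42
2019-06-10,bob,outbound_email,45
"""
# Hypothetical HR feed of users currently serving a notice period.
NOTICE_PERIOD = {"alice"}

def parse_log(text):
    """Parse CSV-style rows into (date, user, event, value) tuples."""
    rows = []
    for line in text.strip().splitlines():
        date, user, event, value = line.split(",")
        rows.append((date, user, event, float(value)))
    return rows

def build_baselines(rows, cutoff):
    """Per (user, event): mean and population stdev of daily values before cutoff."""
    series = defaultdict(list)
    for date, user, event, value in rows:
        if date < cutoff:  # ISO dates compare correctly as strings
            series[(user, event)].append(value)
    return {key: (mean(v), pstdev(v)) for key, v in series.items()}

def score(rows, cutoff, k=3.0):
    """Return (date, user, event, value, reason) alerts for activity on/after cutoff."""
    baselines = build_baselines(rows, cutoff)
    alerts = []
    for date, user, event, value in rows:
        if date < cutoff:
            continue
        base = baselines.get((user, event))
        if base is None:
            # No history for this activity type: alert only inside the
            # heightened-risk notice-period window described in the text.
            if user in NOTICE_PERIOD:
                alerts.append((date, user, event, value, "new activity type during notice period"))
            continue
        mu, sigma = base
        if value > mu + k * max(sigma, 1.0):  # floor sigma so flat baselines still alert
            alerts.append((date, user, event, value, f"{value:.0f} vs baseline {mu:.1f} +/- {sigma:.1f}"))
    return alerts
```

Running `score(parse_log(SAMPLE_LOG), "2019-06-10")` yields three alerts, all for alice (the email spike, the USB write and the permission request), while bob’s slightly-above-average day stays inside his own baseline.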

5. Build a Security-Conscious Culture

Rules and regulations around security issues have the greatest impact when they are tied to the firm’s organizational goals, principles, and values. Insiders are likely to engage more responsibly if executives draw clear connections to how individual behavior can compromise the firm and investors. It can be helpful to provide simple and non-threatening ways for any insider to report concerns to management. These avenues are often built out for employees, but as the insider circle widens, ensure there are multiple options for secure communication with management. If these processes are cumbersome or not handled with privacy, insiders may be disinclined to speak up.

Hiring managers should go beyond the ‘background check’ mentality. Assess problem-solving and judgment skills around information security with the same level of seriousness as other aspects of a candidate’s skill set. Integrating behavioral interview questions on handling proprietary information and conflicts of interest can be an effective way to convey, from the beginning of an insider’s engagement with the firm, that information security is everyone’s job.

Information Security Is Everyone’s Responsibility

Cybersecurity is a complex effort that requires a coordinated approach across a number of functional areas. With many risk factors being outside of a firm’s control, enhancing data protection efforts by implementing a holistic insider threat program is an important aspect of protecting what is fast becoming one of an asset manager’s greatest assets. Successful programs start at the top and combine technical strategies with human intelligence efforts, overlaid by a culture that prioritizes information security in ultimate service of the end investor.
