Strict controls can lead to lower insurance costs
In the asset management industry, cyber security is one way funds and managers can differentiate themselves from the competition in attracting investors while protecting themselves from cyber attacks.
It is often difficult for investors to distinguish between opportunities, whether they plan to work with hedge funds, registered investment advisers, private equity funds or asset management firms. All are usually run by highly qualified professionals who have been educated at the most prestigious universities and have an excellent track record.
"But if you ask a question about cyber risk and security and someone says, 'Here's how I've increased my control over the last two and five years, here's the insurance policy we have with a well-known insurance company and here's how we do our tests and our documentation of the tests ...' I think that's definitely going to be a differentiator," said Michael Patanella, national managing partner for asset management at Grant Thornton LLP.
However, it is a challenging time for managers and funds in the asset management industry to take the lead in cyber security. Cyber insurance premiums and the need for new controls are on the rise, while the industry is seeing a big drop in revenue.
The economic downturn is hitting the industry hard, with market losses expected in calendar year 2022 of around 20%. In such an environment, asset management companies are under cost pressure across all of their operations, including cyber security initiatives.
One avenue that asset management firms are currently looking at is to spread cyber security spending across funds where possible. Asset managers and legal counsel should review fund partnership agreements to see if it is possible to allocate cyber security costs directly to the funds.
If allocation is not allowed, the cyber security costs will be a direct cost to the asset management company.
"Companies are trying to balance risk and cost," Patanella said. "It's an issue across all sub-sectors - asset management, private equity, registered investment firms and hedge funds - all in a very challenging investment market where most mutual funds have lost double-digit percentages over the year."
The advantage of mature controls
According to the Council of Insurance Agents and Brokers, cyber insurance prices are soaring - 27% in the second quarter of this year, 28% in the first quarter of 2022 and 34% in the fourth quarter of 2021.
Mathew Tierney, global insurance practice leader at Grant Thornton, said that while Grant Thornton is not an underwriter, the market is seeing increased cyber-attacks and increasing ransomware payments leading to higher premiums. The cost of responding to breaches is also increasing as forensic and legal services are required and the cost of replacing IT in the event of a breach has increased. This is reflected in higher premiums.
"The organization's lack of security hygiene policies and incident response plans has a significant impact on insurance premiums," Tierney said. "The absence of a first line of defense opens the door to unlimited exposure. The lack of a detailed business interruption plan can result in the inability to secure insurance, as well as being a significant factor in increasing insurance premiums."
However, at a time when fund and asset managers are eager to cut costs, there are opportunities related to cyber security. Reduced cyber insurance premiums may be available from carriers for customers who implement certain cyber security controls.
Without some of these controls, it may even be impossible to find a carrier that provides coverage. Controls that may reduce premium rates include:
- Multi-Factor Authentication (MFA).
- Endpoint Detection and Response (EDR) with managed security services.
- Incident Response Plan (IRP).
- Secure backups.
- Endpoint protection.
- Privileged Access Management (PAM).
- Management of local administrator rights.
- Email security.
- Penetration testing.
- Remote access management.
- Employee training and anti-phishing campaigns.
"If you have well-developed security controls, you're likely to see a potential 20% reduction in premiums compared to the current situation," said John Pearce, director of cyber risk consulting at Grant Thornton. "If you look more sophisticated and have some basic controls, but maybe they're not fully activated and functional, you could see your premiums go up by 50%. If you don't have basic controls in place, you may not be able to get insurance from a market-leading carrier."
While larger asset management firms likely already have fairly robust controls, investing in stronger controls could be an opportunity for smaller asset managers and private equity portfolio companies to generate insurance coverage savings.
Meanwhile, cyber security and cyber insurance should be key factors in M&A deals, Tierney said.
"Asset managers and PEs should conduct a thorough review of a potential investment's cyber audit during due diligence," Tierney said. "This includes evaluating controls for gaps, reviewing the customer/supplier contract, compliance with applicable regulations and reviewing program loss history."
Tierney said insurers won't issue a premium quote without evaluating all the cyber defense elements in the deal. He said mergers and acquisitions may require a combination of due diligence, representation and warranty insurance, and cyber security.
"However, cyber policies will include a 'change of control' provision, so the target company's insurance will not be transferred to the acquiring party," Tierney said. "Coverage of the existing buyout portion will include provisions for 'changes in operations' requiring notice to the transaction carrier. The carrier will likely ask for details of the target company's exposure and may estimate a premium increase as a result."
The role of the board of directors
Working with cyber insurers is management's job, but the board's fiduciary responsibility requires a certain level of oversight in this area. Boards of directors have become increasingly involved in risk oversight in recent years, and cyberattacks are perhaps the most prevalent type of corporate risk facing companies in today's environment. The board's ability to ask probing questions about cyber security is essential.
"They should ask themselves, 'What is the nature of cyber incident coverage?'" said Johnny Lee, director and national practice leader of Grant Thornton's Forensics Technology Practice. "What wouldn't it include? How does insurance cover key suppliers that can be integrated into our environment?"
For items not covered by the contract, Lee suggests boards ask more probing questions, such as:
- What actions are being taken to reduce this risk?
- Does the organization have an incident response program, and is this program regularly exercised?
- Has the company or fund invested in EDR technology?
- Are key professionals (such as outside legal counsel and forensic experts) under contract before a cyber incident occurs?
- Does the organization have an established IT asset management function?
- Is it clear to management where the "crown jewels" are located in the organization and how they should be protected in the event of a potential system compromise?
Regulation on the horizon
As cybercriminals modify their methods, companies strengthen their controls, and insurers provide protection, regulators continue to play their part in the cybersecurity landscape. As a result of regulations proposed in February by the Securities and Exchange Commission, new rules for registered investment advisers and mutual funds are on the horizon.
The final rules have not yet been published, so it is impossible to predict which of the SEC's proposals will become requirements. However, the key elements of the proposal, if adopted, will be:
- Require advisers and funds to adopt and implement written policies and procedures reasonably designed to address cyber risks.
- Require advisers to report significant cybersecurity incidents to the SEC within 48 hours of discovering a breach.
- Increase disclosure by advisers and funds about cybersecurity threats and incidents.
- Require advisers and funds to maintain and preserve specific cybersecurity-related records.
Some of the proposed requirements relate to actions that advisers and funds should already be taking. For example, after years of increasing cyber security threats and risks, it should be assumed that advisers and funds already have written policies on cyber threats. It is also necessary to conduct response drill sessions with all relevant employees to maximize resilience in the event of a breach.
However, the proposed transparency requirements will represent a significant change for registered investment advisers, as the success of the industry relies on an element of secrecy. Are you buying Apple stock? Selling Tesla stock? Keeping this information confidential can be the key to your competitive advantage. Thus, while reports of breaches to the SEC will be confidential, transparency in SEC reports and increasing disclosures related to cybersecurity risks and incidents may require changes for some managers and funds.
Being proactive is essential
Despite the uncertainty surrounding the SEC's final requirements, Patanella suggests that proactive handling of the proposed requirements can help managers and funds protect themselves and more easily comply with the final rules.
"Here are some very specific things you can do today to protect yourself and stay ahead of the regulatory curve," he said.
In particular, Patanella said, Grant Thornton clients are working diligently to test their cybersecurity controls, and some of them are getting help from outside experts. Some customers take it upon themselves to perform penetration testing on their systems, even at their workplaces.
Penetration testing can include attempts to actually break into systems and physically access offices that should be secure. Testers can even sit outside an office building and secretly photograph employees' laptops as they leave the building. A photo of the laptop can give a hacker information about the processors and systems the company uses, which can help them gain access.
"It will be important for individuals or third parties to manage some of that risk," Patanella said. "The SEC's proposals will be about your plan and how you test controls."
Creating an advantage
In challenging times, obtaining funding for these key elements of cybersecurity – stronger controls, testing of those controls, and cyber insurance – will not necessarily be easy.
However, for asset management firms and the funds that actually spend on these items, the benefits may well be a competitive advantage. And when economic conditions become more favorable, the investors and customers that can be gained through trust in cyber security can pay off well in the long run.