Wondering how to protect your investment management firm in a changing cybersecurity environment? Use this straightforward assessment to make sure both your firm and your vendors have the right protections in place to guard against modern threats.
Ridgeline is not exclusively a security platform, but security is part of the value we provide customers as the industry cloud platform for investment management. We feel strongly that no business can be successful anymore without holding itself to the highest standards of security to protect its customers and data. Ridgeline has prioritized and invested in security since day one, and we consider ourselves security-obsessed - not only because it’s sensible but because it’s critical to adequately serve our customers and enable their growth.
The investment management industry is facing an increasingly threatening reality around data and cybersecurity, and it is not alone: a whopping 83% of researched companies have already had one or more breaches.1 The current climate of geopolitical and economic uncertainty makes for greater threats and more unknowns. Investment management is highly susceptible to risk because it is built on data and intellectual property; data is both your most valuable and most vulnerable asset.
Asset managers are also uniquely exposed given the degree of leverage and complexity of systems and partners. Most firms rely on a large number of technology partners to operate their business and to move quickly. It's a common practice but one that creates opportunities for exploitation given the complexity of integrations, data transfers, and compatibility. This underscores the need to maintain an active stance in security preparedness and thorough vetting of vendors that process or store your data.
You have probably taken steps in the right direction already. Maybe you even have a Chief Security Officer. But security can no longer be relegated to a single department or role at your firm. Whether you oversee critical vendors, handle sensitive data, or support regulatory compliance, security vigilance is a shared responsibility that is increasingly critical to your firm's success.
Research supports that a culture of security is good for your firm’s bottom line: companies that have few regulatory compliance failures see a 51% reduction in security-related costs related to a breach event.1 Here are four key ways that security can be a significant contributor to growth.
1. Changing Regulatory Standards
The SEC recently approved a new cybersecurity regulation that is out for public comment.2 The proposal would require all covered entities to implement policies to address cybersecurity risks. This includes preventing and detecting unauthorized access, taking measures to identify and remediate vulnerabilities, and publicly disclosing adverse security incidents.
“The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age.” - Gary Gensler, SEC Chair
There’s also a vendor oversight component. Advisors will be required to have an understanding of their cloud service providers, know the risks of those services, and be able to conclude whether the service provider is able to effectively manage risks related to protection of data and prevention and detection of cybersecurity threats.
Going forward, firms may have to conduct periodic due diligence of vendors and report them on Form ADV-E. If approved, this regulation will have great significance and implications for the industry. And, while there’s a lag effect as governing bodies catch up to new technology, it surely won’t be the last regulation to impact investment managers. To thrive in a competitive industry under strict oversight, you need to stay ahead of the standards and prioritize security in all decisions, from internal guidance to vendor selection.
2. Operational Risk
There has been a significant increase in the volume and cost of cyber attacks as technology gets more sophisticated and industries become increasingly reliant on third-party software. We’ve seen a 57% increase in the number of attacks on US-based organizations.3 These have resulted in an average cost of nearly $6M for incidents impacting financial services firms.1
While the volume and cost are increasing, the most common attacks continue to stem from familiar weaknesses like phishing, software vulnerabilities, and cloud misconfiguration. Vendors can be a point of significant vulnerability for their customers because of their access to sensitive data. At Ridgeline, we believe you’re only as secure as your least secure vendor and it’s critical to not only understand but challenge your vendors around their security capability.
The time to think about security isn’t during or in the aftermath of a security breach; it’s important to get ahead of the risks so you can weather them with confidence. Bad actors will continue to exploit the industry’s reliance on third-party software partners. An attack on a vendor who has access to your data becomes, unfortunately, an attack on you and your clients. But if you’ve done the proper diligence up front to ensure partners are abiding by stringent security protocols on a continuous basis, you reduce the operational risk of being impacted by an outage or breakdown anywhere in your vendor network.
3. Higher Client Expectations
What clients are looking for in an asset manager is evolving. Investors expect an increasingly high level of service, accessibility, and transparency. They also need to know that your firm has impeccably high standards when it comes to their data and assets. As they look for the right partner to protect their financial future, they want to know that you’ll be there for the long-term and have the best systems in place to collectively meet their needs. In the due diligence process, it’s more and more common to be asked directly whether your vendors have been independently audited against industry standards, such as SOC 2 Type 2, which is a comprehensive framework for data security, availability, and confidentiality. Being able to say yes can be competitively differentiating for your firm and builds trust with clients.
Additionally, by using top-notch vendors who are taking security concerns off your plate, your team will be unburdened from that day-to-day worry. That frees them up to spend more time cultivating healthy investor relationships and driving meaningful value for your firm.
4. Reputation Risk
Investment management is an industry largely based on trust, and a firm must be perceived as a worthy steward of its clients’ money. If you’re not secure, nothing else matters.
In today’s world, security threats may be difficult to avoid, but there’s plenty you can do to prepare and mitigate any impacts to your business and reputation.
On average, it takes 277 days for a breach to be identified and contained.1 That’s nearly 9 months of potential data loss and operational impact – all of which may need to be publicly reported to authorities, regulators, and your investors. A recent hacker ransom incident at a financial data firm caused problems across the global financial ecosystem when it disrupted trading and clearing of exchange-traded derivatives. It led to headlines all over the world, and that company will forever have a stain on its reputation as a result. Any leader can appreciate that this is a situation they want to avoid.
Even if you can’t fully prevent an adverse event at your firm, it’s critical that you have taken proper precautions and have the right partners in place to minimize negative outcomes. So, how do you start?
Ridgeline has put together some basic questions to help assess the health of your firm’s existing security practices and evaluate your vendors’ resiliency in our free Security Assessment Guide. It will give you specific actions you can take to strengthen your security posture and instill the expectation at your firm that security is everyone’s job.
Ridgeline welcomes the opportunity to speak with you about how security can be part of your firm’s growth strategy. You can reach us at firstname.lastname@example.org.
1 “Cost of a Data Breach 2022,” IBM, July 27, 2022.
2 “SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets,” SEC.gov, March 15, 2023.
3 “Check Point Research Reports a 38% Increase in 2022 Global Cyberattacks,” Check Point, January 5, 2023.