How an asset management firm should go about formulating its cyber-policy
Cyber-security is a very broad subject that continues to bedevil the wealth management industry. The recent Cordium conference in London put many questions on the subject to asset managers and family offices, ending in a useful summary of the things a compliance officer should be doing.
The conference was held this week at the offices of Bloomberg in Moorgate. The presenters and panellists were Alex Brown, a partner at the City law firm of Simmons and Simmons; Conor Kiernan, the chief technical officer at Marshall Wace; and James Hogbin, the CEO of a 'build over buy shop' called IP Sentinel. Patrick Shea, the head of Cordium US, was in the chair.
The panel session started with a brief overview of the way US regulators were trying to impose cyber-security on financial firms. Their efforts fell into three categories.
1. Communications and the setting of expectations. The Securities and Exchange Commission's and FINRA's regulations on the subject go back two years. Cyber-security has been on their lists of priorities in most recent years.
2. The SEC's 'national examination programme' has marked the subject out as an area of concern, with the SEC even going so far as to release its document request list (containing the categories of document that it asks for on visits) twice. Such eagerness is not unprecedented but the panel took this to be a sign that the regulator is taking the subject very seriously.
3. The concept of testing and fact-gathering. Shea said: "For the past 24 months the team [of regulators] has been out, looking at 50 brokers and investment advisory firms. That was more of a fact-gathering exercise for cyber-security preparedness and data protection programmes. In the next round, they will be testing and starting to set the scene in terms of feedback. I have heard a story of one firm being tested in the first round."
A matter of regulatory principle
And in the UK? In November 2014 the Financial Conduct Authority (FCA) fined the Royal Bank of Scotland (RBS) £42 million for an IT outage in 2012 that prevented customers from drawing money from their bank accounts. Indeed, 12 million people were locked out of their accounts for days. The Prudential Regulation Authority (PRA) also fined the bank £14 million, bringing the total up to £56 million. The FCA held the bank to be in breach of 'principle for business' three, which dictates very vaguely that each firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. One panellist said: "If you read that RBS decision, there are layers of governance failure and lots of reporting going on, but not much fixing of issues. There's also a focus on black swan events. You can read RBS's failures across into cyber-security. Finally, you can also read across the issue of IT resilience not being given enough prominence." Others were more sceptical - Conor Kiernan said that "the regulator in the UK doesn't take any notice of cyber-security whatsoever."
One panellist announced: "In the last three days, HBOS went offline. It was a denial-of-service attack. Is the FCA going to fine them for some kid in Vietnam taking them out? I can't see it."
Patrick Shea thought that it was unfair to say that the FCA did not have cyber-security on its radar at all: "In the UK, the government is educating private business. It's written the 'Dear CEO' letters, saying 'we're not here to protect you - if you want to protect yourself, you should get your game up.' I'd rather have it [a cyber-security policy] when it's grown from the business and not from the regulator. It grows more organically. If the regulator does it, it becomes a checklist. And there's a lot of co-operation across the Pond. Much is investor-driven."
The discussion moved on to whether asset managers were depending on service-providers for their cyber-security or bringing in experts. One speaker thought that a lot of them were bringing in experts. He said that the Alternative Investment Management Association (which represents the world's hedge fund industry) and the Hedge Fund Standards Board were issuing guidance. On a sombre note, he added: "Inevitably, you're going to get attacked/owned, but the investor wants to know how you're going to win that last war. Some script kiddy's going to come in."
Shea asked the panel to talk about trends in outsourcing or, alternatively, keeping cyber-security in-house. Alex Brown, with a lawyer's eye for the rules, warned: "The first thing I always feel compelled to say is that you can outsource the function but you can't delegate the regulatory responsibility for keeping the data safe and having safe systems. That's always going to remain with you, so you have to keep an appropriate degree of oversight and control of outsourced functions...and the regulations say that. So do the 'Dear CEO' letters. That means 'due diligence' exercises on the vendor supply chain. You also need proper contracts full of stuff about control – and your ability to exit [the relationship with a vendor], which is very important."
Getting your face ripped off
Another panellist painted a picture of the pitfalls that a start-up business in the industry might face: "So you set up a hedge fund. You're a master of the universe, you're going to be massive. The last thing you want is to touch a computer. You get a firm in to do it and then you find that the FCA has an opinion on how you should be doing it. Then you begin to get into dodgy territory. You can't get [what you suddenly realise that you need] from your delivery partner because your contract doesn't allow you to get the data that the regulators want.
"It's very expensive to hire nerds to put stuff on the cloud in-house, so you're into the 'big boy' outsourcing game. That means that you've given it to some faceless footsy in a data centre. If you've been a bad boy the regulators can arrive at your office and take boxloads of the data away. They go in with the police, lock everybody up and take all the boxes. They expect the cloud to work like that. They think you can give them the information straight away and it doesn't work like that. If you had talked to the big cloud providers six months ago and said that you had to do these things, it would not compute. They'd just say 'you can buy our software or not buy it.' So right at the beginning, you can get your face ripped off.
"But now they are thinking wow, there are some big contracts to be had out there. It's not moving far enough, but it is moving."
Conor Kiernan added: "This is where you see the similarity between US regulators and the FCA - outsourcing. You can't disavow that responsibility. What are those contractual provisions you should aim for? We have a big list of what you should be asking for. One of those contractual provisions states that if there's a data breach, the outsourcers are obliged to contact customers. If all ask for it, all boats rise."
Not taking things on trust
The chairman posed the question: "who else besides IT and legal and compliance in the firm is critical to have educated on cyber-security fraud?" Conor Kiernan said that one good way for a firm to educate its people on the subject was to personalise the message and make it relevant to them in their private lives, the better to imbue them with concern for their firm's cyber-security subsequently: "Our education started at a very high level. Something happened to the personal life of a senior person at the firm [that made him sit up and take notice of cyber-security]. We came in and said to the staff 'here's what you need to do at home.' We taught people (in the same style as Credit Suisse, who educated their employees recently) about that and they were fascinated. Then we taught them about phishing emails.
"In your governance structure, don't leave responsibility for cyber-security purely within IT. Use Risk, use Compliance. Meeting regularly with me keeps them honest. Firms make the mistake of ticking boxes. They get lawyers to draw up policies – these are huge documents. They go straight to policy, which is a mistake. You should start by getting boots on the ground."
"Some phisherman on Friday got £1.2 million in a live phishing attack. There's no tool that can stop this stuff. If your employees click on the thing that the phisherman sends them, the battle is lost. There's no IT that you can buy that beats the education. Phishermen play on the fact that humans inherently trust what they see in front of them and trust what they hear. They should be saying to themselves: 'Is this real? Should I question it?' I liken it to the fact that in the airline industry at one time, nobody questioned the pilots, the pilots were therefore making mistakes without being challenged about them and planes were crashing. They fixed it by telling stewards and other staff to ask questions all the time and safety improved. So you should be saying: 'Just because it looks as though this email comes from the CEO, I'm not taking this on trust.'"
Kiernan went on to say that when the compliance officer or person in charge of cyber-security at a financial firm first begins to formulate policy on the subject, he should ask himself: "What are the three things I should look for? Where should I start?" The answer, according to Kiernan, was simple.
"They should probably get some help from some backroom nerd. He'll tell you of the dangers that can get you. There's everything from scams and cons to people installing stuff in web pages that steals your Bitcoins. There are many people you can go to - McAfee, Symantec...they all have experts. Every computer has to be fully patched every time a patch comes out, and no excuses. In a recent survey, few [financial firms] had firewalls in the top five of their [cyber-] priorities, and there were many other things they weren't prioritising, but all had patches."
Another panellist added: "You do have to monitor what people are doing these days, rather than have an open, free, sharey, Googly world."
The audience were then asked to vote on a question: "Over the past 12 months has your firm been subject to a cyber-security incident?" The answer was nearly half-and-half, and caused much amusement: 52.2% said yes, 48.8% said no.
Picking up the theme of having to control people's actions much more than before, a panellist observed: "Almost every [cyber-] breach I've been involved in has had somebody doing something stupid or doing something they shouldn't. If you do only one thing, focus on the people in the organisation. Most things [i.e. problems] were about hosting a porn site, or mining bitcoins, so you as an IT professional are looking for the insider fraudster, but it's actually the person in accounts who clicked on CNN and now his computer is mining bitcoins. They think 'I shan't tell IT, I'll just click on that game.'"
Kiernan added: "We have lots of fake CEO-to-COO spoof emails going around, eliciting responses. Staff often get an email purportedly from the CEO that says 'I'm on the road, could you send this?' You open something on Adobe but you don't have the latest patch, [then the opening process is unsuccessful and] it looks as though it wouldn't load but actually it downloaded a malevolent load. We were one of the victims. We had to bail over our services to Hong Kong. There have been issues with employees where behaviour is not desirable but then when you look at your internal policies you see that there's not enough in there to let you sack them. There should be no grey line to walk. [You should tell staff:] if you're not allowed to do it, don't do it. Here is my advice to a compliance officer who's just starting out.
(i) Educate yourself. There's a lot of free education out there. If you're an AIMA member, good. Ask questions of your internal IT around the questions you've formulated. Have your own story there.
(ii) Ask questions about the governance structure. Who are you reporting to? Governance is the number one thing to cover.
(iii) Look at how other firms are reporting incidents to the Government, to law enforcers and even to each other."
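The "I'm on the road, could you send this?" pattern that Kiernan describes, and the earlier point that a message which merely looks as though it comes from the CEO should not be taken on trust, can be partly backstopped at the mail gateway. The following is an added example, not code from the conference, from Marshall Wace or from any panellist: a small screening pass over raw messages that flags an executive's display name on external mail, a claimed internal domain with no passing SPF or DKIM result, a diverted Reply-To, and attachment types whose safety depends on the client being patched. The firm's domain, the executive names, the sample messages and the assumption that the gateway stamps an Authentication-Results header are all constructed for the example.

```python
"""Screen inbound mail for the executive-impersonation pattern.

Added example: this is not code from the conference or any panellist.
The domain, executive names and sample messages are constructed, and
the Authentication-Results header is assumed to be stamped by the
firm's own mail gateway before the message reaches this check.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the firm's mail domain and the display names
# most likely to be borrowed for a "could you send this?" message.
INTERNAL_DOMAIN = "example-fund.test"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Attachment types that are only safe on a fully patched client.
RISKY_ATTACHMENTS = (".pdf", ".exe", ".js", ".scr", ".zip")


def _norm(name):
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def screen_message(raw):
    """Return a list of (rule, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Rule 1: an executive's display name on mail from outside the firm.
    if _norm(name) in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        findings.append(("exec-display-name-external", f"{name} <{addr}>"))

    # Rule 2: From claims our own domain, but the gateway recorded no
    # passing SPF or DKIM result, so the domain itself may be forged.
    if domain == INTERNAL_DOMAIN:
        auth = msg.get("Authentication-Results", "").lower()
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            findings.append(("internal-domain-unauthenticated", addr))

    # Rule 3: a Reply-To that diverts the answer away from the From address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(("reply-to-mismatch", f"{addr} -> {reply_to}"))

    # Rule 4: attachments of a type that relies on the client being patched.
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_ATTACHMENTS):
            findings.append(("risky-attachment", fname))

    return findings


def rules_triggered(raw):
    """Just the rule names, in the order they fired."""
    return [rule for rule, _ in screen_message(raw)]


# Constructed sample 1: external sender using the CEO's display name,
# a diverted Reply-To and a PDF attachment.
SPOOFED = """\
From: Jane Doe <jane.doe@mail-relay.test>
Reply-To: jane.doe.ceo@freemail.test
To: accounts@example-fund.test
Subject: On the road, could you send this?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Could you process the attached today?

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=

--b1--
"""

# Constructed sample 2: the firm's own domain in From, but the gateway
# recorded an SPF failure.
FORGED_DOMAIN = """\
Authentication-Results: mx.example-fund.test; spf=fail
From: Jane Doe <jane.doe@example-fund.test>
To: accounts@example-fund.test
Subject: Quick favour
Content-Type: text/plain

Can you ring me on this new number?
"""

# Constructed sample 3: genuine internal mail that passed SPF and DKIM.
LEGITIMATE = """\
Authentication-Results: mx.example-fund.test; spf=pass; dkim=pass
From: Jane Doe <jane.doe@example-fund.test>
To: accounts@example-fund.test
Subject: Board pack
Content-Type: text/plain

Nothing attached; see the shared drive.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("forged", FORGED_DOMAIN), ("legit", LEGITIMATE)):
        print(label, screen_message(raw))
```

None of these rules replaces the staff education the panel argued for; a message that passes all four can still be a convincing request from a genuine-looking free-mail address. The value of the check is that the findings can be turned into a visible banner or a hold in the quarantine, which gives the person in accounts the prompt to ask "Is this real?" before acting.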
The RBS fine in more detail
In the 'final notice' in which it fined the RBS banking group, the FCA noted that Technology Services (the centralised group IT function which provides IT services to the banks in the group, namely the Royal Bank of Scotland, National Westminster Bank and Ulster Bank Ltd) backed out a software upgrade that its technicians had installed on Sunday, 17 June 2012. (To 'back out' an upgrade is to uninstall the current version of the software and go back to a previous version of it.) The underlying cause of the IT incident was the failure of the RBS stable of banks to operate adequate systems and controls to identify and manage their exposure to IT risks. In particular, they failed in the following ways.
Firstly, Technology Services did not take reasonable steps to ensure that changes to the Banks’ IT systems were carried out in a carefully planned and consistent manner. It did not manage and plan those changes adequately because it did not devise and implement adequate processes for identifying, analysing and resolving IT incidents or even policies for testing software.
Secondly, the three lines of defence (a nebulous concept that the FCA is very keen on, entailing the division of firms' compliance efforts between the business itself as the first line, risk management as the second and internal audit as the third, all defending the business against an unnamed danger - presumably an FCA fine) did not carry out their responsibilities adequately.
(a) Technology Services Risk (the risk function within Technology Services), the so-called first line of defence, was responsible for identifying and managing IT risks. It did not carry out its duties adequately because it had a culture of reacting to events and a team with insufficient experience and skills.
(b) Business Services Risk, the second line of defence, was responsible for reviewing Technology Services' view of risks and identifying gaps in the Group's view of risk. It did not carry out these duties adequately because it had limited IT skills and it did not sufficiently challenge Technology Services Risk's view of IT risk.
(c) Group Internal Audit, the third line of defence, was responsible for providing independent assurance on the design and operation of risk management and internal control processes. There were weaknesses in the communications between Group Internal Audit and the first and second lines of defence. One group board minute stated: "Rather than focusing on backward looking events, consideration should be given to broader risk issues and potential 'black swan' events."