Why Wealth Managers Face Cloud Security Challenge

Cloud security has progressed considerably - which is just as well given how this model has become so dominant. What should wealth managers think about this topic?
Wealth management professionals need no reminding of how
important cybersecurity is. News stories about hacking attacks,
such as those on US energy pipelines, banks and hospitals, appear
all too often. Where there are large
resources held by banks, family offices and investment houses,
for example, there are thieves and attackers waiting to take
advantage.
Addressing concerns about cybersecurity is Bharat Mistry,
technical director (UK), Trend Micro, the
Tokyo-based cybersecurity firm boasting $1.5 billion in revenue
and employing more than 6,500 staff. The editors are pleased to
share these views, and invite responses. Please note that the
usual editorial disclaimers apply to the views of outside
contributors. Email tom.burroughes@wealthbriefing.com
and jackie.bennion@clearviewpublishing.com
Most organisations were hit by a bolt out of the blue when the
pandemic struck in early 2020. But those best prepared were
investors in cloud-centric transformation projects. Many of these
were wealth managers who knew that cloud-native applications and
infrastructure would empower them to become more agile, flexible
and customer centric. The challenge, like that experienced by
their counterparts across the financial services industry and
beyond, was that the cloud can also expose organisations to
increased cyber-risk. A recent Trend Micro study of IT
decision-makers, including those in the financial sector, found a
concerning disconnect between their apparent confidence in
current approaches to security and the operational reality.
Those concerns are even higher in the context of ever-closer
regulatory scrutiny. Reporting of data breach incidents may have
fallen in the sector between 2019 and 2020, but that was likely to
have been more a reflection of improved understanding of
legislative small print by corporate lawyers. As the GDPR enters
its third year, there is more cyber-risk out there than ever.

Digital growth means digital risk

Global financial services organisations, including wealth
managers, have been enthusiastic adopters of digital technology
during the pandemic. The vast majority told us that the crisis
had considerably (46 per cent) or somewhat (42 per cent)
accelerated their cloud migration plans. Most (86 per cent) feel
completely, or for the most part, comfortable with their adoption
projects.
Yet more digital transformation means more digital risk. That
matters even more when you operate in a sector increasingly in
the crosshairs of threat actors. The asset and wealth
management (AWM) sector is predicted to be worth $145 trillion by
2025. There are already lucrative opportunities for hijacking
accounts and siphoning funds, tricking employees into making big
money transfers (BEC), stealing sensitive information on high net
worth individuals and, of course, deploying ransomware. PwC
claims that several global private equity firms have been
extorted by the latter, while in 2020, BEC attackers managed to
trick Norway’s sovereign wealth fund out of $10
million.
For AWM firms with a large cloud footprint, there are simply more
workloads for bad actors to target, more accounts and services to
potentially misconfigure and more complexity to manage. The
sector may have more money than many others to spend on
cybersecurity, but it is also a popular target. And the fallout
can be greater. Data breach costs in the financial sector are
calculated to be the third highest globally - after energy and
healthcare - amounting to nearly $6 million per incident. For
ransomware it can go many times higher.
Yet most (51 per cent) of those financial organisations which
Trend Micro polled believe that cloud migration has in itself
focused their minds more on cybersecurity. A majority (58 per
cent) also revealed that they have implemented information
security training policies to mitigate any risk of user error
affecting the business. This confidence extends to the security
posture. Most said they feel fully (36 per cent) or mostly (55
per cent) in control of securing the remote working environment,
and a similar number (87 per cent) were confident about securing
the future hybrid workforce. What’s more, over two-thirds feel
certain that they are able to have visibility into data flows as
business-critical information is sent from corporate systems to
remote workers.

On the other hand

All of this seems pretty reassuring on the face of it. But on
closer inspection, there may be more deep-seated challenges for
AWM firms. Despite confidence in their security strategy, nearly
half (48 per cent) of respondents claimed that privacy and
security challenges represent a “very significant” or
“significant” barrier to cloud adoption. Only 10 per cent felt
that there was no such roadblock on digital transformation. They
singled out setting consistent policies, a lack of integration
with on-premises security tech and patching and vulnerability
management as the top three operational security headaches in
this area.
Also of concern is the shared responsibility model, which
defines how far protection from providers (CSPs) extends and what
the customer is responsible for. Almost all (99 per cent) of
those who were polled said that their CSP provides “more than
enough” or “sufficient” data protection. Most (90 per cent) were
also very or somewhat confident in their understanding of the
model itself. Unfortunately, the reality is somewhat different.
Data security is 100 per cent the customer’s
responsibility in IaaS and PaaS environments.
It is easy to see how such confusion could expose AWM
organisations to greater cyber risk. Assuming that your cloud
provider is taking care of data security, or any other area for
that matter, could lead to under-investment by the customer and
critical gaps in protection. On the other hand, it could also
mean that AWM firms are wasting money on security controls that
duplicate what the provider already offers.

Cloud security is changing

Trend Micro was also concerned to see that a greater number of
financial sector IT leaders believe that cloud security adoption
makes life more complicated and expensive for them than for those
who do not use it. Over a quarter (27 per cent) think that it can
also create more silos, when in fact the right tools can bring
IT security and developer teams closer together. Such
misconceptions may be based on bad experiences with
first-generation tools, or simply the result of skills gaps in
responding organisations.
Fortunately, cloud security has advanced considerably in recent
years and there are multi-layered platforms out there today which
promise seamless connectivity into the major CSP platforms. That
means that powerful, streamlined security and compliance with a
high degree of automation will simplify protection whilst
mitigating risk, taking the heat off stretched IT security
teams.
The asset and wealth management firms which are the quickest to
familiarise themselves with this new reality will be those in
pole position for digital-powered innovation and growth as they
exit the pandemic. There is no time to waste.