Cyber security: Who are the threat actors and what are their targets?

Guidance on how investment managers can approach cyber threats

Read the interview and learn about:

  • The threat actors and their targets
  • How the cloud can protect against cyber threats
  • Building resiliency against the dynamic nature of cyber-attacks
  • Developing an industry security ecosystem and cyber threat intelligence
  • Protecting your digital assets and their data

Sailesh Rajendran
Security Architect, Director, SimCorp

The financial sector has featured as one of the top 5 industries attacked by various cyber threat actors for a number of years. While security is taken very seriously by most organizations, a few still view this as another compliance task. Cloud transformation could provide a path to resiliency against the dynamic nature of cyber-attacks. This article gives some guidance as to how investment managers can approach strategic cyber threats.

Cyber security incidents are increasing at an alarming rate and impacting the investment management industry. Cyber security has moved from being a technology problem to being a board-level and senior-management concern. The threat landscape is becoming more and more sophisticated: it is no longer the activity of spotty teenagers, but complex, well-funded organized cybercrime. It will be key to develop a security ecosystem within the investment management community, as any downstream supply chain would affect the security posture.

Who are the threat actors and what are their targets?

Based on reports collected from multiple organizations that specialize in data breach investigations and cyber incident management and response, the primary threat actors can be split into cybercriminals, hacktivists, and advanced persistent threat (APT) groups. Cybercriminals seek financial account data or other valuable data that they can monetize and use for further fraudulent transfers. Hacktivists look to gain publicity by causing disruption to activities. The most complex threat actors are the APT groups, who use a range of tools and tactics and take direction from nation states to steal information or conduct attacks to pursue their targeted objectives.

Protecting digital assets depending on importance and location

Organizations’ digital footprint is expanding faster than ever before, and shadow IT is becoming a growing concern. An option is to make use of tools like ‘digital asset management’, which gives organizations the ability to identify digital assets that need to be protected and shielded against cyber threat actors. A paradigm shift is happening towards a risk-based security model where security controls are applied based on the criticality of the digital asset’s data. Most organizations already use business-critical software-as-a-service cloud applications like CRM and HR management systems where the data resides outside the organization’s perimeter. So, focus should be on data-centric security controls rather than perimeter-based security controls.

"From a security perspective, investment managers are concerned about the confidentiality, integrity, and the availability of business-critical data and information."
Sailesh Rajendran, Security Architect, Director, SimCorp

With the wider adoption of hybrid cloud services, they are facing further challenges. Authentication and access of key information from corporate-approved locations should be considered carefully to help mitigate threats like changed destinations for money transfers and market manipulation.

Services like ‘single sign-on’ make it easy for the user to traverse multiple applications without having to re-authenticate, but they also enable external intruders to travel further once they have infiltrated the corporate infrastructure and gained access. There are few practical defenses against that, so the focus should be on minimizing the impact, primarily through application of the principle of least privilege.

Quantum computing

Quantum computing is fast nearing practical reality. The security threat here is that once nation state hackers have the technology available, they will be able to decrypt widely used encryption like SSL and thus turn a large part of the internet toxic. Luckily, there are already quantum-safe encryption tools available today. There is no need to rush out today to get this, but this is an area to prepare for. It should also be noted that any encrypted data exchanged today could be siphoned off and stored for later decryption, thus spilling today’s secrets tomorrow – which may or may not matter in specific cases.

Regulatory demands

There is a growing regulatory demand on investment managers to provide assurances that the critical infrastructure supporting financial transactions has all the necessary security controls in place. This would often require additional investment; however, firms could consider cloud transformation, which already supports all the security controls required to comply with regulatory needs.

Industry threat intelligence and cyber-event reporting

Investment management organizations should look to build cyber threat intelligence within the industry, which organizes, analyses, and refines information about potential or current attacks that threaten the financial sector. The primary purpose of threat intelligence is to help firms understand the risks of the most common and severe threat actors, such as the ones pointed to above. Cyber-threat intelligence sharing may not always be an explicit regulatory requirement, but regulators strongly encourage all investment management firms to participate.

In addition, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) has established a Customer Security Programme (CSP), which requires that participating investment management firms share all relevant information as soon as possible if they have been targeted or breached.

Cyber-event reporting is another common regulatory practice. Depending on jurisdictions, there may be specific requirements for the regulatory reporting of cyber-events, subject to materiality or events posing risks to the critical systems.

The knowledge derived from cyber-event reporting and from threat intelligence, which is used to anticipate and respond to sophisticated cyber-attacks, is needed to understand attacker motivations, intentions, characteristics, and methods. This understanding can help plan risk mitigation, bolster incident response efforts, and enhance overall security.

Building resilience toward growing attacks

Statistics from financial regulators over the last 12 months state that the UK National Cyber Security Centre recorded over 1,100 reported attacks in this period. 590 of these incidents were regarded as significant, with 30 attacks requiring action by government bodies – some of these hitting the financial sector.

It is key to understand that we do not operate in a zero-failure environment and cyber-attacks will actively adapt to penetrate through the protective defense layer. Cyber resiliency becomes key, and it is vital to build effective cyber resilience capability, implement effective accountability, and be prepared and able to enter recovery at any time.

Cloud transformation as an enabler of cyber resilience

Cloud computing has been one of the key innovations that is changing the landscape of technology and driving transformation across the investment management industry. Lower cost of ownership, improved business agility, innovation, and enhanced client experience are some of the reasons why the cloud has attracted many organizations.

Security is a critical design component at the start of a firm’s cloud transformation, so that when new systems and environments are on-boarded, security controls are already in place. Digital transformation, which is another key trend among investment managers along with cloud transformation, has also provided an opportunity for security teams to collaborate across functions, enabling a coherent and optimized cyber security setup.

In the past, organizations often hesitated to implement cloud computing due to security concerns. However, the reverse situation is now true, and more companies are embracing cloud solutions for security reasons. They are adopting them because they see the cloud as safe, secure, and a way to enhance their cyber-resilience. Cloud security has secure-by-design built in as a core principle for the digital transformation. Securing the cloud services secures the digital services that are onboarded. So, if you are looking to onboard cloud services, your vendor must provide the required security assurances before you embark on your journey to the cloud.

Tackling cyber security and embracing the cloud go hand in hand

For investment managers, tackling cyber security and embracing the cloud go hand in hand. Cloud transformation provides an effective way of complying with the growing regulatory needs as well as pragmatically dealing with the sophisticated threat landscape. Working together as a security community within the investment industry and sharing knowledge about the current threat landscape will take the investment management industry a long way toward responding to security incidents in a timely manner.

About the author

Sailesh Rajendran
Security Architect, Director, SimCorp

Sailesh is an experienced senior security professional, with experience across a multitude of sectors. He holds a number of industry-recognized security certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA) and Certified Ethical Hacking (CEH).