ebook img

Varlık yönetiminde siber mukavemet yaratmak PDF

32 Pages·2017·1 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Varlık yönetiminde siber mukavemet yaratmak

B U I L D I N G C Y B E R R E S I L I E N C E I N A S S E T M A N A G E M E N T MAY 2 0 1 8 2 Building Cyber Resilience in Asset Management 3 CONTENTS FOREWORD .......................................................................................................................................................1 EXECUTIVE SUMMARY ...............................................................................................................................2 1: CYBER SECURITY THREAT LANDSCAPE .................................................................................3 2: BUILDING A CYBER RESILIENT BUSINESS ...............................................................................9 3: COLLABORATIVE ACTION .............................................................................................................15 4: FUTURE TECHNOLOGY DISRUPTORS...................................................................................19 BUILDING CYBER RESILIENCE: ACTION PLAN .....................................................................25 REFERENCES ....................................................................................................................................................26 1 Building Cyber Resilience in Asset Management FOREWORD Cyber crime is a growing global industry Firstly, as we have seen, cyber attacks are real and now estimated to make criminals over $400 are happening to a growing number of businesses billion a year1. Cyber attackers are becoming regardless of their industry. The asset management more determined and more skilled sector’s cousins in banking and insurance can vouch for this, and are generally far ahead in confguring than ever. Highly professional and highly their defences, in part because of the greater motivated, they are continually developing threat they have faced to date. However, asset new techniques and seeking new targets to management frms are not immune to a cyber- attack. With just 39% of asset management attack and are likely to be an increasing target given CEOs consulted in KPMG’s 2017 CEO the signifcant value of assets under management. survey saying they are fully prepared for a cyber event2, now is the time for the Secondly, regulators and authorities are increasing industry to act decisively to protect their their focus on cyber security as an issue and clients’ data and their own reputations. looking for assurances that businesses are taking the necessary steps to prevent breaches. Technology is transforming the asset management The UK government strongly supports the industry at a speed and scale never seen before. Investment Association’s development of an The global regulatory environment for cyber Asset Management Cyber Security Strategy3. security and privacy is becoming more complex It called on stakeholders to “participate in this and fragmented. This combined with the regular work and engage with industry to provide a new cases of high profle breaches being reported in level of protection for asset management and the media, creates an issue that requires attention FinTech frms.” in the Board room. A 2017 review of cyber security commissioned The Investment Association and KPMG have by the US Securities and Exchange Commission jointly written this paper to provide an overview found that asset management frms had generally of the key cyber security risks facing the industry, improved their cyber security standing. The review offer guidance on the steps organisations can found that while most frms had now implemented take to protect their business from cyber-attack, cyber security policies, many did not enforce share thoughts on the power of an industry wide them properly4. response and present cyber security risks around future disruptive technologies. Now is the time for asset managers, as individual frms and as a community, to get serious about There are two key drivers behind publishing cyber security. This paper should help you consider this paper: cyber security risks and the practical steps you can take to protect your business. After all, your customers are putting their trust in you to safeguard their investments and their data. Building Cyber Resilience in Asset Management 2 EXECUTIVE SUMMARY The key messages in this report are: Cyber Security Threat Landscape: Collaborative Action: the sector cyber-attacks are most likely to come needs to work more collaboratively from organised crime groups or from as a community and beneft from the a malicious insider. Malicious data disclosure, economies of scale and pooling of CEO fraud / business email compromise and expertise across the industry. By sharing threat ransomware are particular threats. Risks can intelligence, collaborating to create solutions and materialise across the entire value chain of an asset working together on response and recovery best manager, with particular risks around the theft of practices, we can help everyone improve. client data as well as payment fraud. There are Future Technology Disruptors: also risks to client data processed by third party the speed at which technology is administrators and custodian banks, while the use transforming the asset management of cloud service providers needs to be carefully industry adds an interesting new dimension to the managed. Criminals are becoming more creative in cyber security risk landscape. Digital channels, the how they attack systems including using increasingly cloud, artifcial intelligence and robotics, blockchain automated methods to attack large numbers of – the industry is becoming increasingly dependent organisations using customised malware. on technology at the core of its business. This Building a Cyber Resilient Business: creates fantastic ways for asset managers to there are key actions which help build differentiate their business, grow revenues and an effective cyber security capability. increase profts but also creates opportunities for The Board must be fully engaged and have an cyber criminals. The potential cyber security risks understanding of cyber security issues, and establish need to be understood, managed and mitigated – clear accountability for action. It is vital to map in some cases this will require new and innovative the cyber security risks facing the business, check approaches to security controls. whether the current cyber security capabilities deal with those risks and agree the organisation’s cyber security risk appetite and tolerance levels. There should be the technical ability and processes to detect, respond and recover from incidents; and cyber security risks should be managed effectively across the supply chain. But most importantly of all, employees should be educated around cyber security risks and good behaviours. 3 Building Cyber Resilience in Asset Management 1: CYBER SECURITY THREAT LANDSCAPE The frst section in this paper highlights the BUSINESS DRIVERS broad and growing array of cyber security There are a number of compelling business drivers risks confronting the asset management for proactively understanding and managing cyber industry and the business drivers for security risks. managing these effectively. Cyber security is, perhaps more than anything else, We have produced a cyber security risk radar an issue of brand and reputation. Organisations showing the current threats, identifed the ways that have secure systems and manage customer in which these threats could potentially impact data effectively will uphold their perception in the the asset management value chain and highlighted market as trusted players. By contrast, organisations examples of cyber security incidents that have that have fallen foul of a cyber-attack have often occurred. The section concludes with a view on the suffered signifcant reputational damage. This is future direction of cyber threats. especially the case for businesses that have not managed the fall-out well. Poor handling of communications can further damage customer confdence that has already been dented by the breach occurring in the frst place. Cyber security incidents can also disrupt business operations for a signifcant period of time beyond the initial incident itself. We only need to look at the WannaCry ransomware episode where some businesses were offine for days and weeks afterwards5. Building Cyber Resilience in Asset Management 4 This causes further frustration, anger and loss of Moreover, the penalties from regulators for falling customer confdence, which can be hard to win short are only set to rise. The General Data back. Organisations have to be able to show that Protection Regulation (GDPR), for example, could they have sustainable operations. see fnes of up to 4% of global turnover for lax 6 privacy protection . Looking at other sectors such as banking, some organisations have taken a proactive approach to Organisations that have suffered cyber security increase customer confdence and engagement, breaches may face signifcant fnes from authorities, such as by offering or promoting awareness of compounded by a hit to their share price. anti-virus software products. This extension into Compliance with standards is a licence to do end-consumer territory enhances their own business, not a choice. This can be challenging, standing as cyber aware organisations and shifts especially in the heavily regulated fnancial services their cyber security strategy from brand protecting sector – but the best organisations will rise to to brand enhancing. that challenge. In today’s digital and interconnected world, Quite simply, managing cyber security effectively businesses rely on each other across partnerships can turn a threat into an operational and strategic and supply chains. It is essential that everyone in strength and drive a competitive advantage. the chain can rely on each other and there is a vested interest for all parties to be safe and secure. 5 Building Cyber Resilience in Asset Management CYBER SECURITY RISK RADAR Based on KPMG’s experience and analysis of publicly available incidents we have produced a cyber security risk radar. Figure 1 shows the cyber security risks posed from fve threat actors to the asset management industry. The main cyber security risks originate from attacks by organised criminals or from people within an organisation (e.g. employees, contractors or third parties). Very high operational impact could materialise from a malicious data disclosure, with other high profle impacts coming from CEO fraud / business email compromise and ransomware. Figure 1: Cyber security risk radar Operational Risk Impact LOW Website compromise for cryptocurrency mining MEDIUM Accidental Fake website data loss Intellectual property theft Data manipulation Targeted attacks on HIGH Distributed Denial payment systems of Service attacks Client Ransomware Sabotage data theft Social engineering VERY HIGH CEO Fraud & Business Email Compromise Malicious data disclosure Distributed Denial of Service Malware attacks distribution to clients Social media attack & hijacking Client data theft Website Intellectual defacement property theft Trading strategy theft Social media impersonation Client data theft Intellectual property theft m p Source KPMG International Probability key Very likely Possible Likely Remote C o e di s n I r N t s n o i t a e t a s t H a c k t i v i O e s i n a g r m i r c d e o r e t i t Building Cyber Resilience in Asset Management 6 CYBER SECURITY THREATS TO THE ASSET MANAGEMENT SECTOR This section presents a view on how cyber security threats could potentially impact the asset management value chain. Figure 2 below presents an end-to-end example of an asset management frm’s value chain, with the key cyber security threats overlaid. Figure 2: Cyber security risks to the asset management value chain Distribution Front Offce Middle Offce Back Offce Channels 5 7 1 2 3 Investment strategies Digital client apps Regulatory reporting Human resources & research 5 7 3 6 3 Trading applications Payments and Finance systems & algorithms settlements 1 2 7 4 Customer relationship Marketing and Risk models management for sales social media 1 5 7 Robo-advisers 1 2 8 Portfolio management 1 3 5 1 Third party administrator Retail fund platforms 1 2 3 Custodian bank 1 2 5 7 Cloud 4 5 8 Website and applications 5 Market data 2 3 Data transmission & protocols (e.g. SWIFT / FIX) 5 Financial market infrastructure & exchanges Key 1 C lient data theft 3 P ayment fraud 5 D DoS attack 7 I P theft 2 D ata loss 4 W ebsite or social media attack 6 C EO fraud 8 R ansomware Source KPMG International Some of the key observations from Figure 2 are: • Cyber security risks can materialise across • There is an increased use of, and dependency the entire value chain and in particular there on, infrastructure and market utilities. In are risks around the theft of client data and particular, there are multiple cyber security intellectual property as well as payment fraud. risks associated with the use of cloud service providers to support across the entire value • Given the signifcant use of third parties and chain that should be managed. the complex web of providers, there are risks to client data as this is processed by third party administrators and custodian banks. Infrastructure and Third In-house market utilities parties 7 Building Cyber Resilience in Asset Management EXAMPLES OF CYBER SECURITY INCIDENTS Figure 3 depicts a selection of publicly reported cyber security incidents based on KPMG’s research of online sources. It shows incidents suffered by asset management frms or other closely related industries, and highlights that the overwhelming majority of incidents suffered have involved client data theft or data loss more generally. Figure 3: Cyber security incidents in the asset management and related industries 1 11 2 8 12 10 3 4 9 15 5 13 6 14 7 Source KPMG International A summary of the medium to high severity incidents is provided below: (1) O nline Brokerage: hackers accessed 4.6 million (11) I nvestment Managers: criminals copied names, clients’ personal information including their logos, addresses and created look-alike websites of contact details multiple high-profle asset management frms. 95 dubious website appeared on the Financial Conduct (2) Global Bank – Wealth Management Division: forced Authority’s warning page for clones in the frst nine to pay $1 million fne after an employee stole data months of 2017 about approximately 730,000 customer accounts (12) O nline Brokers: a hacker broke into at least four (8) W ealth Manager: details about thousands of the different brokerage frms to make fraudulent trades frm’s clients were leaked, not stolen, to investigative aimed at manipulating share prices so they could journalists resulting in high-profle news stories beneft from this. The attack caused $1 million in losses for the victims (10) I nvestment Firm: an employee sent $495,000 to a bank account in Hong Kong after being tricked by a spear-phishing email claiming to be from a company executive See Figure 3 references in the appendix Incident Severity Minimal Low Medium High Client data theft Data loss Payment fraud Website attack DDoS attack CEO fraud IP theft Ransomware

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.