Cybersecurity is a differentiator for asset management

Strong controls can lead to insurance cost reductions

In the asset management industry, cybersecurity is a way for funds and managers to differentiate themselves from their competitors when attracting investors while protecting themselves from a cyber breach.

It’s often difficult for investors to discern between opportunities, whether they’re planning to work with hedge funds, registered investment advisers, private equity funds or asset management companies. They’re all typically managed by professionals with sterling credentials who were educated at the most prominent universities and have outstanding track records.

 “But if you ask a question about risk and cyber and someone says, ‘Here’s how I increased my controls over the last two years and five years, here’s the insurance policy we have with a well-known insurance company, and here’s how we do our testing and the documentation around the testing’…I think that is definitely going to be a differentiator,” said Michael Patanella, National Managing Partner, Asset Management, for Grant Thornton LLP.

Nonetheless, this is a difficult time for managers and funds in the asset management industry to take a leading role in cybersecurity. Cyber insurance premiums are rising and the demand for new controls is increasing at the same time that the industry is taking a large revenue hit.

The economic downturn is hitting the industry hard, with market losses in the neighborhood of 20% expected for the 2022 calendar year. In this environment, asset management firms are squeezed on costs in everything they do, including cybersecurity initiatives.

One path that asset management companies are reviewing now is to allocate cybersecurity expenses to the funds, if possible. Asset managers should review with counsel the funds’ limited partnership agreements to see if cybersecurity costs are permitted to be allocated directly to the funds.

If allocation is not permitted, the cybersecurity costs will be a direct cost to the asset management company.

“The firms are trying to balance the risk with the cost,” Patanella said. “This is a theme throughout all of the subsectors — asset management, private equity funds, registered investment firms and hedge funds — all in a very challenging investment market with most funds down double digits for the year.”

The advantage of mature controls

Cyber insurance pricing is skyrocketing, with increases of 27% in Q2 of this year, 28% in Q1 of 2022 and 34% in Q4 of 2021, according to The Council of Insurance Agents & Brokers.

Mathew Tierney, Grant Thornton’s Global Insurance Practice leader, said that while Grant Thornton doesn’t perform underwriting, what he’s seeing in the market is that the increased volume of cyberattacks and rising ransomware payments are driving higher premiums. The cost to respond to breaches also is increasing as forensic and legal services are necessary, and the IT replacement cost in the event of a breach also has risen. This is manifesting itself in higher premiums.

“An organization’s lack of security hygiene and incident response plans have a significant impact on premiums,” Tierney said. “The lack of an initial defense plan opens the door to unlimited exposure. The lack of a thorough business interruption plan could be the difference in not obtaining coverage and also mean a significant driver to increased premiums.”

But at a time when asset management funds and managers are eager to cut costs, there are opportunities to do so related to cybersecurity. Reduced cyber insurance premiums may be available from carriers for clients who put certain cybersecurity controls into place.

Without some of these controls, it may be impossible even to find a carrier to provide coverage. Controls that may reduce premium rates include:

• Multifactor authentication (MFA). 
• Endpoint detection and response (EDR) along with managed security services. 
• Incident response plan (IRP). 
• Secure backups. 
• Endpoint protection. 
• Privilege access management (PAM). 
• Local administrator rights management. 
• Email security. 
• Penetration testing. 
• Remote access management. 
• Employee training and anti-phishing campaigns.

“If you have mature security controls in place, you could probably see a potential 20% premium reduction from where you are,” said John Pearce, Principal, Cyber Risk Advisory Services for Grant Thornton. “If you look more challenged and have some basic controls in place, but maybe not fully enabled and operationalized, you can see premiums jump upwards of 50%. If you don't have the basic controls in place, you're potentially uninsurable by a market-leading carrier.”

While the larger asset management companies are likely to already have fairly robust controls in place, investing in stronger controls may be an opportunity for smaller asset managers and private equity portfolio companies to generate savings on insurance coverage.

Meanwhile, cybersecurity and cyberinsurance should be critical considerations during M&A transactions, Tierney said.

“Asset management and PE firms should perform a detailed review of the prospective investment’s cyber controls during due diligence,” Tierney said. “This includes a control evaluation for gaps, client/vendor contract review, applicable regulatory compliance, and a review of program loss history.”

Insurance carriers won’t issue a premium quote without evaluating all the elements of cyber defense in a transaction, Tierney said. He said M&A transactions may require a combination of due diligence; representations and warranty insurance; and cyberinsurance.

“However, cyber policies will have a ‘change in control’ provision so the target company’s coverage will not transfer to the acquiring party,” Tierney said. “The acquiring party’s existing coverage will have ‘change in operations’ provisions that require notice of the transaction to the carrier. The carrier will likely ask for details of the target company exposure and may assess for an increase in premium as a result.”

The board’s role

Working with cyberinsurance carriers is a management duty, but a board’s fiduciary responsibility requires a level of oversight in this area. Boards have increasingly become involved in risk oversight over the past several years, and cyberattacks represent arguably the most pervasive type of enterprise risk companies face in the current environment. The board’s ability to ask probing questions about cyber insurance is essential.

“They should be asking, ‘What is the nature of our insurance coverage for a cyberincident?’ ” said Johnny Lee, a Principal and National Practice Leader of the Forensic Technology Practice at Grant Thornton. “ ‘What would not be covered? How does coverage apply to key vendors that may be integrated into our environment?’ ”

For items that aren’t contractually protected, Lee suggests that boards ask more probing questions, including:

• What is being done to mitigate such risks? 
• Does the organization have an incident response program, and is that program exercised regularly? 
• Has the firm or fund invested in EDR technology? 
• Are key specialists (such as outside counsel and forensic specialists) under contract in advance of a cyberincident? 
• Does the organization have an established IT asset management function? 
• Is it clear to the board where the “crown jewels” are housed within the organization, and how they are to be protected in a potential system compromise?

Regulation on the horizon

While cyber attackers modify their methods, firms strengthen their controls and insurers provide a backstop, regulators are continuing to play their part in the cybersecurity landscape. New rules are on the horizon for registered investment advisers and funds as a result of regulations proposed in February by the SEC.

The final rules haven’t been issued yet, so it’s impossible to predict which of the SEC’s proposals will become requirements. But key elements of the proposal, if approved, would:

• Require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. 
• Require advisers to report significant cybersecurity incidents to the SEC within 48 hours after breach discovery. 
• Enhance adviser and fund disclosures related to cybersecurity risks and incidents. 
• Require advisers and funds to maintain and retain certain cybersecurity-related records.

Some of these proposed requirements address actions that advisers and funds already should be undertaking. For instance, after years of growing cybersecurity threats and risks it should be a given that advisers and funds have written policies related to cyber risks. It’s also imperative to conduct response practice sessions with all the important personnel to maximize resilience in the event a breach should occur.

But the proposed requirements enhancing transparency will represent a significant change for registered investment advisers because the success of the sector is based on an element of secrecy. Are you buying Apple shares? Selling Tesla shares? Keeping this information confidential can be a key to a competitive advantage. So although the breach reports to the SEC will be confidential, the transparency of reporting to the SEC and enhancing disclosures related to cybersecurity risks and incidents  may require an evolution for some managers and funds.

Being proactive is essential

Despite the uncertainty over what the SEC’s ultimate requirements will be, Patanella suggests that moving proactively on the proposed requirements can help managers and funds protect themselves and comply more easily when the final rules are issued.

“These are some very specific things you can do today to protect yourself and get ahead of the regulation curve,” he said.

In particular, Patanella said, Grant Thornton clients are working diligently to test their cybersecurity controls, and some of them are getting assistance from third-party experts. Some clients are contracting to have penetration testing performed on their systems and even their workplaces.

Penetration testing can include attempts to hack into systems virtually and to physically access offices that are supposed to be secure. Testers may even sit outside an office building and surreptitiously photograph employees’ laptops as they leave the building. A photo of a laptop might provide a hacker with clues about the processors and systems a company uses, which can help them gain access.

“Having individuals or third parties manage some of this risk is going to be important,” Patanella said. “The SEC proposals are going to ask what your plan is and how you are going to test your controls.”

Creating an advantage

In lean times, getting the funding for these essential cybersecurity elements — stronger controls, testing of those controls and cyber insurance — won’t necessarily be easy.

But the benefits to the asset management firms and funds that do spend on these items may very well be a competitive advantage. And when the economic conditions turn more favorable, the investors and clients that may be won through trust in cybersecurity can deliver strong results long into the future.