Cybersecurity threats are only growing, as new technologies such as artificial intelligence are tapped by bad actors, asset managers say.
For the largest money managers, keeping up with existing and emerging cybersecurity threats means approaching those threats comprehensively. But technologies such as artificial intelligence continue to aid bad actors, sources said, and addressing the ever-changing landscape can be a challenge.
“It’s a cat-and-mouse game,” in which there’s constantly new technology to catch up with, said T. William Roberts III, a partner and co-CEO of GW&K Investment Management, which managed $50.7 billion in assets as of Dec. 31.
“It's a challenge that all firms have to address, and it is constantly evolving. And you have to stay on the forefront of these changes.”
According to Roberts, there are three categories of new cybersecurity threats that asset managers face today: social engineering, imposters and zero-day events. And he has seen a “massive uptick” in all of these.
Social engineering is when a bad actor uses certain tactics, often through email, to get an employee to give up his or her credentials or click on something so the actor can gain access to the system, Roberts said.
GW&K uses outside software to prevent these types of emails, but some do get through, so “we do an immense amount of training from the day an employee starts all the way through to the last day as to what to be on the lookout for,” he said.
In general, addressing cybersecurity effectively requires working collaboratively, sources emphasized.
One way in which GW&K does that is through its cybersecurity committee, which Roberts is a member of along with employees from the information technology, legal and compliance, and client services departments.
The committee, which started more than 10 to 15 years ago, meets on a regular basis and covers “all aspects of trying to prevent bad actors and nation-states from doing things that would harm our business,” Roberts said.
Said John Quan, chief technology officer at Aristotle, “it really is a team effort when we think about how to best approach cybersecurity,” which means working on cyber issues across departments and using third-party experts and system providers. Aristotle’s six affiliates had $90 billion in combined assets under management as of March 31.
“We believe that having a comprehensive program is really our best defense,” Quan said, emphasizing things like governance, engineering and understanding the threat landscape. He added that the company believes “cyber is everyone’s responsibility.”
Santhosh Keshavan, executive vice president and chief information officer at Voya Financial, had a similar view.
“Everybody has a role to play in this,” Keshavan said. “It will take a village to stop because all you need is one weak entry point and your security can be compromised.”
Keshavan said the most important thing that Voya does to address cybersecurity threats is employee education and training, which includes conducting simulated attacks. Voya Investment Management had $321.7 billion in assets under management as of Dec. 31.
NEW THREATS
Besides social engineering, GW&K's Roberts highlighted imposters and zero-day events as the next big threats in cyber.
Imposters are “someone [who] buys a domain name that is very similar to your domain name,” like including an extra vowel, and then uses that domain to try to gain money or credentials, Roberts said.
While GW&K uses software to alert them whenever a similar domain name is registered, “the problem is these domain names are usually registered in foreign countries, and they’re very, very difficult to shut down,” Roberts said.
Zero-day events occur when a software company realizes a vulnerability in its system, posts a patch to fix that vulnerability, and “before [they] have time to put that patch on, … somebody in the dark web will reverse-engineer that patch, figure out what the vulnerability is and then go ahead and sell that on the dark web,” Roberts said. The event gets its name from the speed in which a patch is exploited before companies even get the chance to use it.
To try to prevent those events, GW&K is “in tune with every vendor, and as soon as the patch comes out, we are installing it [that] moment,” he said.
Keshavan also acknowledged zero-day events as a major threat and said Voya works to quickly institute patches as well.
Technological vulnerabilities are not new, Keshavan said, “but the intensity of it has increased, and the threat actors are getting very sophisticated, so it’s becoming harder to sort of identify what’s malicious vs. not.”
AI AND CYBERSECURITY
Aristotle’s Quan said he believes the “primary driver” of new cybersecurity threats is generative AI.
“We can be certain that nation-states, organized crime, opportunistic types of adversaries, … they're [all] utilizing generative AI for more tailored, more specific types of phishing attacks,” he said.
Phishing is a type of social engineering in which an attacker pretends to be a trusted source to trick victims into clicking on links, sharing personal information, sending money or a different action that benefits the attacker.
Generative AI allows for the use of voice and video when phishing, in addition to more traditional texting and emailing tactics, Quan said.
Voya’s Keshavan acknowledged that bad actors can use AI in malicious ways, which means that ramping up protection is important. But on the other hand, “AI has given a lot of benefits to customers and employees when it's done right,” Keshavan said, and Voya’s investment management business has been using it for the past 10 years or so.
At Aristotle, “we are taking a measured approach to how we adopt generative AI,” Quan said, including establishing a strong AI policy.
Specifically, Aristotle is focusing on the data sources that AI uses and ensuring that the company has a closed-off environment, as AI has a “publicly available nature” through things like ChatGPT, Quan said.
The company is also training employees how to properly use AI, as well as using AI for its cybersecurity defense, Quan said.
Todd Conklin, chief AI officer and deputy assistant secretary for cybersecurity and critical infrastructure protection at the Treasury Department, has emphasized the importance of AI for cybersecurity defense.
“You really can't have a modern cybersecurity defense posture without leveraging AI,” Conklin said at the Investment Company Institute’s 2024 Leadership Summit on May 22.
But using AI for cybersecurity defense still requires the help of humans, Quan said.
“AI can streamline a lot of stuff [and] can make things much more efficient, but we feel that it's not a replacement for a human,” Quan said, explaining that cyber engineers are still needed to “apply the right context” to each situation.
MANAGING THE RISKS
On March 27, the Treasury Department released a report warning that financial institutions are increasingly vulnerable to cybersecurity attacks fueled by AI.
The department created the report in response to President Biden’s executive order, issued in October, which called on the Treasury secretary to lay out best practices for financial institutions to manage AI-related cybersecurity risks.
According to the report, “financial institutions should expand and strengthen their risk management and cybersecurity practices to account for AI systems’ advanced and novel capabilities, consider greater integration of AI solutions into their cybersecurity practices and enhance collaboration, particularly threat information-sharing.”
Aristotle’s Quan noted that “cybersecurity starts at the top,” as it’s up to board executives to decide how to allocate resources.
“We're fortunate here at Aristotle to have a board that is focused on technology and is focused on protecting the firm and our clients,” he said.
A 2023 survey from Deloitte found that cybersecurity budgets as a share of total revenue in investment management make up less than 1%, only slightly increasing to 0.49% in 2023 from 0.4% in 2021.
In the retirement world, some plan sponsors are now turning to external cybersecurity firms to supplement their own cyber programs, which Quan said seems to be a trend for money managers as well.
“I think firms of all sizes are recognizing that they can't do this alone [and] that they have to leverage this network of third parties that are out there,” he said.