
Smaller fund managers are easier cybersecurity targets

Jul 07, 2020

There was a time when cyber-attacks were perpetrated by individuals who wanted to show their technical expertise and prowess, a virtual game of capture the flag. Those were the good old days.

Today, cyber-attacks are perpetrated by individuals or groups that operate like well-managed businesses, because cybercrime is not an act of rebellion or vandalism … it IS a business. And like any other business, cybercriminals look for the best return on their investments.

Larger businesses present the biggest targets and the biggest payouts, whether in the form of personal, financial or health information or sensitive business information. For example, 2017’s Equifax data breach exposed Social Security numbers, birthdates and addresses for over 140 million consumers in the U.S.

However, larger businesses also tend to have more mature cybersecurity policies, procedures and controls in place, generally making a successful cyber-attack more difficult. This is where fund managers and administrators come in.

Many investment fund managers are relatively small in terms of their physical presence and staff, with many having five or fewer employees, or being a single-person operation. However, these firms and individuals manage personal and financial information for a large number of people and, as small businesses, they may not have the resources or expertise to adequately protect that information. Worse yet, many may not know or understand what their cybersecurity risks are in the first place.

Smaller target, meet cybercriminal.

In 2015, the SEC developed its Cybersecurity Examination Initiative, which the National Futures Association (NFA) adopted as its own in 2016.

This cybersecurity framework is divided into six areas:

1. Cybersecurity governance and risk assessments

Identifying and assessing your risks should be the first step in developing internal policies and procedures that help you monitor and control cyber risks. These policies and procedures are also an essential part of employee onboarding and ongoing training.

Having the right policies and procedures in place will help you assess cyber risks and establish governance. Developing your enterprise risk management system is central to your ability to facilitate timely identification, measurement, monitoring and control of risks.

2. Access rights and controls

A process should be in place to assign and document the level of access to customer records and systems for each employee, based on their job requirements. It is equally important to have a process to revoke access when the employee leaves.

3. Data loss prevention

Classifying your data (e.g., confidential, sensitive, business critical) helps you understand what controls should be in place to restrict and monitor access, and to prevent the data from being accidentally or intentionally shared with unauthorized individuals.

4. Vendor management

Knowing what to look for in service contracts, what documentation to review, and what questions to ask prospective vendors is essential to identifying potential risks originating from your vendor and their services, and ensuring these are adequately addressed and mitigated before any contracts or agreements are signed.

5. Cybersecurity incident response

It is important to develop a plan for handling cybersecurity incidents, taking into consideration what information could be affected, what business continuity plans are in place, how quickly you could get assistance from a cyber forensic firm, cyber insurance coverage levels, and even requirements from your insurance provider, such as which cyber forensic firms you are authorized to engage.

6. Cybersecurity awareness & training

Most people may be aware of phishing emails and the importance of thinking before clicking on a suspicious link or attachment. However, in many cases, procedures for addressing other social engineering attack methods such as pretext calling and physical penetration are ineffective or nonexistent. Identifiers like date of birth and mother’s maiden name are widely used to identify customers over the phone, even though this information can be found on the internet for free in a few minutes.

If you are well-versed in the areas above and have implemented the necessary policies, procedures and controls, when was the last time you tested them to ensure they are adequate and effectively protect your firm and your customers?

General IT controls audits address cybersecurity governance, risk assessments, policies, procedures and more.

Cybersecurity training and even some testing can be performed online, and these services are generally very affordable. Social engineering testing, a big part of cybersecurity awareness, takes very little time upfront for planning and adds little to no time to your staff’s workload.

The first step can be a high-level discussion of your needs, concerns and resources. Whether or not we are able to help you with one of our many cybersecurity services and resources, we can at least get you started on making your firm and your assets a target that is harder to hit.

In the meantime, we encourage you to review and share the cybersecurity best practices below, which apply to everyone, whether at work or at home.

  • Protect information that is shared electronically with email encryption and secure file exchange.
  • In addition to protecting sensitive information on your computers, consider hard disk encryption for laptops, and mobile device management for smartphones and tablets, including segregation of work and personal email (sandboxing) on these devices.
  • Understand the cybersecurity practices of your service providers.
  • Use strong passwords that include at least 10 characters and use lower and uppercase letters, numbers and special characters. Passphrases can help you remember longer, more complex passwords. The trick is not to use words or phrases that are commonly used. For example, “R0s3$@r3Gr@y1mC0l0r8l1nd” is a strong password.
  • Passwords should be different for all accounts so that if one of your accounts is compromised, the others are not.
  • Use multi-factor authentication for all your accounts, including social media. Not only does this protect your accounts, it alerts you when someone else is trying to access them.
  • Always lock your computer when you step away from it – even while you are working from home.
  • Do not open emails that are not from trusted sources. Double check the sender since fraudsters may mimic email addresses.
  • Do not click on hyperlinks if you are unsure about the validity of the email, especially when it comes to LinkedIn and other social media requests. Log into the website in question directly to accept invites and respond to messages.


Pedro J. Pinto