Secure your assets

November 20, 2019

With more money and competition than ever before, asset management firms are increasing their focus on cybersecurity to meet market pressure and consumer demand.

As the asset management industry matures, it is becoming more and more difficult for firms and managers to differentiate themselves, says Chad Astmann, a senior client partner and global co-head of the Asset and Wealth Management practice at Korn Ferry. Recently, for instance, brokerage firms such as Charles Schwab, TD Ameritrade, E-Trade, and Fidelity Investments all announced plans to eliminate the fees they charge clients to execute stock trades.

But with only so much firms can do to differentiate themselves on pricing, and only so much disparity between investment products and advisory services they can offer without confusing customers, asset management leaders are looking for other ways to stand out to attract investors. Increasingly, they are turning to cybersecurity as their calling card.

“Substantial, highly capable cybersecurity operations can certainly differentiate firms and help evolve their business models to meet market pressures and consumer demands,” says Astmann.

Unreliable reporting

One of the biggest issues with assessing the number and scope of cyber breaches is timely reporting by organizations. As the chart below shows, breaches have clearly increased since 2005, though one can safely assume the number of actual incidents is even larger than what’s been reported.

unreliable reporting graphic

According to the World Economic Forum, 82% of the leaders surveyed for its latest Global Risks Report believe cyberattacks leading to financial theft or data fraud will increase this year, citing the “deepening integration of digital technologies into every aspect of life.” To be sure, with trades and portfolio management being executed more and more via mobile devices, every tap on a smartphone increases the chance of a security breach.

The combination of digital advances and changing consumer behavior means asset management firms are dealing with a multitude of outside vendors. The more partners involved, the more vulnerable firms are to breaches, which means they need to do more vetting of vendors and put more protocols in place to oversee them. Korn Ferry’s Stephenson says the complexity of oversight means cybersecurity leaders need to work in unison with previously isolated and disparate functions to mitigate threats. One way to foster collaboration is through the development of “fusion centers” like the one in downtown Manhattan.

“These centers sit a layer above cybersecurity by fusing together siloed functions to create better intelligence gathering, faster response times, and more accountability,” says Stephenson, noting that such centers are growing rapidly throughout the financial services industry. They also serve as a nice “differentiation factor” to show off cybersecurity capabilities to attract or retain clients. The downtown Manhattan center, for instance, not only allows for easier collaboration with internal and external stakeholders across the organization, but also invites clients to tour the facility when in town, showing off the firm’s focus on safety and security.

More importantly, from a talent perspective, bringing together this wider range of experience and skill sets creates diversity in how the same data is viewed. “The more ways to analyze data the better given the sophistication of cyberattacks,” says Stephenson.

Go phish

According to the 2019 Economic Report of the President, despite being the most valuable industry among Fortune 500 companies measured, more than 40% of financial firms lack basic protocols to authenticate whether an email message is legitimate or a spam or phishing attempt.

go phish graphic

The best evidence for how big a concern cybersecurity in banking has become came on April 10, 2019. On that date, roughly a decade after the financial crisis, the CEOs of the seven largest banks in the United States appeared before the House Financial Services Committee. During the nearly six hours of testimony, ostensibly about how the banking system has evolved since its near collapse, the issue of cybersecurity upstaged all others, being mentioned literally hundreds of times during the proceedings. When asked what was the most prominent threat to the financial system, for instance, most CEOs cited cybersecurity. State Street Corp. CEO Ron O’Hanley called cyber risk a “clear and present danger” that requires banks and regulators to cooperate.

But while bank CEOs testifying before Congress about cybersecurity risks conjures up images of state-sponsored attacks meant to bring down the financial system, in reality the clearest threat is among employees. Across industries, current employees commit 34% of all cybersecurity breaches, and former employees commit 29%.

Many breaches result from the most basic of mistakes, such as opening a phishing email that downloads malware on the firm’s systems or sending sensitive or classified data over text or internal group chats. “The most important protection is training,” says Daniel Longmuir, chief technology officer at Cohen & Steers, an asset management firm of more than 300 people and $70 billion in assets. Longmuir says phishing exercises are an absolute must, for instance, and the more frequent and sophisticated the better. “We need to constantly monitor how our people are behaving and communicating electronically,” he says.

Korn Ferry’s Astmann says there is a major push among asset management firms to drive talent at all levels of the organization to own cybersecurity personally. “Firms realize they can’t rely solely on the cybersecurity team and that they have to build a security culture,” he says.

To be sure, PineBridge Investments’ Francisco says anyone who designs a piece of software needs to have a security framework in mind. And he has a test to see if they indeed do. He says during the interview process he always asks candidates to tell him how they would secure the systems they build. It’s a seemingly simple question, but Francisco says the open-ended nature of it allows him to assess how much and at what level a candidate thinks about security.

“Some will say they don’t think about it, that the operating and cyber teams will provide support, while others will say it is critical to the design process,” says Francisco, whose firm employs around 700 people who manage roughly $100 billion in assets. “The question can go anywhere, and the answer gives insight into the candidate’s mindset around security.”

From a leadership perspective, Korn Ferry’s Stephenson says firms are also putting a lot of focus on broader change-management efforts. Historically, cybersecurity talent is siloed, with a lot of deep experience in one particular area but not much across functions. To be effective today, however, cybersecurity leaders must be able to assess technology risk across ever larger and more complex ecosystems. In order to get potential leaders that necessary experience, firms are increasingly employing rotational assignments. Moving talent through a variety of functional domains—e.g., from the network team to the business continuity team to the action and response team—helps to rapidly evolve culture and establish common goals and objectives. “Rotations help give potential cybersecurity leaders the enterprise perspective necessary to manage in highly dynamic environments,” says Stephenson.

For more information, please contact Craig Stephenson at or Chad Astmann at