
In an era where cyber threats loom large over every industry, asset managers find themselves in an increasingly precarious position. With substantial assets under management (AUM) and access to sensitive client data, these firms are prime targets for cybercriminals. Yet many lack the robust defenses of their larger financial counterparts.
Why Asset Managers Are High-Value Targets
Asset managers are attractive targets for cybercriminals because of the potential financial rewards they offer. Unlike retail banks, which often have extensive cybersecurity measures in place, many asset management firms operate with leaner teams and smaller IT infrastructures.
“Cybersecurity measures are increasingly becoming a priority for companies across all industries, but specifically for financial services companies. These organisations, namely asset managers, are often more targeted because of the risk-reward potential they represent; cyber criminals frequently target these companies as they have access to significant assets under management. Additionally, cyberattacks on asset managers often expose data of high-net-worth individuals or institutional investors, both of which are attractive to cybercriminals,” Russell Sommers, Principal at Baker Tilly explains.
Adding to this challenge, cyber threats are evolving rapidly. Emerging technologies such as artificial intelligence (AI) are making cyberattacks more sophisticated, harder to detect, and more damaging to business operations.
“Cyber threats across all industries have evolved and advanced due to the introduction of new technology and the increasing danger of threat actors. Artificial intelligence has made cyberattacks more sophisticated, believable, and therefore more dangerous for business operations. In general, new vulnerabilities are constantly being identified and targeted by bad actors.”
Where Asset Managers Are Most Vulnerable
Cybercriminals exploit various weaknesses in asset management firms, but one of the most significant vulnerabilities is human error.
“Hackers exploit multiple vulnerabilities in company systems to access privileged and valuable information and resources. First, and foremost, is an organisation’s workforce and employees. An asset management firm, or any company for that matter, can have the most sophisticated cybersecurity programme and systems in the world and still be susceptible to human error. An effective cybersecurity programme requires employees to be educated on best practices, proper cyber hygiene, potential red flags and escalation procedures. These manifest in common cyber rules like not reusing passwords, avoiding suspicious emails, etc,” Sommers says.
Beyond human error, technical vulnerabilities also present a serious risk. Hackers continuously search for gaps in security systems, leveraging outdated software, weak authentication mechanisms, and unpatched systems to infiltrate networks.
“Every asset manager firm will have different technical vulnerabilities based on the applications they use and how they assess and manage vulnerabilities and patching. A systemic approach to vulnerability identification, remediation monitoring and periodic testing is key.”
To mitigate these risks, asset managers must prioritise both employee training and continuous monitoring of their IT environments. “Vulnerability management is a perpetual process that needs constant attention.”
Vendor Risks: The Weakest Link?
Many asset managers rely on third-party vendors for critical business functions, inadvertently expanding their attack surface.
“Vendors expose asset managers to cyber threats in a variety of ways. Most notably, third parties expand the “footprint” of an organisation, creating more entry points for dangerous cyber actors to firm systems and data,” Sommers explains.
Even more concerning is the rise of vendor impersonation attacks, where cybercriminals use public information about business partnerships to craft highly convincing phishing attempts.
“Many vendors publicise their partners as part of their marketing efforts. Bad actors can use this publicly available information to build more sophisticated phishing attempts modelled as requests from a trusted vendor partner.”
To minimise risk, asset managers must rigorously vet their vendors. Sommers advises firms to select partners that match or exceed their cybersecurity standards.
“. Approaching these relationships with that knowledge allows firms to ask the right questions when interacting with their partners. In general, firms should only choose partners that match or preferably exceed the firm’s minimum cybersecurity program. This may require seeing a trusted report, such as a SOC 2 report, or completing a security questionnaire/assessment to determine whether the vendor meets the minimum cybersecurity standard of the firm.”
Deepfake Technology: A Growing Threat
As AI continues to advance, cybercriminals are leveraging deepfake technology to deceive employees and steal sensitive information.
“Deepfake attacks are becoming increasingly sophisticated because of generative AI’s capability to produce realistic audio and visual content. Companies, including asset managers, are being targeted by this technology through phone and video communications,” Sommers warns.
To counter this threat, firms must emphasise verification protocols. “For example, if you rarely have communication with your firm’s CFO, and you receive a voicemail from your CFO asking for a money transfer, you might consider verifying the message with other members of your organisation. This basic level of detection can often prevent many malicious attempts.”
For more advanced security, firms may implement secret code words or multi-factor authentication to verify messages.
AI-Powered Phishing: The New Frontier
AI has also made phishing attacks far more convincing, eliminating common red flags such as grammatical errors or awkward sentence structures.
“AI has vastly improved the quality of phishing emails requiring enhanced protections and defense mechanisms, as it now eliminates multiple barriers hindering the perceived authenticity of phishing attempts. The technology allows for clear language translation and even tone, general message clarity and sentence flow, which increases the believability and effectiveness of the message.”
Sommers advises employees to critically evaluate email requests for signs of fraud. “Unusual requests to an employee or requests from unusual sources are a common red flag. Detecting these anomalies is essential for preventing any phishing attempt.”
While traditional email security filters still offer some protection, they are not foolproof. “There are a variety of tools that can help detect AI-assisted emails, some of which may be malicious. These tools can be accurate and helpful for detection and provide a constant screening method. However, these tools are not perfect – some AI-assisted text may be able to evade detection meaning overreliance on these tools may be impeditive.”
Building a Cyber-Resilient Future
With cyber threats becoming more complex, asset managers must proactively strengthen their defenses. One of the most effective strategies is aligning cybersecurity programmes with industry-standard frameworks.
“One foundational practice would be to align the cybersecurity programme with an industry-standard framework. For instance, the NIST Cybersecurity Framework 2.0 is an industry-standard framework that provides structured guidance for managing cybersecurity risks through a variety of functions. Aligning your firm’s cybersecurity programme with an industry-accepted framework ensures all of the major tenets that a good cybersecurity programme will be considered. Once a robust programme has been built, it is important to run regular maturity assessments and make evaluations to determine ways defenses can be improved.”
Another critical component is ongoing employee training.
“Proper cybersecurity training requires a multifaceted and consistent approach. At a minimum, an annual cybersecurity training can help raise cybersecurity awareness of firm personnel. This annual training should clearly outline the firm’s programme and policy, giving company-specific guidance for employees, as well as empirical examples of potentially actionable phishing attempts targeted at the firm or competitors, showing employees examples of what to look for and keeping the workforce up to date on cyber developments.”
While AI presents new challenges, it also offers opportunities for improved cybersecurity. Looking ahead, AI-driven defense mechanisms will likely play an increasing role in mitigating cyber risks.
“AI will continue to be utilised to create more sophisticated cyber-attacks and likely increase the impact events as deepfakes and social engineering become more believable and realistic. Asset managers must continue education to better protect their clients and assets.”
As the cybersecurity landscape continues to evolve, asset managers must remain vigilant. A proactive approach—combining advanced technology, robust training, and strong vendor due diligence—will be essential in protecting client data and preserving trust in an increasingly digital world.