Of course, fear is not a good advisor, but one must definitely deal with the topic: the danger of becoming a victim of a cyber attack. It can happen to anyone, as shown by the recently much-discussed attack on the booking portal Booking.com.

In the financial sector, which is increasingly relying on digitization, cyber security is also an important issue. Therefore, our digital Lunch Talk took place on June 19th.

The following panelists discussed the topic from various perspectives:

The discussion was moderated by Fondsfrau Anke Dembowski.

No Small Change
When it comes to cyber security, it's not about small change. Estimates suggest that the cost per attack is around 4.5 million US dollars. Furthermore, it is suspected that damages have been increasing by about 15% annually since 2020 and will reach 10.5 trillion US dollars by 2025.

The discussion addressed questions about the current threat landscape for the asset management industry, how to build resilience (as best as possible), and how a company should respond if it becomes a victim of a cyber attack.

One thing is clear: for asset managers, extortion, in which data is encrypted and the entire IT infrastructure is paralyzed, is likely the most important category of cyber attack.

Key Learning from the Discussion: Cyber security is not just a matter for the IT security officer; the entire organization must be involved.

Relevant Regulations
Because the issue is so serious, legislators have already responded concretely. The second EU directive on network and information security (NIS-2 Directive) was published in the Official Journal of the European Union on December 27, 2022, and must be transposed into national law by October 2024.

Additionally, there is DORA, the "Digital Operational Resilience Act." This EU regulation on digital operational resilience in the financial sector will apply from January 17, 2025. It is a financial sector-wide regulation covering cyber security, ICT risks (information and communication technology), and digital operational resilience.

The following questions were addressed in the Digital Lunch Talk:

The Threat

  • From which direction are cyber attacks feared? And what exactly do the attackers want to achieve? (Espionage or ransom demands?)
  • Is the asset management industry interesting to hackers at all? Isn't there more money or more sensitive data to be found at banks or insurance companies?
  • Conversely, when asset managers analyze and select companies, does it matter how well those companies are protected against potential cyber attacks?

Building Resilience

  • Where is the threat greatest for asset managers? In their own operations, in the use of cloud computing? Or rather with their suppliers?
  • How can asset managers protect themselves? Where do you start? What are the second and third steps?
  • What do emergency plans look like? What are the first things every company should do to prevent total chaos in case of an emergency? Who calls whom, and how, since the data is not accessible?

If an Attack Occurs

  • Companies don't want to broadcast such attacks. At what point is a cyber attack reportable / subject to immediate disclosure?
  • Do you pay the demanded ransom? If so, how exactly?
  • Is an attacked company allowed to simply pay the ransom? It might be a terrorist organization.

Every listener realized: This is a current and very exciting topic that almost every company in our industry is currently working on. We thank the panelists for their excellent contributions, ideas, and advice!

Anke Dembowski

Anke Dembowski is a financial journalist and author of various investment fund-related and other financial books. She is also a co-founder of the "Fondsfrauen" network.