Look Ahead: Cybersecurity 2024 Predictions for Investment Management Firms
As a new year quickly approaches, we would like to take a look back at the cybersecurity trends of 2023 and use them to inform our expectations for 2024. Coupling our proprietary data with insights from reputable industry reports, we are here to ensure you are well informed and ready to face the challenges coming with the new year.
The 2023 Agio Cybersecurity Hedge Fund Report sheds light on the nuanced challenges investment management firms faced in the past year as a result of increasing cyber-attacks. McKinsey and Company suggests a similar increase in cybersecurity threats in the upcoming years. Their data shows that cyber-attacks are expected to cause $10.5 trillion in damage annually by 2025.
According to a Chartered Alternative Investment Analyst Association (CAIA) member survey, from 2003 to 2018, alternative investments doubled their global market share, and their success is expected to grow from 18 percent to 24 percent by 2025.
Financial analysts aren’t the only ones who see the success alternative investment firms are having. All this success means investment management firms face a distinctive set of cybersecurity challenges as they become the target of today’s most prolific threat actors. In this post, we will cover how threat actors attacked investment managers in 2023, what we expect to continue in 2024, and how firms can keep themselves safe amid increasing pressure.
What’s Expected for 2024
Security Supply Chain
Threat actors focused on exploiting vulnerabilities in the software commonly used by alternative investment firms in 2023. Security tools (like Fortinet network devices), remote access tools (like Citrix NetScaler), and file sharing tools (like MOVEit) were all causes of data breaches this year. Attackers know that the software supply chain we rely on is rife with vulnerabilities caused by legacy code bases or short development cycles. When a vulnerability is identified, software developers can be slow to fix it, giving threat actors a window to strike. Domain-joined devices that are accessible from outside of your network should be extremely well secured.
To reduce the risk posed by the vendors that store or access sensitive information, firms are implementing formal vendor risk management programs. These programs are designed to identify risks early and ensure sufficient controls are in place to react quickly if a security risk is announced.
Living Off the Land
“Living off the land” – a tactic in which threat actors use legitimate tools already present in their victim’s environment – is not new, but we have seen a significant uptick in this behavior recently. This approach is particularly challenging to detect because it involves tools and processes that are normally safe and used in everyday operations.
To give an example: if a threat actor is in your network and wants to exfiltrate your data, they can use malware designed for that purpose, or they can use a common tool like TeamViewer. Your security monitoring program will likely flag malware and know that something is amiss, but it may not flag TeamViewer as malicious. This allows the threat actor to operate in your environment for longer, increasing the potential impact they can have.
Agio expects this trend to continue in 2024 as attackers have demonstrated a strong familiarity with the IT infrastructure in place at most alternative investment firms. Combatting the effectiveness of this tactic will require a mature security program that includes just-in-time permissions, allowlisting software, and an established baseline of normal activity.
One positive outlook for 2024: The FCC recently announced rules to urge phone carriers to better protect their customers from SIM swapping attacks. While it remains to be seen if these rules will close this attack path, it is a sign that regulators are trying to address prevalent risks.
SIM swapping is an attack where a threat actor tricks a phone carrier into switching a victim’s service to a SIM card the threat actor controls – allowing them to bypass Multifactor Authentication (MFA) to gain access to sensitive websites – like banks and investment accounts.
The Kids Aren’t Alright
One of the trends we’ve been tracking in 2023 is the change in threat actor motivations and the tactics they use. A new generation of teenage threat actors entered the scene in 2023 looking to make a name for themselves. They certainly did, by stealing source code from large technology companies like Microsoft, Samsung, and Uber. They’ve found success by blending social engineering with a strong understanding of the cloud infrastructure underpinning most alternative investment firms today.
A concerning development with these new players is that they appear to have teamed up with known Russian ransomware groups. In many of their early breaches, they gained access to sensitive data, but they were unable to profit from it, as most victims were unwilling to pay to keep the data private. The recent partnership with Russian ransomware groups means these teenagers can use the existing ransomware ecosystem to profit from their breaches more easily.
As part of an increased focus on cybersecurity in 2023, regulators have charged security executives directly in several cases – Uber and SolarWinds are examples. In the case of SolarWinds, the SEC cites evidence that internal employees were raising concerns about the company’s security practices well before hackers compromised their software, infecting over 18,000 customers.
Just recently, Twitter’s former head of security filed a lawsuit claiming he was released for refusing to take measures he believed would violate FTC requirements and endanger public safety.
As regulators continue to focus on cybersecurity risks – and award whistleblowers – Agio expects to see more cases of employees being quick to share their concerns with regulators.
Generative AI in the Wrong Hands
Generative AI, making headlines for its simplicity and innovation, holds promise but raises cybersecurity concerns at the intersection of innovation and risk. As AI advances, its widespread adoption increases the risk of accidental data disclosure and may empower threat actors with creative new attack types.
The SEC has told firms to avoid “AI washing” – or making unfounded AI claims to the public – which highlights a business risk associated with the rapid adoption of AI. By making claims to the benefits of a technology that is not yet fully understood, firms could open themselves to future regulatory actions. For a glimpse into what future AI regulations may look like, MIT recently released white papers to help guide regulators in governing AI effectively.
How Firms are Protecting Themselves
Insourcing to Outsourcing
Reflecting on the past year regarding surveyed investment management firms, Agio’s 2023 Cybersecurity Hedge Fund Report reveals a compelling trend where 95 percent of these firms initially opted to insource their cybersecurity programs. Interestingly, all surveyed firms initially opted for in-house cybersecurity management but are now planning to switch to outsourcing within the next 24 months.
Regulatory pressure is anticipated to be a significant factor in outsourcing in 2024, with 47 percent of Chief Technology Officers (CTOs), 48 percent of Chief Information Security Officers (CISOs), and 58 percent of Chief Compliance Officers (CCOs) citing external pressure as a reason for their switch in cybersecurity management strategy.
The impact of these decisions to outsource is evidenced in the increased frequency and severity of attacks, with 77 percent of firms primarily insourcing reporting heightened attacks, 87 percent noting increased severity, and only three percent experiencing a decline in attacks. Our data also showed that larger firms were hit the hardest, as firms with over $5 billion AUM and those with more than 75 employees were more likely to report increased attacks and severity.
Consolidating Managed IT and Cybersecurity
Agio’s 2023 cybersecurity survey series underscores a notable trend in the investment management sector, with all respondents expressing a strong consensus that consolidating cyber operations, cyber governance, and managed IT significantly enhances defense readiness.
This sentiment is echoed across diverse roles in investment management firms, including 52 percent of CISOs, 41 percent of firms that primarily insource, and all of Agio’s cybersecurity survey respondents boasting AUM exceeding $5 billion. This unanimity suggests a strategic shift towards recognizing the symbiotic relationship between cybersecurity and managed IT services.
Informed Use of Generative AI
At Agio, we see the many benefits of Generative AI, but we also take any threats associated with AI very seriously and are dedicated to staying ahead of the curve when it comes to protecting our clients.
As we look ahead, Agio’s cybersecurity survey series notes more than half of firms that outsource said artificial intelligence is an essential capability their MSP should have. An MSP, like Agio, that provides proper education, proactive threat hunting and pen testing, and effective monitoring and incident response, helps mitigate any risk that may be associated with AI.
Evolution of the CISO Role
The role of Chief Information Security Officers (CISOs) is also pivotal to consider in the world of cybersecurity. Gartner’s foresight into the changing roles of cybersecurity leaders and regulators underscores a shift in decision-making dynamics, with a heightened emphasis on holding executives accountable for cybersecurity.
The accountability for cyber risks is expanding beyond the confines of IT, with boards recognizing cybersecurity as a business risk rather than merely a technical IT problem. Thus, a reputable and communicative CISO will be pivotal in the establishment of higher-quality cybersecurity teams, and perhaps cybersecurity-specific board committees. In all, with extra focus on training a CISO, cybersecurity teams will be more organized and better prepared to combat tomorrow’s cyber threats.
As we approach 2024, we must ensure our defenses stay a step ahead of our adversaries. While the topics discussed above provide a window into the challenges we are sure to face in the new year, firms that focus on the basics of cybersecurity should avoid the majority of threats. By continuing to pair threat intelligence with the results of risk assessments to make risk-based decisions, firms can limit their cybersecurity risk and empower their investment strategies.
Here at Agio, we are ready to prepare you for the uncertainties and ambiguities of 2024. Get in touch with us today to find out how you can elevate your cybersecurity to be protected against all impending threats.