Asset management: Find value in cyber spending


Maintain investor confidence — without going over budget


The close relationship that asset management firms have with customers and investors creates additional urgency related to cybersecurity in the industry.



Investors place large quantities of funds in the care of their asset managers with the intention that they will grow and always be available for review.


“Part of being in asset management is safeguarding the assets,” said Grant Thornton National Managing Partner for Asset Management Michael Patanella. “If the assets are compromised, you’re going to lose investors’ confidence, so an attack can have a very big impact.”


The trust that investors place in their asset managers to protect their precious assets and data is enormous. That’s why strong cybersecurity protections can be a difference-maker for asset management firms — and why breaches can be catastrophic.


“In a competitive industry, cybersecurity can either help attract investors or serve as a negative,” said Grant Thornton Cyber Risk Advisory Principal John Pearce.


The good news for asset management firms is that their cybersecurity protections tend to be strong, in part thanks to the influence of two factors from outside the industry. First, cybersecurity insurance providers now demand specific, high-quality controls before insuring a client. Second, asset management firms commonly use third parties for many of their technology needs such as cloud infrastructure and fund processing. These third parties also typically require strong cybersecurity protections from their clients.


Even with these strong protections already in place, Pearce suggests continued investment from managers in two areas: immutable backups and incident response exercises.


Immutable backups increase the resilience of asset management systems by maintaining customers’ access to their investments even in the event of a cyber incident. Incident response exercises are scenario planning activities in which an asset manager will gather all the right people for a simulated run-through of the actions they would take if a cyber event were to occur.


Overall, because protections have been significantly strengthened in the past few years, Pearce said spending on cybersecurity in some industries has begun to level off. Although asset management and banking CFOs see cybersecurity initiatives as critically important, their resources are not infinite.


“The question they’re facing is, where do they decide to invest when you consider the overall global financial challenges they’re facing,” Pearce said.




The cost of security


Data is a growing part of the proprietary value of companies today, so data security is essential. But it can also be expensive. How much do you need?


“You could potentially spend a huge amount of money on cybersecurity, but it might not be the best decision for your organization,” said Grant Thornton Cyber Risk Advisory Services Managing Director Don Sheehan.


To optimize security, you need more than just spending — you need strategic spending. “You can reduce cybersecurity cost, and improve response and operations, at the same time,” Sheehan said. “It takes some management direction and dedication, but you can actually reduce your spending and improve your effectiveness. It really is possible.”


As digital threats continue to grow, it’s important to get the most out of your cybersecurity investment. In a recent Grant Thornton webinar, more than 700 attendees indicated that cybersecurity automation, processes and strategy held the greatest opportunity for improved returns.








One of the most pressing priorities today for asset management firms is finding ways to capitalize on artificial intelligence capabilities, including generative AI, to streamline business processes, provide more customized information to investors and even to inform more successful investment strategies.


There’s pressure to implement AI quickly, as competitors are also racing to take advantage of the technology.


“If the fees are the same, investors will be more attracted to asset management firms that have this technology and these capabilities, which help them provide a superior investor experience,” Patanella said.


However, introducing this new technology may create new cybersecurity vulnerabilities that need to be considered carefully. Many organizations plan cybersecurity based on technical factors without adequately considering their business goals. Likewise, many organizations make business decisions without adequately considering cybersecurity implications.


“We want to make sure that cybersecurity and the business are aligned,” Sheehan said. “People have talked about this for years, but we really need to build that bridge right now.


“We need to make sure that we're aligned in the right direction and supporting the business as it moves forward. Whether it's the primary goal of the business, a supporting goal or internal functions, there are different IT and security functions that can align there.”


“Securing everything” is expensive, slows response time, and creates constant alerts that make it more difficult to spot real threats. Instead, make sure you set priorities in line with the business goals. In business terms, your cybersecurity spending should focus on reducing the risks and empowering efficient responses that are most important to maintaining secure business operations. This risk management perspective can help you understand how to balance costs. It can also help you set priorities for the data, assets, people, processes and technologies involved.




Data management


Asset management firms typically possess huge amounts of sensitive information about their investors as well as their loved ones — the beneficiaries who have been chosen to someday inherit their possessions.


A breach that compromises an investor’s data is incredibly serious. But if a cyber incident exposes their spouses' and children’s data too — including possibly their Social Security numbers — the investor’s frustration may rise to the level of wrath.


As organizations acquire new solutions and data, many adapt their cybersecurity processes along the way. This can lead to a disjointed cybersecurity strategy that sets the wrong priorities or even leaves unprotected gaps. Effective and efficient cybersecurity needs to align with your business data priorities. “Do an analysis of what you have, and then you can prioritize data in different categories for each level of data and the metadata that goes with it,” Sheehan said.


In a recent Grant Thornton webinar, most attendees indicated they had not integrated a data assessment into their security operations.



“Everyone’s at different stages, but relatively few have actually done the full data assessment and integration,” Sheehan said. “You need to understand that this can impact your data privacy as well, especially if you're subject to data privacy regulations.”


Organizations need to understand where data resides, what restrictions should apply and what the priorities are for the business. This is important not only for security, but also for programmatic efficiency. Sheehan recalled one organization that chose not to do a data assessment because it deemed the assessment would be too expensive at the time. “I watched them spend about 10 times that amount over the next few years, protecting everything instead of putting things into categories and protecting the right information. It’s actually a huge way to save money — to know what you have, know where it is, know where those data points come together.”




Manage your system assets


Effective management of your system assets can enable quicker cybersecurity incident analysis and response, while helping to reduce costs.


“Asset management, while not a cyber function, is key to cyber success. Not everything that improves your cybersecurity has to come from your cyber dollars,” Sheehan said. Asset management tools provide insight into your number of users, assets and other accounts. “It makes sense to reduce the unused accounts, assets and devices, which can reduce your software licensing costs — and your attack surface.”


The more assets and accounts you have live, the more targets there are for a cybersecurity attack. Unused accounts can be especially dangerous, since new activity might go unnoticed. It’s also important to know where you have old systems or software. “Fairly often, teams will find a threat and release a fix that works for recent versions, like Windows Server 2019 and newer,” Sheehan said. “But what about Windows 2016 servers? How many of those do you have? Or, how many iPhones have access to your environment that are on Version 16 or lower? What system would you have to figure that out?”


Most organizations ultimately need to track a range of assets and platforms, including multiple versions — and Sheehan said this diversity can be a good thing. “One answer for asset management is to try to deploy the same device to everybody. But nature usually doesn’t like a monoculture, and bad things can happen when there’s no diversity. If you have only one operating system, and ransomware or other malware infects that, you may not be able to get into your other SaaS-based tools at all. You may not be able to manage it.”


Sheehan said that a diversity of roles can help improve your cybersecurity, too. “Having different people looking at cybersecurity from different perspectives, seeing different aspects, is fantastic.”


Key board considerations

In their oversight role, asset management boards have a lot to consider related to cybersecurity.


Like companies in other industries, asset management firms are trying to increase their digital footprint and use technology such as artificial intelligence to drive efficiency and better business and investment decisions.


“Boards need to be aware if new technologies are being injected into the ecosystem that may increase or multiply cybersecurity risks,” said Grant Thornton Cyber Risk Advisory Principal John Pearce.


Directors need to ask how these new technologies align with their cyber risk appetite.


Boards also need to find out how their cybersecurity capabilities and maturity compare with those of their peer group.


“If you’re not investing adequately in cybersecurity compared with your peers, it will catch up with you,” Pearce said.




People management


Since everyone plays a role in cybersecurity, it’s important to manage those roles.


“Almost everybody in an organization deals with some relatively sensitive information, to one degree or another,” Sheehan said, including:

  • End users: The vast majority of employees interact with sensitive information on a daily basis.
  • Executives: Leaders are at a higher risk for phishing, since they are often considered the most likely targets (“MLT”).
  • Developers/clinicians/sales/HR/Finance/Internal audit: These teams are outside of cybersecurity but have a special duty to protect sensitive information.
  • IT staff: IT admins have privileged-access accounts that can potentially halt business operations.
  • Cybersecurity teams: Apart from operations, these teams also include architecture, policy/governance, identity/access management, privacy, and third-party risk.

It’s important to understand the full scope of an employee’s access, because with access comes the potential for mistakes. In a recent Grant Thornton webinar, attendees indicated that accidental employee actions are actually their top cybersecurity concern.




“If you look through annual reports on cybersecurity, accidental employee actions are really key,” Sheehan said. That’s because a lot of cybersecurity really depends on small decisions — the decisions that employees make every day. “The core aspects of cybersecurity hygiene really might have the most pervasive effect on your overall security,” Sheehan said.


Basic cybersecurity hygiene can have the most pervasive effect across the organization, so it’s important to monitor that effect. “There are a lot of things that the cybersecurity team needs to monitor, but they don’t manage or own,” Sheehan said. “Where are all of these things? What is the data you’re monitoring? How are you going to get that data into a place where a group of people can look at it, understand it and provide a context-based and risk-based analysis of what's going on?”


To effectively monitor, manage, maintain and champion cybersecurity that efficiently enables your business goals, you need a central authority that drives, and even automates, the processes behind your cybersecurity strategy.





Processes and automation


Providing information to investors about their accounts and returns is one of the most important duties that an asset management firm performs, and it can be a real differentiator. By presenting data in a visually pleasing way or providing the opportunity for deep dives on performance and possibilities, a firm can stand out from its competitors.


But if a cyber incident disrupts access to that information or permits nefarious actors to view that information, your firm may stand out in the wrong way.




Process alignment


A cybersecurity program can help drive business value by centralizing and coordinating processes.


“You need to have everything in the right place, everything coming together so you can see the big picture, have context for what's going on, and make good analyses of what's going on with what is risky and what is not,” Sheehan said. That might sound like an expensive endeavor, but it usually means coordinating existing activities both inside and outside of typical operations:


  • Solution development: “We reduce risk by designing secure systems. You reduce cost by designing secure systems. You reduce both by considering security up front,” Sheehan said. Solution development and IT architecture and engineering typically approach solutions from the perspective of making sure they’re available, stable and providing service. Cybersecurity priorities are typically confidentiality, integrity and availability. These overlap, but they are not entirely the same, and it’s important to integrate security into the early stages of solution design and development.
  • Solution procurement: The procurement and finance teams need to be coordinated with IT and cybersecurity, to help ensure that new purchases or contracts are aligned with an efficient cybersecurity strategy and support.
  • Identity and access management (IAM): Your organization’s IAM might be managed by IT and audited by cybersecurity, or you might have another structure, but you need to centralize and monitor IAM information so that you can efficiently see if there are compromised accounts. You also need to reduce your attack surface by decommissioning accounts or systems when appropriate. “Please also remember, as you're reducing that number of users, to always have a break-glass function,” Sheehan said. “You need a way to get back in, in case other things happen with your IAM system. And your system should alert you if that account ever gets used.”
  • Governance: The policy and governance teams have a risk management strategy that should be informed by, and coordinated with, cybersecurity needs. Data retention standards, for instance, need to be aligned with the right minimum and maximum timelines that allow for effective and efficient cybersecurity. Policies can also be important to help direct and authorize the organization’s actions. As your employees, contractors and other collaborators gain access to new technologies and solutions, make sure that you have policies in place that address any activities that put your organization at risk and that authorize the appropriate action.
  • Internal audit: Internal audit should play a central role in assessing your IT risks, including your cybersecurity risks. The internal auditors usually start by evaluating the organization’s policies but, even when policies exist, they need to go further to ensure that they are being followed.
  • Training: Training can be at the center of driving cybersecurity hygiene, across the organization’s workforce, in an ongoing way. “That human firewall is important — make sure that people have an idea of what to do,” Sheehan said. “You won't stop every click, but you want to make sure they understand the threats and have an awareness.”




Even with effective cybersecurity processes in place, a growing number of organizations continue to invest in cybersecurity insurance. These insurance providers typically require a number of cybersecurity controls to be in place. These controls can help identify issues that the organization might not have been monitoring, and compliance is usually tied to the cost of the insurance. So better cybersecurity can be directly tied to cost savings.


“One key piece is that whoever signs up for that insurance — the CFO or COO office — needs to communicate with the CIO, CISO, IT and cybersecurity teams about who has it, what it covers and the other details,” Sheehan said.


“Often, executives tell us that they have it, but others on the executive team don't know about it and have no idea what the coverages are.” It’s also important to note that policies might have preferred providers and might not cover work from other providers at the same level.


It can even be important to call your cybersecurity insurance provider in the midst of an attack. “They can often help negotiate with the attackers, especially if it's ransomware,” Sheehan said. “They can help negotiate that down because the insurer's paying it, so it's in their best interest.”


Effective process alignment can help you improve security while also saving costs. Plus, when a cybersecurity program can look at centralized processes, it can more effectively identify tasks that are standardized, repeatable and time-consuming. These can be excellent candidates for automation.






The growing complexity of cybersecurity for AI solutions and other evolving technologies has pushed some organizations to consider automation. Many have considered or implemented security orchestration, automation and response (SOAR) tools, but it’s important to recognize that these tools, or any automation, will still require some coordination and work from your teams.


“Be aware that automation is going to take some engineering resources,” Sheehan said. “That's not bad — it's just that you want to make sure you're doing a full cost/benefit analysis as you consider it.”


Well-planned automation can save significant cybersecurity costs over time. To analyze your opportunities for automation and plan the right approach, consider the following factors:

  • Complexity: There will be process exceptions, architecture limitations, business requirements and other complexities that limit which processes are candidates for automation, so plan to analyze and understand those before you plan the areas to automate.
  • Budget: Automation (especially an initial implementation) will typically require engineers, analysts or both. It’s important to budget for and allocate the right number and ratio of knowledgeable resources to achieve success.
  • Customization: SOAR tools have significant potential, but they can require implementation or customization that you should anticipate in your planning. They also might require time to build a baseline of normal activities so that they can provide valuable feedback about anomalies.

The best opportunities for automation are often in the ongoing analysis of alerts or threats as they come in. From there, you can consider whether there are repeatable actions that are also candidates for automation.


“You can really make sure that the alerts which come up for humans to review are really the important things that are anomalous or take some fuzzy logic or complex correlations to evaluate,” Sheehan said. “That's what humans are good at doing. We can pick out and remember disparate things, and it can be hard to automate that.”


Although improved market returns over the past several months have provided a path to better revenue for asset management firms, the highest profits will be turned by the firms that continue to manage costs as effectively as they did during the recent market downturn — and those that continue working to discover new cost efficiencies. In cybersecurity, costs can be a complex issue. However, it’s important to recognize that streamlined efficiency can both save cost and improve the organization’s security. To explore those opportunities, you need to start with a discussion.


If you're not a cybersecurity expert, ask about some of the core strategic, process and automation concepts to bridge the gap. Understand that cybersecurity is about reducing risk and setting the right priorities.


“Your cybersecurity is not set up to block everything,” Sheehan said. “It’s similar to physical security. We don't know who's stealing Bob's sandwich out of the company refrigerator because we don't have physical security standing at the refrigerator checking on sandwich access. IT is going to be the same way. Nobody's going to advocate spending $200 to protect a $100 asset. It breaks logic at that point. However, you need to know exactly where you’re spending your money, how you're securing your organization and how you’re enabling the business operations.”


Your cybersecurity strategy, processes, automations and costs don’t necessarily need to be larger. They need to be right-sized, coordinated and focused on the right areas. They need to be part of everyone’s cybersecurity hygiene.


“That’s the human firewall. You need your people to be helping you do this,” Sheehan said. “Let's make sure we right-size effective cybersecurity for the organization.”



Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.

