Cybersecurity – Institutional Asset Manager
https://institutionalassetmanager.co.uk

Cybersecurity focus essential: HLB
https://institutionalassetmanager.co.uk/cybersecurity-focus-essential-hlb/
Tue, 22 Oct 2024 11:31:12 +0000

HLB has published its fifth annual Cybersecurity Report, writing that it provides crucial insights from over 600 senior IT professionals.

The firm writes that this year’s theme, “Cybersecurity Fundamentals,” explores the pressing need for organisations to focus on essential security practices amidst a landscape of increasing vulnerabilities and evolving technological challenges.

HLB writes that it undertook this research to empower organisations with the knowledge and strategies necessary to safeguard their digital assets. This annual report aims to provide valuable guidance and build a proactive approach to cybersecurity. By understanding the key challenges and trends identified in the report, HLB helps businesses enhance their resilience against cyber threats, ultimately contributing to a more secure and stable digital environment globally.

Report highlights include:

Resilience & basic practices: HLB writes that a staggering 92 per cent of participants noted ongoing cyberattacks, indicating the need for robust resilience strategies and fundamental cybersecurity measures like misconfiguration management and cyber hygiene practices.

Third-party risk & regulatory compliance: With over a third of organisations experiencing vendor-related breaches, the report emphasises the importance of managing third-party risks and adhering to regulations such as NIS2 and DORA.

AI & data protection: While AI offers revolutionary capabilities, it also poses significant security challenges. Only 30 per cent of respondents have implemented additional security controls for AI, highlighting a critical gap in AI governance and data protection strategies.

Amy Spillard, Head of Technology Partnerships, says: “Cybersecurity is more than just an IT issue; it’s a business imperative. This report illustrates the urgent need for organisations to adopt proactive security measures and ensure all employees are well-trained.

Despite heightened concerns, the report shows promising trends, with over 90 per cent of businesses considering cybersecurity a strategic priority and more than 80 per cent having comprehensive incident response plans in place.”

Gareth Rees, The Missing Link, says: “While 45 per cent of organisations now have dedicated teams focusing on cyber compliance, the findings of HLB’s report demonstrate the true measure of success lies not just in resources but in the effectiveness and real-world application of security protocols.

Effective security awareness training, regular security reviews and improved third-party vendor security measures offer a high return on investment in mitigating these risks.”

European businesses confident they will reach NIS 2 compliance despite limited understanding of requirements: Zscaler
https://institutionalassetmanager.co.uk/european-businesses-confident-they-will-reach-nis-2-compliance-despite-limited-understanding-of-requirements-zscaler/
Wed, 05 Jun 2024 11:15:13 +0000

New research from cloud security firm Zscaler reports a disconnect between European company confidence in reaching NIS 2 compliance ahead of the October 17 deadline and an understanding of what achieving compliance will require.

According to Zscaler’s latest report, NIS 2 & Beyond: Risk, Reward & Regulation Readiness, which surveyed more than 875 IT leaders across six European markets, 80 per cent of IT leaders feel confident that their organisation will meet the compliance requirements before the deadline – and only 14 per cent claim to have already met them. A little over half (53 per cent) of IT leaders, however, believe their teams fully understand the demand, and even fewer (49 per cent) believe leadership does. CISOs face an immediate need to educate all relevant stakeholders, from board level to section owners and employees across the organisation, to ensure compliance ahead of the due date.

Examining the disconnect between confidence and understanding reveals some friction between how leaders are discussing NIS 2 and how they are acting upon it, the firm says. Respondents indicate that leaders recognise the growing importance of the NIS 2 regulations, with one-third (32 per cent) saying it is a top priority for their leadership and 52 per cent saying it is becoming a higher priority. This does not appear to be reflected, however, in the support offered to company IT teams shouldering the burden of the compliance process. Most IT leaders (56 per cent) feel their teams are not getting the leadership team support they need to meet the compliance deadline.

Brian Marvin, Senior Vice President of EMEA Enterprise Sales at Zscaler, says: “While there appears to be a quiet confidence across the region that businesses will reach NIS 2 compliance by the rapidly approaching deadline, our research suggests this confidence could be built on shaky foundations. If they are not careful, many businesses may find themselves rushing to the finish line and neglecting other cybersecurity processes as a result – something 60 per cent of IT leaders admitted is possible. Leadership needs to act now and give their IT teams the necessary support to avoid missing key steps in their compliance journey and risking serious financial consequences.”

Although the NIS 2 directive builds upon the existing NIS framework, 62 per cent of respondents believe it is a significant departure from what they currently use. To become compliant, IT leaders are having to make the most significant changes in the areas of their tech stack/cybersecurity solutions (34 per cent), educating employees (20 per cent), and educating leadership (17 per cent). When asked about the top three challenging sections of the directive, respondents pointed most often to:

• security in network and information systems acquisition, development, and maintenance (31 per cent);

• basic cyber hygiene practices and cybersecurity training (30 per cent); and

• policies and procedures around effective cybersecurity risk management measures (29 per cent).

While the NIS 2 directive is positioned as incorporating foundational level cybersecurity requirements, the report suggests many businesses across Europe are not as far along with their cybersecurity standards as they should be.

Only 31 per cent of respondents would label their current cyber hygiene as ‘excellent’. When looking at the survey from an industry perspective, the transport and energy sectors had a far lower level of cyber hygiene excellence, with only 14 per cent of IT leaders in transport companies, and 21 per cent in energy companies, claiming to have achieved this. These figures suggest that too few businesses in some critical infrastructure sectors have been keeping up with security reviews over the past few years, which could pose issues during their NIS 2 compliance checks this year.

James Tucker, Head of CISO at Zscaler, says: “Regulations by themselves will never be the answer to first-class cybersecurity hygiene – particularly given the scale of the cybersecurity challenge. In fact, 53 per cent of our respondents said the NIS 2 regulations don’t go far enough considering what businesses are facing. Rather than a problem to solve, regulations should be viewed as an opportunity to raise foundational security up a rung. Regulations need to become part of an organisation’s ongoing process reviews instead of a separate activity for IT teams to address. Businesses should be using this opportunity to review the scale of their technology stacks as well as find ways to simplify and track their hardware and software through one platform to avoid complexity in their organisational environment.”

The NIS 2 directive emphasises the responsibility of organisations to ensure network and information system security with a culture of governance and comprehensive risk management, Zscaler writes. “They must adopt proactive technical, operational, and organisational measures to manage the risks posed to the security of network and information systems.”

The NIS 2 directive is a legislative act that aims to achieve a high common level of cybersecurity across the European Union. Member states must ensure that entities across 15 industry segments take appropriate measures to manage the risks posed to the security of network and information systems, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Survey reveals 71% of asset managers dealt with institutional investor concerns around cybersecurity in 2022
https://institutionalassetmanager.co.uk/survey-reveals-71-of-asset-managers-dealt-with-institutional-investor-concerns-around-cybersecurity-in-2022/
Tue, 16 May 2023 09:54:17 +0000

In a recent Crestbridge Alternative Managers’ Mood Index (CAMMI) survey, results highlighted the growing concern of investors in cybersecurity during the fundraising due diligence process in the fund management industry. The firm writes that the increasing reliance on digital systems and the rapid pace of technological innovation leaves the industry open to various cyber threats such as data breaches, ransomware attacks and phishing scams.

The CAMMI survey conducted by Crestbridge revealed that a majority of respondents (71.43 per cent) identified cybersecurity as one of the top concerns investors raised with them during fundraising due diligence processes that took place through 2022. Investment funds hold a considerable amount of financial data, making them an attractive target for hackers seeking financial gain. Investors are increasingly concerned about the potential financial and reputational damage that may arise from cyber-attacks on their fund managers.

Shaun Davies, Director, Client Operation for Crestbridge says: “Cybersecurity is of the utmost importance to investors, regulators and fund managers. By virtue of their resources, larger fund managers are better able to defend themselves from and educate their staff around cyberthreats, but mid-market managers may not be sufficiently scaled to do so to the same degree. Mid-market managers may therefore find it worthwhile working with partners who can offer robust measures to safeguard their data on their behalf and who continuously invest in systems and employee training to stay ahead of any emerging threats.”

Regulators across the globe have recognised the importance of cybersecurity and the potential vulnerabilities within the asset management industry and have implemented various regulations and compliance standards for investment funds. Examples include the UK’s Fraud Act 2006 and applicable Data Protection Acts, the Computer Misuse Act 1990, Jersey’s Cybercrime Law 2019 and, in the US, the 2021 State & Local Government Cybersecurity Act, the firm writes.

Shaun Davies says: “As the financial services sector continues to embrace digital technologies, the importance of cybersecurity in the fund management industry cannot be overstated. The CAMMI survey results indicate that investors are acutely aware of the potential risks and are seeking fund managers who prioritise cybersecurity. By implementing best practices, investing in employee training, and staying ahead of emerging threats, fund managers can effectively address investor concerns, safeguard sensitive information, and maintain the trust of their clients. Ultimately, strong cybersecurity measures will be a crucial factor in the success and longevity of fund managers across all asset classes and businesses.”

InterCloud believes transitioning to multicloud is a risk worth taking
https://institutionalassetmanager.co.uk/intercloud-believes-transitioning-to-multicloud-is-a-risk-worth-taking/
Wed, 29 Mar 2023 08:19:53 +0000

InterCloud writes that the European Commission’s Data Governance Act, targeted at overcoming barriers to the reuse of data, increasing trust in data sharing and improving data availability, has accelerated the pace of digitisation for the European economy. As a result, the 2030 vision for tech on the continent is now one of greater openness and collaboration.

According to Jerome Dilouya, CEO of InterCloud, this culture of increased cooperation will place added scrutiny on financial institutions, who are responsible for protecting large quantities of sensitive customer data. Research from IDC revealed that as of September 2022, 83 per cent of banks are utilising public and private cloud platforms. Dilouya believes that banks and other financial institutions should leverage the capabilities of multicloud environments to effectively meet new challenges, and must ensure that they carefully interconnect environments in a safe and coherent way.

Dilouya says: “Financial institutions face an ever-changing threat landscape in their pursuit of digital transformation, with the industry’s growth hinging on the success of this transition. Consumers and businesses alike now favour more remote and digital interactions, and the digital transformation of other sectors is driving the need for banks to modernise their customer service.”

“Common barriers to cloud adoption include the complexity of legacy systems, trust and skills gaps, regulatory uncertainty, and the fragmentation of compliance requirements. Banks also face technological challenges associated with infrastructure, applications, processes, data, and customer engagement, as they grapple with the ever-increasing amount of data they collect while simultaneously pivoting to counter cyber threats.”

“Some leaders at businesses we work with in the banking, financial services and insurance industries have recognised these obstacles and are adopting an open, hybrid multicloud approach, which can help to balance innovation with security and compliance requirements.” 

There is an element of risk to the transition to cloud, which Dilouya acknowledges, but he also highlights the importance of embracing network autonomy and favouring an agile cloud environment.

Dilouya says: “While the cloud offers great promise, it also presents a danger for banks who could get caught out by shifting to the cloud too hastily and without due preparation. An overzealous approach often exposes vulnerabilities, as sensitive data is transferred not only ‘to’ the cloud, but also ‘in’ and ‘across’ multiple cloud environments.

“However, refusing to change based purely on potential challenges will lead to stagnation or worse, especially in light of research from the Bank of England last year, which revealed that cyberattacks are the biggest risk to the UK financial system. Financial institutions relying solely on Internet service providers (ISPs) relinquish all control over network availability, security, and confidentiality. If malicious third-party networks manage to intercept traffic or if the network suffers a denial-of-service attack, this poses a risk of losing the connection needed to allow certain applications to function properly. 

“More complex needs require the more agile and dynamic use of a variety of routes – all credentials of a multicloud environment. Financial institutions, therefore, should implement secure interconnection interfaces and adapt this infrastructure to combat new business challenges.”

Dilouya concludes: “In the current climate, where customer behaviours and expectations are continually evolving, flexibility and adaptability are key. Banks looking to accelerate their digital transformation will benefit from a multicloud environment, but only if they also pay attention to how they interconnect their environments in a smarter, more secure way.”

Cybersecurity issues rise post Covid
https://institutionalassetmanager.co.uk/cybersecurity-issues-rise-post-covid/
Fri, 21 Oct 2022 09:30:07 +0000

A recent report published by IBM Cyber Security Intelligence Index found that human errors are the cause of 95 per cent of cyber security breaches globally, the average cost of which could be as high as USD3.33 million.

George Ralph, Global Managing Director of RFA, is here to make that better. Ralph says: “Realistically without saying we do everything, we do everything that a CTO or CISO (chief information security officer) would be responsible for.”

Ralph started in technology 26 years ago, and joined RFA as a partner eight years ago, preparing clients for due diligence group audits and working as an outsourced CTO/CISO, giving strategic advice.

RFA has 13 offices around the world, with the largest in London and New York, with 400 staff globally, around 850 clients and an equal focus on hedge funds and private equity firms (as well as Investors, Wealth Management, Family Offices and Fund Admins). Assets under management service stand at GBP1.5 trillion.

Ralph notes that cybersecurity used to be called information assurance but is now up front as one of the biggest risks for organisations. “People are used to having powerful mobile devices of their own and treat them like a day-to-day thing, without thinking about it,” he says. 

“Because it’s their own they think it’s secure but if you have a rogue app or a phishing attack, they are in your device – it’s about the education of people. Training is really important.”

The situation has worsened because of Covid and the growth of working from home, Ralph says. Event-driven situations, such as the recent death of the Queen of England, also play a part, as they make people more emotional and not thoughtful about what they are viewing online, he says.

“There are no more attacks than there were, but more people are getting caught out because of these scenarios, electronic communication volume and emotions,” he says.

RFA offers an e-learning platform to teach staff about cybersecurity and then regular testing, every three months, with emails to check that they are still observing good cybersecurity techniques.

“We also teach them about the repercussions if they have a breach and we can lock their machine for 10 minutes to make them realise there are repercussions,” Ralph says.

Having worked in training and in mergers and acquisitions in the past, Ralph notes that an event such as a merger can see lots of new, rather disoriented staff, with higher emotions which impacts on their practice of good cybersecurity techniques. “The pass rate of our testing drops off a cliff,” he says.

He recommends testing as often as possible. “If someone is in your phone, they have all your contacts, so the issue becomes a public relations one as well – if it goes into the media, then there is a risk of a drawdown as well. It’s the modern equivalent of leaving a file on the train.”

Ralph says that a lot of cybersecurity techniques are common sense. “The really important bit is the collaboration, especially with disparate working where you can’t lean over and say: ‘this doesn’t look right’.”

Ralph notes that Covid made people more wary about who they start doing business with and having had a breach of security is a bad mark. If a breach happens, RFA brings in an incident response plan. “I’d like to say it’s a when, not an if,” Ralph says.

The firm has invested heavily in R&D, creating an AI reporting engine which proactively models behaviour, looking for chinks in the armour.

“If someone tries to access their HR folder we get alerts,” he says. “The monitoring of the insider threat is not a big brother activity – it does two things: if someone is fully remote it’s hard to tell if they are happy and we also look at work life balance. We have lots of clients who have burnt out because they are working globally with no breaks and no walk between meetings, no water cooler moment. We notify clients that this person has been working on Excel from six in the morning to midnight and so we are protecting people and the assets of the business.”

Industry Working Group explores data protection and validation as cyber threats continue to evolve
https://institutionalassetmanager.co.uk/industry-working-group-explores-data-protection-and-validation-cyber-threats/
Thu, 23 Sep 2021 08:27:37 +0000

An independent Industry Working Group (IWG) sponsored by the CPMI-IOSCO Working Group on Cyber Resilience (WGCR), including representatives from The Depository Trust & Clearing Corporation (DTCC), Euroclear, the Federal Reserve Bank of New York, LCH, TMX Group and the Reserve Bank of Australia, today issued a whitepaper that explores data protection and validation as the cyber threat landscape continues to evolve.

Delivered to evaluate how Financial Market Infrastructures (FMIs) are protecting and leveraging data, the paper explores options that firms should consider as they bolster their capabilities, including data recovery, reconciliation and replay.
 
The IWG focused on five key themes:
 
• While the two-hour recovery time objective (RTO) remains a target objective, data integrity issues require trade-offs between speed of recovery and accuracy of recovery.

• Recovery capabilities of existing systems were typically designed with physical and non-cyber outages in mind and may not be as effective in maintaining data integrity during a cyber-attack.

• Interconnections between firms increase the potential impact of a data integrity compromise across the industry.

• Recovery from a data integrity breach requires a high degree of trust in the available backup data copies as well as coordination within the ecosystem.

• When considering the recovery objective, the definition of critical services can vary across FMIs and scenarios.
 
As a result of IWG analysis and to continue to improve capabilities in this area, the paper suggests firms should focus on the following areas:

• Identify tools that are most harmonised with the FMI’s objectives: Each FMI should identify tools that are attainable from a design perspective and focus on the implementation of those tools that provide the most coverage.
 
• Define logical restore points: FMIs should work with their participants and the larger community to identify restore points that make sense for their business.

• Understand legacy technology: FMIs should regularly conduct a comprehensive evaluation of their applications to understand any critical interdependencies and identify opportunities for enhanced resiliency as technology evolves.

Today, there is no standard approach to identifying the types of data that need to be protected, nor the manner in which that data should be protected. When facing a cyber-attack, traditional data replication strategies designed for physical or non-cyber disruptions have the potential to spread corrupted data to backup databases, including those within data bunkers and backup data centres. To tackle this challenge, the IWG sought to identify tools to address data recovery and validation issues, draw out key lessons and principles for using those tools, and identify areas that would most benefit from further industry collaboration.
 
The paper highlights the need for greater industry collaboration around: the creation of design principles for housing critical data sets in data bunkers and third-party sites; the need for further guidelines for minimising contagion; the adoption of common standards for assessing third-party risks to the ecosystem; the delivery of industry-wide cyber exercises by an independent party; and a common, yet flexible, definition of service criticality and its prioritization around resumption.
 
Rachel Tyler, Executive Director, Business Resilience at DTCC and Chair of the Industry Working Group, says: “The operation of FMIs is based on the use and trust of data, and to perform effectively, FMIs must keep their transaction and position data, configuration data – which is needed to run systems, and application data protected and intact. Firms must consider how they can continue to improve data protection and validation capabilities to best defend and recover from cyber threats. We are pleased to have engaged with our peers on this paper, and look forward to seeing these efforts progress.”
 
Laure Molinier, Director, Business Recovery Crisis Management & Testing at Euroclear, says: “As part of our business resilience programme, Euroclear’s goal is to continuously improve protection, detection, response and recovery procedures in relation to extreme scenarios such as major data integrity issues. As a trusted financial market infrastructure, we are expected to play a leading role in defining recovery protocols working together with the market in scenario analyses and joint-testing. Euroclear encourages industry-wide collaboration including the sharing of experiences and best practices which benefits the wider market.”
 
Rob Cairns, CTO at LCH, says: “Convening this working group is a significant step in ensuring and bolstering resilience among financial market infrastructure providers. The findings of the whitepaper demonstrate the need for greater collaboration and standardisation in approaching the protection of data. We look forward to continuing to contribute to discussion and action on this important issue.”
 
Sarah Harris, Deputy Head, Payments Settlements Department at the Reserve Bank of Australia, says: “Cyber resilience is a key priority for the Reserve Bank of Australia and we welcome the opportunity to collaborate with our international colleagues on the important issues discussed in this paper.”

Bobby Singh, Chief Technology Officer and Chief Information Security Officer at TMX Group, says: “We are very pleased to be part of this initiative with our global industry partners to share best practices and explore solutions to address data protection, recovery and validation issues. As cyber threats continue to evolve in Canada and around the world, we look forward to continued collaboration to ensure our collective FMI cybersecurity objectives are advanced.”

Financial institutions are prime targets for cybercriminals and future attacks are ‘inevitable’
https://institutionalassetmanager.co.uk/financial-institutions-are-prime-targets-cybercriminals-and-future-attacks-are/
Thu, 19 Aug 2021 08:49:29 +0000

According to IBM, 23 per cent of all cyber-attacks are directed at financial institutions, while the total cost of a single data breach is the second largest among all industries, costing financial organisations USD5.72 million on average.

Another study indicated that 53 per cent of data breaches are financially motivated, so the industry is constantly on the cybercrime radar. In other sectors, malicious users get a foothold through social engineering, credential stuffing, and application vulnerabilities. However, the Finance sector is different as these users primarily compromise internal corporate networks.

The pandemic has accelerated the digital shift, with enterprises focusing on securing cloud environments. Cybercriminals also leverage this change, especially when businesses move to cloud-based platforms. Financial institutions also opt for SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service), and IaaS (Infrastructure-as-a-Service), leaving additional vulnerabilities in a multi-layered environment.

Studies indicate that since the pandemic, banks faced a 238 per cent surge in attacks. Such attacks can be devastating to the economy, given banks’ interdependence and daily transactions. The United States Federal Reserve Bank of New York says: “Compromising any of the five most active United States banks will result in significant impacts to other banks,” resulting in USD130 billion of forgone payment activity. Unsurprisingly, the average cost of a data breach in Finance is 52 per cent greater than average — around USD5.85 million.

The finance sector is strictly regulated and has to comply with complex cybersecurity rules. It makes data breaches even more problematic, as organisations must pay fines and remediation costs, in addition to compensating the lost funds. These requirements call for a holistic approach. 

“Organisations have to strictly authenticate both external and internal users to protect their corporate systems. Financial institutions suffer from internal actors who know the banking system’s inner workings, and state-backed hackers often target them. While cybersecurity automation today cannot guarantee holding off attackers, a reduced surface area can greatly lower the risk”, says Juta Gurinaviciute, the Chief Technology Officer at NordVPN Teams.

To minimise the cyberattack surface area, financial companies establish secure connections for employees and contractors to reach essential assets. However, unconditional trust can be harmful if malicious users compromise the connection.

“Today’s authentication is based on a Zero Trust model, meaning that employees and contractors can only access limited resources for a defined period. Even if their connection is compromised in a supply chain attack, hackers won’t do much harm as they won’t reach the rest of the internal network,” says Gurinaviciute.

The organisation can also implement an additional security layer that filters the end-point devices and apps based on their IP address. With IP whitelisting (also known as the allow list), admins can create a set of trusted employee and third-party devices, granting them access to the corporate network. This policy complicates the onset of the cyberattack, limiting its surface area.

However, manually whitelisting particular IPs can be arduous, especially for smaller organisations like FinTech startups. Companies can stay resilient by implementing third-party solutions with a centralised control panel for an efficient addition of new devices and applications. 

Accenture estimates that banks will lose USD347 billion to cybercrime in the coming years. Organisations with strict and robust external authentication shouldn’t overlook the resilience of their internal networks. Cooperation with technology service providers (TSPs), managed service providers (MSPs), and cloud service providers (CSPs) is inevitable. It brings efficiency and scalability but comes with a cost. To neutralise new possible attack vectors, Finance should review their contractors’ and employees’ access privileges — IP whitelisting is an appropriate first step.
 

Cyber-attacks biggest threat to growth, warn financial services CEOs
https://institutionalassetmanager.co.uk/cyber-attacks-biggest-threat-growth-warn-financial-services-ceos/
Mon, 12 Jul 2021 08:32:46 +0000

Chief executives in financial services rank cyber-attacks as the greatest threat to future growth prospects – more than a pandemic or over-regulation – according to a PwC survey.

Executives at some of the world’s biggest banks, insurers and asset managers were asked to choose from a list of potential business, economic, policy, social and environmental threats to growth. They ranked cyber-attacks top (56 per cent), followed by pandemics (51 per cent) and over-regulation (50 per cent). 
 
The prospect of financial institutions being subject to a cyber-attack has grown considerably in recent years. Only 33 per cent of CEOs considered cyber threats the biggest concern for their business five years ago in 2016.
 
John Garvey, PwC’s Global Financial Services Leader, PwC US, comments: “In an increasingly digital world a cyber-attack can be debilitating for any company. In financial services, where lots of sensitive personal financial information is held, it can come with even bigger risks to a company’s reputation.”
 
Despite fears over cyber threats, CEOs in financial services are more optimistic about the outlook for their businesses.
 
Globally, some 36 per cent of those polled said they are “very confident” about their organisation’s prospects for revenue growth over the next 12 months, up from 28 per cent of CEOs in 2020.
 
A positive outlook on growth is showing in the CEOs’ hiring plans. Some 80 per cent of CEOs expect their organisations’ headcount to either stay the same or increase in the next 12 months as the global economy is set to recover from the pandemic.
 
The survey findings show that the US is the No1 market for financial services CEOs looking for growth over the next 12 months at 29 per cent, nine percentage points ahead of China at 19 per cent.
 
“The financial services sector has come out of the pandemic in a strong position. This is reflected in the CEOs’ future growth and hiring plans. For businesses to become more resilient, we are expecting an increasing focus from executives on workplace productivity through automation and technology,” says Alex Petsopoulos, Partner, PwC UK. “This growing dependency on automated digital processes, which creates ever more connections between organisations, is why cyber attacks are now considered to pose an existential threat to businesses. The call to arms is clear and the solution requires a shared response by the financial services industry.”
 

Ovex to adopt Ledger Vault for digital asset security
https://institutionalassetmanager.co.uk/ovex-adopt-ledger-vault-digital-asset-security/
Mon, 05 Jul 2021 08:20:27 +0000

Ledger Enterprise Solutions has entered into an agreement with Ovex, a South-African-based digital asset prime broker. Ovex will utilise the Ledger Vault platform, an institutional-grade custody technology for enterprises, to secure clients’ digital asset portfolios.

Founded in 2017, Ovex is a cryptocurrency prime broker offering high yield investment products and expertise in OTC (over-the-counter) trading and arbitrage for high net worth individuals and institutions. Ovex is dedicated to improving the efficiency of the digital asset market in the developing world and improving financial market inclusivity. Ovex was initially founded to bring institutional-grade digital asset services to clients in South Africa and is now expanding across Europe, Canada, Dubai and Australia. 

In an effort to elevate security protocols, Ovex will benefit from Ledger Vault’s end-to-end security infrastructure all while allowing clients to be in complete control of their assets from trading to offline storage without ever compromising speed, flexibility, and governance. 

In 2019, Ledger obtained a pooled customised crime insurance programme insuring crypto-assets for up to USD150 million for its Ledger Vault platform led by the prestigious Arch UK Lloyds of London syndicate. All Ledger Enterprise Solutions clients including Ovex benefit from the Ledger Enterprise Solution platform’s custom USD150 million pooled crime insurance.

“There was a natural synergy from the start of this partnership. Ovex provides a seamless experience for high volume traders to buy and trade crypto while the Ledger Vault acts as the platform’s security guard and regulatory counsellor,” says Alexandre Lemarchand, Vice President of Global Sales and Partnerships at Ledger Enterprise Solutions. “As Ovex expands into new markets and territories, we are committed to strengthening this synergy by providing best-in-class security and regulatory guidance.” 

“There is often a trade-off between security and ease-of-use when evaluating digital asset technologies,” says Jonathan Ovadia, CEO of Ovex. “The Ledger Vault solution is one of the few platforms where that isn’t an issue. We look forward to our continued partnership with the team at Ledger as we expand into new regions.”

Launched in March, Ledger Enterprise Solutions offers products and services specifically engineered with the needs of enterprise and institutional clients in mind. With Ledger Vault being the core product, Ledger Enterprise Solutions customises operations at speed and scale for enterprises in need of a battle-tested security partner.

Nemesis Asset Management launches Cyber One certificate
https://institutionalassetmanager.co.uk/nemesis-asset-management-launches-cyber-one-certificate/
Wed, 30 Jun 2021 09:07:47 +0000

London-based Nemesis Asset Management LLP has launched the Nemesis Cyber One, an actively managed certificate focused exclusively on cyber security companies.

This project is the result of a partnership and advisory agreement between Nemesis Asset Management and Mihai Ivascu, CEO of Modex.

Global cyber warfare is playing an increasingly important role in the current state of geopolitics. The new reality leads to massive spending both in offensive and defensive cyber solutions, most of them being provided by the leading US listed cybersecurity companies. After months of analysis, the joint team selected a strong mix of high performing cyber tech companies as part of the Nemesis Cyber One portfolio.

Pier Alberto Furno, CEO of Nemesis Asset Management, says: “The world will be massively influenced by cybersecurity in the coming years and worldwide spending for cybersecurity will increase exponentially. It’s a pleasure to be partnering and co-managing this project with Mr Ivascu who has a tremendous knowledge and entrepreneurial experience in this area.”

Serial tech entrepreneur Ivascu, the CEO of data protection company Modex, says: “As 90 per cent of the world’s data was produced in the last 24 months, the need for data and critical infrastructure protection is becoming a top priority for executives and governments around the world and a new reality in the tech industry. We have designed the Nemesis Cyber One product as a constructive mix between our applied experience of building companies and products in the cybersecurity space, and the proven expertise of Nemesis, one of the leading global asset managers with a very smart approach towards the fastest growing area of tech.”
