Under the Lens The Asset and Wealth Management Sector Cyber Threat Operations Q2 2020 Contents Introduction 2 COVID-19 impact 3 Timeline of attacks 4 Incident themes 5 Case studies 9 Conclusion 12 Introduction The Asset and Wealth Management (AWM) sector plays a data, such as investment algorithms and models could vital role in managing the world’s financial capital, dealing in seriously undermine business operations for those in the significant transactions across many industries. It is sector. estimated that by 2025 the AWM sector will be worth approximately USD 145 trillion globally.1 With such large The COVID-19 pandemic has heavily reduced the amounts of wealth being handled by the sector, it garners operational capability of all sectors. In stark contrast, PwC much attention from threat actors of all motivations, has observed cyber activity rise, with threat actors particularly those seeking financial gain. leveraging this period of disruption for their own gain. As many organisations within the AWM sector have adapted to Over recent years, many financial institutions and regulators virtual working environments, there is a need to be more have noted the substantial surge in attacks on the financial vigilant than ever when it comes to cyber security sector as a whole - 2018 saw a 500% increase in data awareness. With so much capital at stake, in a sector that is breaches across the wider financial sector over the guided fundamentally by risk appetite, it is vital that preceding year according to the UK’s Financial Conduct organisations within the sector maintain and uphold a Authority (FCA).2 The significant funds managed by the robust, secure environment, as well as have the capability AWM sector are likely to attract threat actors seeking direct to detect and respond to attacks such that the business monetary gain, where high-value fraud attempts via impact, if any, is minimised. business email compromise (BEC) and ransomware attacks remain popular attack vectors. This report provides an overview of the most common cyber threats facing the AWM sector in order to generate The sector is becoming increasingly competitive, with rising awareness and illustrate the motivations behind such costs and new players in the market putting pressure on attacks, as well as support intelligence-led defence. individual organisations to survive. As one of the more mature sectors in terms of technological innovations, many Our analysis is informed by our own in-house intelligence state-of-the-art technologies developed by successful datasets maintained on cyber attacks and targeting from a organisations, including “Fintech”, large scale data variety of threat actors, intelligence gleaned from our modelling, and new technologies surrounding virtual incident response engagements around the world, as well currencies, are potentially of great interest to those in a as publicly-available reports on attacks in the sector. competitive scenario. Furthermore, the theft of specialised 1 PwC, ‘Asset & Wealth Management Revolution’, 2 ‘Cyber attacks on financial services sector rise fivefold in 2018’, Financial https://www.pwc.com/gx/en/industries/financial-services/asset- Times, https://www.ft.com/content/6a2d9d76-3692-11e9-bd3a- management/publications/asset-wealth-management-revolution.html 8b2a211d90d5 (24th February 2019) PwC | Under the Lens – The Asset and Wealth Management Sector | 2 COVID-19 impact The consequences of the COVID-19 situation have hit all following through on their threats, releasing the victim’s sectors to varying degrees, with the AWM sector being no confidential files onto ‘leak sites’. As of 20th May 2020, PwC exception. Alongside the economic downturn, organisations has observed over 150 organisations around the world face a juxtaposing increase in activity from threat actors of having had their data leaked in this manner by multiple all motivations. threat actors. Whether it be espionage actors operating on behalf of Whilst it is difficult to directly attribute this activity to the interested parties with economic interests at play in a time COVID-19 pandemic, the statistics support the hypothesis of turmoil, or organised crime groups looking for new that the increase in publicly known threat actor activity is a sources of income with consumer spending being down, direct result of the current economic downturn. Of the illicit cyber activity is on the rise. incidents observed by PwC, over 60% of these occurred after the World Health Organisation’s (WHO) declaration In particular, PwC analysts have seen a rise in human- that COVID-19 was a pandemic. Of these, over 80% of operated ransomware and data exfiltration attacks.3 These incidents occurred after the UK went into an official are attacks where the threat actor - usually motivated to lockdown on 24th March 2020. extort the victim of cash payments in the form of cryptocurrencies - will not only deploy ransomware on the With the AWM sector being a lucrative target before target, but will stage a lengthy reconnaissance process individual countries began instigating their national beforehand, extracting valuable and oftentimes confidential lockdown policies, the abrupt adoption of remote working information from the target. technologies alongside threat actors growing more emboldened, presents new cyber security challenges at this This information is used as leverage against the target once time. the ransomware is deployed, with threat actors now 3 PwC, ‘Why has there been an increase in cyber security incidents during COVID-19?’, https://www.pwc.co.uk/issues/crisis-and-resilience/covid-19/why-an- increase-in-cyber-incidents-during-covid-19.html PwC | Under the Lens – The Asset and Wealth Management Sector | 3 Timeline of attacks The AWM sector has seen consistent targeting over the past decade; in the timeline graphic below, we detail some of the ‘The Financial and Insurance more recent and pertinent attacks to the sector. sector has always had a target on its back due to the kinds of data it Within the AWM sector sit many confidential and high-profile collects from its customers.’ assets, all of which attract the attention of threat actors. The threat actors targeting the sector range in their motivations, Verizon DBIR Report, 2020 but also vary in sophistication - from individual, insider threat attacks that could be classed as “low resourced”, through to persistent, highly targeted state-sponsored threat actors which seek to obtain information from specific organisations. A detailed explanation on how we categorise threat actors by motivation is located in Appendix 1 of this report. PwC | Under the Lens – The Asset and Wealth Management Sector | 4 Incident themes Based on past incidents and sector trends, we assess that One of the most prominent attack methods used to target the AWM sector is primarily a target for attackers motivated investors is known as a Business Email Compromise (BEC). with criminal and espionage intent. Historically, the sector This involves a threat actor either imitating or hijacking a has been the target of espionage attacks due to the amount legitimate email account in order to defraud individuals or of non-public information that can be used by attackers to organisations through spear phishing. BEC is effective increase their own profits, often using this information to because it is often difficult to differentiate illegitimate emails manipulate the markets. In this way, the AWM sector is or fraudulent transactions from the legitimate ones: unique in that an attacker’s motivation can be somewhat interchangeable between crime and espionage. • In May 2020, a Norwegian wealth fund was targeted by a threat actor using an account in the However, with the threat of ransomware increasing across name of a Cambodian microfinance institution, all sectors, as well as the AWM sector being subject to successfully managing to extract USD 10 million in multiple Business Email Compromise (BEC) attacks over “funding” from the target;4 and, the more recent period, it is PwC’s assessment that crime • In December 2019, a social engineering intrusion poses the largest threat to AWM-based organisations. spanning over eight years was disclosed by a court in New York, whereby the attackers tricked day Criminal traders and their financial advisors into liquidating securities and wiring cash from brokerages to them With the AWM sector being responsible for significant through a BEC attack.5 capital, many organisations that sit under its umbrella make attractive targets for cyber criminals. Financial gain is a In addition to this, it is also possible for threat actors to primary motivation for criminal threat actors, however, there bypass direct interaction with the use of “credential phishing” are a multitude of means through which this can be achieved in order to obtain company credentials that could help them - whether that be financial crime, or the theft of data that can facilitate an illicit transaction. This technique has been be easily monetised. The ‘cyber’ element of such attacks observed within the AWM sector in the past, with allows them to be conducted with lower risk, higher reward organisations having their employees’ details used in order and variable modus operandi. to extract funds from their clients, under the guise of legitimate transactions.6 The shift to new technologies within the sector, such as the increased turn towards virtual currency, has created new These credentials can be obtained through multiple vectors, and innovative avenues for cyber criminals to exploit. The the most common of which are the use of spear phishing, overall rise in ransomware activity across 2020, with a credential reuse or brute forcing, as has also been observed particular spike observed during the COVID-19 pandemic, is in recent cyber intrusions within the AWM sector.7 a threat that must be considered for all sectors. Direct financial gain Exploiting the customer Many of the organisations that exist within the AWM sector As threat actors have evolved, they have also established include those that handle significant monetary transactions sophisticated methods for obtaining customer credentials, (e.g.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages16 Page
-
File Size-