Is outsourcing the answer to rising cybersecurity risks?

By Prashant Singh
8 May 2019

“The threat of cyber security may very well be the biggest threat to the U.S. financial system.”—Jamie Dimon’s Letter to Shareholders, JPMorgan Chase Annual Report 2018[1].

Cybersecurity is far from being just an American problem either. This is a global issue. More than 30% of organizations have already experienced a cyberattack on their operational technology infrastructure[2]. In the UK alone, financial services companies saw a fivefold rise in data breaches in 2018[3].

And the cost of guarding against cybercrime and remediating any attacks that do take place can be crippling—even fatal for many firms. Which is why it could be time for asset and wealth managers to consider outsourcing.

The cost of crime

Financial services bears the greatest burden of any industry. Accenture figures show the sector had the highest cost of cybercrime: an average of $18.3 million per year per company surveyed, compared to $11 million across services in general[4].

A separate report by Cybersecurity Ventures predicts that during 2019 a business will fall victim to a ransomware attack every 14 seconds, rising to every 11 seconds by 2021[5]. Total ransomware damages are expected to hit $11.5 billion in 2019, and $20 billion by 2021.

Financial damage is just the start

It’s not just the financial losses firms can suffer in a breach that make cybersecurity such a high risk/high impact issue. It’s the potential client compensation payouts … the reputational damage … the loss of stakeholder confidence … the prospect of regulatory fines and legal penalties.

Worse, cybersecurity is a never-ending, resource-intensive (and frankly thankless) task.

The cost of implementing robust cybersecurity is high and growing—an expense I’m sure all firms would rather dedicate to more fruitful, revenue-generating activities. In the interests of self-preservation though there is little choice but to grin and bear them.

Regulators are increasingly mandating action too.

The latest move by the Monetary Authority of Singapore is a prime example. In March, it issued two consultation papers on proposed changes to its Technology Risk Management (TRM) and Business Continuity Management (BCM) Guidelines[6]. If adopted, these changes will require financial institutions to implement enhanced technology risk management practices and robust business continuity plans to strengthen their operational resilience.

Can you afford it?

Big breaches against the likes of Equifax and JPMorgan are what grab the headlines. These companies though are most likely to have the balance sheets and brand stability to weather an attack, manage and ultimately overcome the damage, and devote enormous resources to guarding against another.

Most asset and wealth managers are less fortunate.

They don’t have the in-house IT budget to continually implement the latest, most sophisticated cybersecurity protections, nor the financial buffers to bounce back from any hacks that do get through.

Strength of a specialist outsourcing provider

Outsourcing your mission-critical technology infrastructure—plus any non-core middle- and back-office processes—offers a cost-effective way to minimize the problem … provided the service provider has robust cybersecurity protections and protocols in place of course!

Hosted technology platforms let you take advantage of expertise and resources most investment managers simply cannot replicate in-house.

For instance, a recent Cisco report found two-thirds of organizations that constantly upgrade with the best technologies available experienced a lower tally of daily security alerts[7]. Keeping an in-house implementation current can get expensive and disruptive. But with a hosted service, you will always be on the vendor’s latest system versions.

IT vendors also know their solutions better than anyone, and will be best placed to monitor and protect them.

Similarly, any outsourcing service provider worth its salt should be better equipped with strong, up-to-date defenses than the average investment manager. As dedicated specialists working with multiple clients, in theory they will have the:

  1. Scale and dedication to devote investments to the latest cybersecurity technology.
  2. Expertise to recognize and mitigate threats.
  3. Disaster recovery and backup facilities to get back up and running quickly in the event of an attack.

The big concern is whether they will be strong enough. Not all software vendors and service providers offer the same protections, or have the same R&D priorities.

So do your due diligence. Size of provider offers no guarantee against attack, but it does suggest greater resilience. IT budget and investment focus are another guide.

Scope of offering is a further factor. The Cisco report notes that an integrated enterprise architecture approach results in fewer point solutions and the ability to better monitor and manage security alerts. Leveraging an automated front-to-back core IT infrastructure through a single vendor is therefore a clear way to reduce risk.

Transparency and control are further considerations. Operational responsibility ultimately remains with the investment manager, so it’s vital you can understand and control what is happening to your environment day to day.

Don’t go it alone

Cybersecurity poses a huge and growing challenge for the investment management community. But with the aid of a strong and trustworthy partner, firms can increase their odds of staying safe.


[1] Chairman and CEO Letter to Shareholders, Annual Report 2018, JPMorgan Chase,

[2] 60 Must-Know Cybersecurity Statistics for 2019, by Rob Sobers, Varonis,

[3] Cyber attacks on financial services sector rise fivefold in 2018, by Madhumita Murgia and Nicholas Megaw, Financial Times, February 25, 2019,

[4] Cost of Cyber Crime Study, Accenture, February 2018,

[5] Cybercrime Damages $6 Trillion By 2021, by Steve Morgan, Cybersecurity Ventures, December 7, 2018,

[6] MAS Consults on Proposed Enhancements to Technology Risk and Business Continuity Management Guidelines, Monetary Authority of Singapore, March 7, 2019,

[7] CISO Benchmark Study March 2019, CISCO,