After traditionally using spreadsheets to manage data, investment managers are now becoming increasingly aware of the associated risks, often looking to reduce their reliance on the tool.
When asked about this risk, most raise the high prevalence of errors in spreadsheets. The other clear concern for investment managers is the key person risk that utilising spreadsheets enables.
Many can quote statistics like “94% of spreadsheets have errors”1 or “98% of people have seen an Excel error cost their employers’ money”.2
It is these statistics that result in headlines such as “Microsoft’s Excel Might Be The Most Dangerous Software On The Planet”.3
However, less recognised is the danger associated with internally emailing spreadsheets.
Yes — emailing spreadsheets. Hands up if you have emailed a spreadsheet with sensitive data in the last week? How many of you did that without considering the risks?
In May 2022, an Australian superannuation fund suffered an information security breach resulting from unauthorised access to a mailbox.4 The fund was a victim of email phishing activity. In that mailbox was an email with a spreadsheet attached containing personal details of about 50,000 members.
This data breach was not the result of a material security control weakness or technology failure. It was the result of a staff member’s password being compromised by a malicious email.
Emailing spreadsheets is not what usually comes to mind when we ask risk managers about information and data security risk. The recent incident is not a rare event. Other examples include:
- Data breach of thousands after Excel spreadsheet inadvertently attached to survey5
- How an excel document could cost the Department of Home Affairs millions in data breach damages6
- Icare sends private details of 193,000 workers to wrong employers7
- University of Essex data breach being taken ‘very seriously’8
A better way to share investment data
Investment data typically lives in multiple systems across the organisation and it is standard practice to email this data between teams in spreadsheets. As we pointed out in our white paper, spreadsheets are not inherently designed as collaboration tools.
Investment managers are aware of the risk of emailing spreadsheets to and from third parties. Most have secure processes to communicate with custodians and other data providers. However, many still rely on the tool to share data internally.
Moving to an enterprise data management (EDM) platform eliminates the need to share valuable data via spreadsheets and ensures that all business uses a common source of truth.
1. Panko, R. R. (2005). What We Know About Spreadsheet Errors. Journal of Organizational and End User Computing.