Traditionally, investment managers use spreadsheets to manage their data. However, over the past few years, investment managers have become more aware of spreadsheet risk and most are keen to reduce their reliance on spreadsheets. When we ask them about spreadsheet risk, most raise the prevalence of errors in spreadsheets.
Many can quote statistics like “94% of spreadsheets have errors” or “98% of people have seen an Excel error cost their employers’ money”. It is these statistics that result in headlines such as “Microsoft’s Excel Might Be The Most Dangerous Software On The Planet”.
The other aspect of spreadsheet risk that investment managers are concerned about is key person risk. But what about the dangers associated with emailing spreadsheets within an organisation? We never hear about that one.
Another type of spreadsheet risk
Yes—emailing spreadsheets. Hands up if you have emailed a spreadsheet with sensitive data in the last week? How many of you did that without considering the risks?
In May 2022, an Australian superannuation fund suffered an information security breach resulting from unauthorised access to a mailbox. The fund was a victim of email phishing activity. In that mailbox was an email with a spreadsheet attached containing personal details of about 50,000 members. This data breach was not the result of a material security control weakness or technology failure. It was the result of a staff member’s password being compromised by a malicious email.
Emailing spreadsheets is not what usually comes to mind when we ask risk managers about information and data security risk. The recent incident is not a rare event. Other examples include:
- Data breach of thousands after Excel spreadsheet inadvertently attached to survey
- How an excel document could cost the Department of Home Affairs millions in data breach damages
- Icare sends private details of 193,000 workers to wrong employers
- University of Essex data breach being taken ‘very seriously’
A better way to share investment data
Investment data typically lives in multiple systems across the organisation and it is standard practice to email this data between teams in spreadsheets. As we pointed out in our white paper “Spreadsheet risk: the closing bell?”, spreadsheets are not inherently designed as collaboration tools.
Investment managers are aware of the risk of emailing spreadsheets to and from third parties. Most have secure processes to communicate with custodians and other data providers. However, many still rely on spreadsheets to share data internally.
Moving to an enterprise data management (EDM) platform eliminates the need to share valuable data via spreadsheets and ensures that the whole business uses a common source of truth.