Cybersecurity is one of the hottest buzzwords in the industry right now, but it is also a serious concern for hedge funds and investment firms. So much so that in 2014 the Securities and Exchange Commission took formal steps to assess the cybersecurity landscape and to tell registered broker-dealers and investment advisers what policies and technical safeguards it expects them to have in place.
With so much information being shared and so many industry changes around this topic, we asked our cybersecurity experts, Steve Schoener and Lisa Smith, to talk us through what is happening in the world of hedge fund cybersecurity and to provide direction for firms looking to comply with the SEC's latest guidance. Following is a brief recap of a webinar we held earlier this week doing just that.
Industry Update: How did we get here?
Before we dive into what the SEC expects of registered firms regarding their cybersecurity practices, let's first take a look at how we got to this point. Among the host of high-profile security incidents that have dominated the news of late, these few resonate the most:
Dec 2013: Target data breach. Attackers entered Target's network using a third-party vendor's credentials and stole payment-card and personal data belonging to tens of millions of customers, a reminder that a firm's exposure includes the vendors it connects to.
April 2014: CryptoLocker ransomware (first seen in late 2013) encrypts a victim's files, including anything on mapped network shares, and demands payment for the decryption key. Offline or otherwise isolated backups are the only reliable recovery path.
April 2014: Heartbleed, a bug in OpenSSL's TLS heartbeat handling, let an attacker read chunks of a server's memory, potentially exposing private keys, session cookies and passwords. Patching alone was not enough; affected certificates had to be reissued and credentials reset.
April 2014: A zero-day vulnerability in Internet Explorer, exploited in the wild before a patch was available, allowed remote code execution on any PC that visited a malicious web page.
As a result of these and other security concerns, the SEC has taken steps to ensure hedge funds and investment firms are prepared for the next incident. In a Risk Alert issued last month, the SEC's Office of Compliance Inspections and Examinations announced it will examine at least 50 registered firms and published a sample document request list for firms to use as a guide in their preparations. The seven-page document addresses various aspects of a firm's technical infrastructure and corporate policies. Keep in mind that a Risk Alert is not a new rule; it does, however, signal the set of controls examiners expect to find, so firms should treat the request list as the standard they will be measured against.
A Sample Look at the SEC’s Cybersecurity Questions
To help firms gain a better understanding of what information the SEC is looking for within its request for information document, following are a few questions from the document and some helpful information for firms starting to draft responses.
Category: Identification of Risks/Cybersecurity Governance
Question: Please indicate whether the Firm conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences. If such assessments are conducted: a) who conducts them and in what month/year was the most recent assessment completed? and b) please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.
If you're not familiar with what exactly a risk assessment is, let's start there. A risk assessment inventories a firm's systems and data, identifies the threats to them and the weaknesses that could be exploited, and evaluates the likelihood and business impact to the firm if a security incident were to occur. We recommend risk assessments be conducted on an annual basis as well as in the event of major business changes (e.g. expansion, adding new applications, moving to a new provider, etc.). Note that a vulnerability assessment, which scans systems for known technical weaknesses, is one input to a risk assessment rather than a substitute for it; the SEC's question also asks about the business consequences of a finding, which a scan report alone will not tell you. Because the question asks for unremediated moderate and high findings, keep a tracked list of findings with an owner, a target date and a current status for each. Third-party vendors, such as our partners at eSentire, are well-versed in conducting vulnerability assessments for financial services firms and can supply that technical input.
Category: Protection of Firm Networks and Information
Question: Please indicate if the Firm maintains a written data destruction policy.
Keep in mind that a data destruction policy does not only apply to electronic information. Your firm should employ a policy that addresses the destruction and/or removal of all data and records including, but not limited to, portfolios, subscription information, employee personnel files, hard drives, servers, and tape backups. Deleting a file or reformatting a disk does not destroy the data; the policy should specify an approved sanitization method for each type of media (overwriting, degaussing, physical destruction, or destroying the encryption key for media that was encrypted from the start) and should record what was destroyed, when and by whom. The policy also has to be reconciled with the firm's regulatory record-retention obligations so that records are destroyed only after the required retention period has passed.
Another consideration to think through is what third parties your firm is engaged with and which of them have access to your company's data or infrastructure. For example, if you are working with a cloud provider, there should be a contractual obligation on the part of that vendor to remove any client data and either destroy it or return it to the client in the event the relationship is terminated. With the cloud, obviously physical infrastructure is not destroyed, so firms should ensure their data is removed from the cloud environment if and when the client migrates off the platform. Ask the provider how long deleted data persists in its backups and snapshots, and have the contract specify a deletion timeline and written confirmation of destruction; where the firm holds the encryption keys for its cloud data, destroying those keys gives you a removal step you control yourself.
Category: Detection of Unauthorized Activity
Question: Identify and explain how and by whom the following practice is carried out – identifying and assigning specific responsibilities, by job function, for detecting and reporting suspected unauthorized activity.
With this line of questioning, the SEC is looking to see that firms are putting thought into their cybersecurity preparations and assigning specific ownership to firm personnel. Firms should identify a person or team of persons to oversee policies and procedures around the firm's security practices as well as to lead the charge in responding to any type of security incident that occurs. In many cases, this role is taken on by a Chief Technology Officer or Director of IT. Whoever it is, name an alternate as well, write down how employees and vendors report suspicious activity to that person (including outside business hours), and define who escalates to compliance, senior management and outside counsel so the answer to "by whom" is a documented process rather than an individual's memory.
The Importance of Written Information Security Plans (WISP)
The most effective way for a hedge fund or investment firm to respond to the SEC’s examinations is with a written information security plan (WISP). A WISP is a carefully crafted document firms should create as a means to identify and implement both administrative and technical safeguards to protect a firm’s sensitive data and infrastructure. Key elements of a WISP include:
Define confidential data
How is it protected?
Where is it located? (Shared drives, emails, CRM systems, etc.)
Who has access? Do they have a business need?
Roles and responsibilities (Is there a person or team in place to manage this?)
Communication procedures (Who needs to be notified? e.g. investors/regulators)
Assessment of technical safeguards (e.g. penetration testing, encryption software, etc.)
Implementation of additional safeguards, as necessary
As a final thought, firms should work with their internal IT staff and/or outsourced technology providers to review the SEC's questions and customize responses according to their specific infrastructure configurations and data requirements. In cases like these, unfortunately, one size does not fit all, and firms will find that their written information security plans need to include detailed specifics relative to the firm.
Eze Castle Integration’s WISP team is actively working with clients to respond to the SEC inquiry and develop comprehensive written plans to satisfy regulatory and investor demands. If you would like to learn more about Eze Castle’s WISP service or speak with a sales representative, please don’t hesitate to contact us.