Hedge funds have known for some time the importance of effective cybersecurity, and regulation increasingly enforces this as a requirement. For any practice to be effective, however, there are a number of factors which need to be considered prior to implementation. Eze Castle’s Lisa Smith recently sat down with HFMWeek Magazine to talk about how to meet and understand the new cybersecurity guidelines advised by the SEC. Following is an excerpt of the article.
The SEC's cybersecurity questionnaire sets the framework and best practices for the financial industry. When you consider the type of information that hedge funds are handling on a day-to-day basis, it's really important that they have security controls in place. The questionnaire is a way for the SEC to ensure that hedge funds, private equity and investment management companies are taking security controls seriously and are aware of what's in place for their company.
HFMWeek (HFM): Within the sample SEC cybersecurity request document, questions were divided into five categories. What is the SEC looking for in these categories?
Lisa Smith (LS): Identification of risk in cybersecurity governance - this involves an analysis of what's in place. So for instance - when I conduct a business assessment I'll focus on what's currently in place versus what should be in place in accordance with the recommendations from the SEC. Anything that is not in place that should be goes into our risk assessment summary and is categorized as low, medium or high. It's about ensuring that hedge funds have certain controls and security policies in place to protect their environment and data.
The protection of the firm's networks and information - ensuring that your information, whether it's personal, identifiable information or confidential information about an investor, employee, the funds, portfolios or strategies of the company, is protected by internal and external policies.
Risk associated with remote customer access and fund transfer requests - this covers any confidential data that's going in and out of the firm as well as any external business partners that have access to the firm's network or infrastructure. You need to assess if information is being encrypted for protection.
Risk associated with vendors and other third parties - this relates to firms which outsource services to vendors, fund administrators or banks. When you outsource, you are most likely transferring some risk to an external business partner and you need to make sure they also have similar best practices in place for protecting your data. You need to ensure that they are following those rules and recommendations when it comes to handling their customer data.
Protection of unauthorized activity - this includes intrusion detection software, vulnerability assessments and technical assessments that scan your network to ensure it's stable, secure and that there isn't unauthorized activity going on or any unauthorized attempts to break into your network.
HFM: Based on Eze Castle Integration's work with hedge funds worldwide, do you believe most hedge funds are prepared for this increased focus on cybersecurity?
LS: I think hedge funds are headed in that direction. Most of them have become very dependent on their IT support providers in order to ensure that these controls are in place and that they're following best practices. Most of the senior management of hedge funds are very busy, focusing on overseeing the day-to-day operations of the firm and so they tend to leave security considerations to those that have the IT expertise, whether in-house or out-house.
The increased focus on cybersecurity is getting those senior managers more involved, increasing their knowledge of what's in place, what needs to be in place and how important it is to make sure the appropriate administrative and technical safeguards are implemented. If they find gaps, they are actively taking the steps to gather the appropriate information and make sure the appropriate controls are in place.
HFM: Many portions of the SEC questionnaire tie back to a firm's Written Information Security Plan (WISP). What should go into one of these?
LS: At Eze Castle Integration, we have been developing and maintaining WISPs for clients since 2009. When putting together the WISP, one of the first things to do is focus on the business assessment by asking questions including:
- How is the business set up?
- What type of functions are being done internally and within those functions who has access to confidential data or personal identifiable information?
- Where is the data stored, who's using it, and who has access to it?
- What level of security is applied to key applications?
For instance, if a hedge fund is using banking or fund administration websites, they should look at what extra level of identifications the sites have in place - are they using security tokens or PC certificates? How are they accessing specific websites or applications? What are the applications accessing? And do they have a business need to access that information?
Another component within a WISP is accounting for hardcopy documentation or information that's on the network shared drives. Again, ensuring that anyone who has access to confidential information has a business need for it and that hardcopy information is being maintained and secured on site and destroyed properly if needed. You also need to identify any external business partners that may be receiving this information, how they are receiving it and whether the information going out to other firms is encrypted. It's about understanding the business processes, where the data lives, who has access to it and how it is being protected.
Another important aspect of the WISP is the technical safeguards a firm has in place. These include anti-viruses, firewalls, Internet monitoring and reporting, intrusion detection systems as well as technical procedures that restrict access to selected drives and monitor who has access to common area shared computers and Wi-Fi.
An additional aspect is creating a Security Incident Response Plan. This plan identifies the key individuals that are responsible for ensuring security policies and procedures are in place, that employees are educated on the administrative and technical safeguards, and that procedures are set and followed for managing a security incident. As part of the security response plan, a firm must identify who is responsible for overseeing any incidents that might occur, ensuring that the incident is controlled and remediated and executing notification steps including when to inform regulatory agencies and clients.
HFM: How is Eze Castle Integration helping firms address the growing security threat landscape?
LS: With our clients, we go through each question of the questionnaire and provide information and guidance based on our knowledge of their technical and administrative safeguards. We also help clients identify potential security gaps and solutions. For example, if a client doesn't have a WISP in place, we can help put that together, which will provide more granular detail about how the firm is protected and any future steps for ensuring that the network is secure and the information within the firm stays in the right hands.
We help and guide our clients through that development and then once the WISP is created, put together a plan to ensure the defined security policies are communicated and that employees are trained. A firm's employees should know what to look for in terms of a potential security risk or breach, how to protect the firm's data and the process for escalating security concerns. Once the plan and training are complete, Eze Castle Integration assists clients with plan maintenance to ensure that as the environment, technology and the business processes change, so does the WISP - given the changing risk landscape, it is essential that a firm's security plan and safeguards accurately reflect what's happening within the business.