As hedge funds and investment management firms shore up security practices in an effort to comply with the SEC cybersecurity expectations and other industry and investor standards, it can become overwhelming to sort out what's required and how firms should go about achieving compliance. It can also be easy to make mistakes. We asked Eze Castle's Business Continuity and Data Privacy Manager, Lisa Smith, to tell us about some of the common information security mistakes she witnesses firms make and how to avoid them in the future. Here are some of the key questions Lisa answers:
Where are you seeing the most deficiencies in cybersecurity preparedness?
What goes into an effective Written Information Security Plan?
What common mistakes do you find firms are making when it comes to information security safeguards?
Take a look at Lisa's answers!
How important is day to day communications within your company/firm? If an incident or disaster occurred today, how would your organization respond? Do you have a team or group designated to develop messages for both internal (employees, vendors, third parties, building management) and external (public, employee families, media) contacts? Have they practiced? When the pressure is on, is your organization prepared if a disaster or event suddenly puts your firm under the microscope with an onslaught of internal/external calls, questions, requests, emails, social media messages or media requests?
Crises and disasters continue to happen across borders and industries. Let’s not forget some of the more recent large scale disasters such as Hurricane Katrina, Typhoon Haiyan, Deepwater Horizon, Fukushima, Hurricane Sandy, and, of course, the ongoing major data breaches, just to name a few. That list doesn’t include more common events that may not make the major news networks such as utility failures, office fires, and systems outages. Smaller events like previously mentioned can cause minimal to significant disruption to business operations. This is why developing and practicing a variety of communications is vital in an organization’s response to an incident.
Some of these events can be predicted in advance, giving an organization time to make decisions, analyze other organization’s responses, consider impacts, and communicate a message or action. Sometimes events are sudden, such as an earthquake or active shooter. These events require immediate actions, decisions, and communications to be made. In either case - an immediate or delayed event - communication is critical to demonstrating proper leadership and providing employees with proper direction, especially if the event is centered specifically on your organization.
When it comes to cybersecurity defenses, this isn’t a fantasy league. The threats are real and growing in sophistication for the hedge fund and alternative investment industry. In today’s blog, we will discuss how to prepare your firm’s defense for external attacks and internal breaches.
Cybercrime works like a defensive team that studies their opponents and plays and can make midgame adjustments. The only true way to thwart an incident is to establish a layered security program to safeguard against attacks and vulnerabilities of all kinds. Football teams share a similar composition, as there are defensive tackles and ends, cornerback and safety roles. You need to ensure your infrastructure is highly secure and cannot be penetrated by external attackers or easily manipulated by internal threats.
Preparing for Ebola: A Review of the Outbreak, its Economic Impact, and Business Continuity Considerations
This year’s outbreak of Ebola in West Africa is the worst that has ever been recorded. The disease typically occurs in outbreaks in tropical regions of Sub-Saharan Africa. In the short span of a year, the virus, which is affecting Guinea, Sierra Leone, Liberia and Nigeria, has resulted in nearly 3,500 deaths.
In this article, we will look at where this outbreak started and the economic impact it has had both in Africa and internationally. We will also highlight the issues that businesses need to consider as this epidemic continues to expand.
Where Did Ebola Come From?
A report published in the New England Journal of Medicine suggests that Ebola’s Patient Zero (the initial patient of an epidemic) was most likely a 2 year-old boy living in southern Guinea. Unfortunately, the boy became very ill and died on December 6th 2013. Several close relatives died shortly thereafter. After the funerals, some of the attendants became ill. Following established patterns of close contact with the sick, the disease began spreading to other villages, then across the borders into Liberia and Sierra Leone. It wasn’t until March 2014 that the international aid agency MSF (Doctors Without Borders) became aware of the new Ebola outbreak and immediately got involved. In early August, the World Health Organization (WHO) declared “an international public health emergency”. On September 30th, the first case of Ebola was diagnosed within the United States.
At this time, the CDC is making both “best-case scenario” and “worst-case scenario” predictions of the total number of cases expected through January 1st 2015. Unfortunately, the predictions range from 11,000 to well over 1 million cases.
The North American Securities Administrators Association (NASAA) recently released survey results of cybersecurity practices of 440 registered investment adviser firms across nine states. The purpose of NASAA’s pilot project was to better understand cybersecurity practices of state-registered investment advisers, how they communicate with clients and what types of policies and procedures they currently maintain. Of those surveyed, 47% have assets under management of less than $25 million, 37% manage more than $25 million and 16% do not manage assets. In today’s post, we will share our favorite graphics and findings from the organization’s survey.
Client Contact via E-mail and Use of Secure E-mail
NASAA's survey reported 92% of investment firms contact clients through e-mail and/or other electronic messaging and only 54% of that group utilizes secure email. While 14% were unsure, a staggering 30% responded that they did not utilize secure messaging whatsoever.
In Part One of Tips to Prepare Your Investment Firm for a Power Outage, we shared 21 key steps from one of Eze Castle Integration's Business Continuity Experts, Matt Donahue, which can help firms to develop a Business Continuity Plan (BCP).
In Part Two, we discuss measures that individuals and families should take to prepare for a power outage or blackout.
19 Tips to Prepare You and Your Family
During an outage, it pays to have yourself and your family prepared. Take time and talk to your family about outages and what to do when they happen. Consider impaired or elderly family members and neighbors that may need assistance during an outage. Do research on your town's or city's emergency preparedness plans. Learn how they will identify shelters, warming/cooling stations, and announce their opening.
Extended power outages and blackouts have the potential to impact not only businesses but also our personal lives. Without electrical power, some business functions may cease entirely, resulting in the loss of valuable data and production time.
With Hurricane Season here and Tropical Storm Cristobal brewing in the Atlantic, we are running a two part series contributed by one of our Business Continuity Experts here at Eze Castle Integration – Matt Donahue.
In today’s article Matt looks at the steps or actions investment firms and other businesses can follow in order to mitigate, prepare, respond, and recover from an extended outage or blackout. Then Thursday’s article will focus on these same topics but for individuals.
21 Tips to Prepare Your Business
During an outage, investment firms risk data losses, experience logistical issues and experience unfavorable or impossible working conditions. Heavy reliance on technology items, IT systems and software can put businesses in a difficult situation during an outage, especially if they have not pre-planned or completed a Business Continuity Plan (BCP). Other mitigation activities such as purchasing alternative or back up power sources such as batteries or generators are good ways to ensure power for essential items.
Here are some other helpful steps and precautions investment firms should consider.
If there’s one thing we’ve learned over the years when it comes to security, it’s that there’s a whole lot more to creating a secure hedge fund (or any business for that matter) than robust technology. Before identifying infrastructure components and implementing operational policies, a firm must first be clear on what its attitude is toward security. This attitude will filter through the company from the top down, and will therefore dictate how employees and the business as a whole operate on a daily basis.
To give you a clearer understanding of what we mean, we’ve created three security profiles that cover a wide spectrum in terms of security attitudes and practices.
Under the Radar: Low Security
If you’re attitude toward security is low, odds are you’re barely scraping the surface in terms of what practices and policies you should be employing to maintain proper security firm-wide. You likely rely on quick fixes to solve problems instead of looking at the bigger picture and thinking strategically about how security can both benefit and protect your business. You’ve employed minimal preparedness efforts and could be in for a difficult task if faced with a serious security incident. You probably take a “it won’t happen to me” attitude and don’t take security seriously enough – a stance that could endanger your firm in the long term.
Categorized under: Security Launching A Hedge Fund Cloud Computing Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing Videos And Infographics
The last five years has seen an increase in reliance on technology among financial institutions. IT outsourcing has become more attractive to the financial services industry - but against the backdrop of increased reliance on complex IT systems and operations is the heightened risk of cyber-attacks and system disruptions.
In June 2013, the Monetary Authority of Singapore (MAS) issued the Technology Risk Management Guideline (TRMG), which addresses existing and emerging technology risks within financial institutions.
The objective of the TRMG is for financial firms to establish a sound and robust technology risk management framework, strengthen system security, reliability, resiliency, recoverability and deploy strong authentication to protect customer data and systems.
In today’s blog article we will take a look at some of the key guidelines covered in the guide:
When most people envision Business Continuity Planning (BCP) and testing, they conjure up images of conference rooms, hardcopy documents, projectors and key personnel. But the real world is a different reality.
In recent memory, there have been many situations that have disrupted businesses - be it by natural disaster or as a result of human interference. In either event, people need to be able to reestablish essential business functions, communicate, and make decisions as quickly and easily as possible.
Although many organizations do an annual BCP review, the big question is whether they truly test the process, ease of accessibility, and the time it takes an organization/leadership group to go from unsure about the situation to confidently executing a thoughtful game plan.
What can make a considerable difference in terms of functionality and familiarity with the plans and recovery procedures is to practice -- not only verbally in the conference room setting, but also by taking time to troubleshoot and brainstorm to determine what works and what may need a second look. There is a lot that can be learned from being unplugged and “kicked” out of the conference room and asked to assume a role outside of the comfort zone. This can be done simply by taking away some of the accepted norms during a test. The following scenario illustrates issues that arise when the accepted norms are chipped away.