With October being Cybersecurity Awareness Month, it is an important time to ensure your firm and employees are aware of and following best practices as well as security policies and procedures. Risk mitigation is needed to protect both the firm and its employees from savvy hackers and attacks. Data breaches continue to wreak havoc on businesses, and the cost is continuously rising. According to the Ponemon Institute, the total average cost of a data breach is now $4 million, up from $3.8 million in 2015. Hackers have everything to gain while your firm bears reputational and operational harm.
While companywide policies should reflect long-range expectations and corporate best practices, they should also include tactical recommendations that employees can follow to ensure they are complying with the company’s overall risk strategy. To get started, here are a few pieces of advice we offer our investment firm clients; remember to inform employees not only of what to do, but also of what not to do.
As of Wednesday, October 5, 2016, computer models continue to show Hurricane Matthew traveling along the southeastern states, starting in Miami early Friday morning and reaching Norfolk, VA early Monday morning. At this point, it’s too early to determine whether Hurricane Matthew will head out to sea once it reaches Virginia or continue up to the Northeastern states.
Whether you’re in the south or north, now is the time to prepare your office and home for the potential impact of the storm. The following is a high-level review of continuity steps you should consider:
Communicating with Employees
If you haven’t already, create a communication process to ensure you can notify your employees and/or clients. For internal communications, you can use an employee call tree (which can be created in Word or Excel), create a distribution list on your mobile device, or subscribe to an automated notification system. Firms must ensure messages are communicated to employees (or clients) properly and in a timely manner. Using a defined process will ensure all employees receive the same message immediately via email, phone call and/or text message. Whichever method is selected, ensure there is a dedicated employee who is aware of their role and prepared to send the communication when appropriate.
Employees’ Work Locations
If your plan is to have employees work remotely should an incident occur, steps should be taken to ensure that employees will have access to all required resources for performing their daily tasks. This includes checking to see that the company has adequate Citrix licenses and having employees do a test run.
To avoid questions and confusion, work location procedures should be clearly communicated to all employees in advance to ensure that any unexpected challenges are dealt with before any disaster.
Employee Remote Access Test
Before Hurricane Matthew reaches your office or home, validate that employees have all of the required resources to work remotely. You can validate this by having key employees perform a remote access test so that any issues are addressed before an incident impacts your office. Here are some recommended steps to have your employees follow as part of the testing process:
Validate successful communication to internal and external dependencies
Confirm full functionality of required applications
Perform all critical business functions
Confirm access to vital records (key files and documents)
Ensure employees can receive incoming calls, while working remotely, by activating phone recovery procedures or using phone redirect instructions
Disaster Recovery Activations
Depending on the impact of Hurricane Matthew, some firms may need to activate their disaster recovery systems. We recommend you review the activation procedures now to ensure a smooth transition of the systems, if needed.
The SEC and other financial regulatory bodies have increased transparency demands with regard to cybersecurity in recent years, and as such, registered investment advisers face a long list of requirements to meet on the technology and operational front. In each of its cybersecurity guidance updates, the SEC has called out the need for hedge funds and private equity firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often.
Risk and vulnerability assessments have not only become must-haves for financial firms due to these regulatory initiatives, but also as a result of growing investor calls for transparency. Side note: If you missed the news, Eze Castle Integration has expanded its cybersecurity consulting services to deliver comprehensive vulnerability assessments (as well as penetration testing and third party due diligence audits) across both internal and external networks. Click here to read more about Eze Vulnerability Assessments.
We field a lot of questions about what exactly a security vulnerability assessment is, so we thought it best to review what such a test entails.
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
Earlier this week Delta Airlines suffered a major system outage that resulted in more than 740 flight cancellations and thousands of flight delays.
Delta’s Chief Operating Officer Gil West explained that “Monday morning a critical power control module at [Delta’s] Technology Command Center malfunctioned, causing a surge to the transformer and a loss of power. The universal power was stabilized and power was restored quickly. But when this happened, critical systems and network equipment didn’t switch over to backups. Other systems did. [As a result, Delta saw] instability in these systems.”
As with any major “uh oh” moment, there are lessons that can be learned. So let’s take a look at what hedge funds can learn from Delta’s IT mishap.
1. Outdated technology can hurt in a big way. Airlines are saddled with legacy IT systems, complicated by mergers and acquisitions requiring complex integrations. Unlike airlines, however, most asset management firms are not relying on technology from the 80s or 90s. But that doesn’t give firms a pass when it comes to staying current with technology.
Outdated IT systems introduce instability into a firm’s operations and provide holes for hackers to exploit. The reality is that outdated systems will only continue to fall behind in the race of technology: troubleshooting will take longer, future applications will fail to run or will crash the server altogether, and the cost to migrate increases as the pool of experts shrinks.
2. You can’t ignore the IT industry’s transition to cloud computing. As noted in a ZDNet article, “the big question is why in 2016 airlines are being brought down by single points of failure when cloud services offer resiliency zones, backup options, and redundancy to keep critical systems running.”
Enterprise-grade clouds deliver significant resiliency in both the hardware and the data centers, with cloud infrastructures spanning geographically diverse facilities. Beyond hardware, top-tier cloud providers (Eze!) have teams of senior engineers managing and monitoring the infrastructure. Additionally, systems are upgraded on a regular schedule.
In the investment management industry, it is common to hear investors state they are more comfortable with fund managers utilizing a private cloud rather than keeping IT on premise. At larger funds, the prevalence of cloud-based solutions provides Chief Technology Officers (CTOs) the opportunity to execute more strategic technology initiatives and focus on risk mitigation.
There's a lot to learn about business continuity planning for investment managers. To help, you might want to watch our recent webinar highlighting the SEC's June 2016 business continuity guidance update. You can watch the full webinar replay here. The SEC not only highlights the importance of being able to access critical systems and applications during a disruption, but also the importance of effective communication.
It is vital to communicate with your employees about the procedures of your business continuity plan before, during and after an incident. By doing so, you set the wheels in motion by creating the guidelines for the firm’s recovery.
Effective communication should include, but not be limited to:
Accounting for employees;
Setting workload expectations; and
Providing employees with recovery status updates.
Let’s take a deeper look into those strategies.
Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.
Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.
Include All Key Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A BCP is a Living Document
Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: A business continuity plan is dynamic; therefore, changes and challenges faced need to be made transparent to all parts of the company.
Today’s private equity funds are increasingly being compared to their hedge fund counterparts and, as a result, are also facing more scrutiny. When it comes to managing and mitigating risk, PE fund managers are wrestling with growing threats on the security front and beyond and mounting pressures from the likes of the SEC and other industry best practice standards.
Security and Business Threats for Private Equity
Security threats abound for financial services firms, and private equity firms are not immune. From the inside out, the risks to PE firms grow daily, with savvy and experienced hackers looking to target financial firms – and perhaps more concerning – untrained and unaware employees blindly putting their firm’s operational standing in danger.
Beyond cybersecurity, however, there are also business threats to consider. Non-security incidents – everything from minor, incidental business disruptions to large-scale, regional impact events – can also wreak havoc for private equity firms otherwise unprepared to resume business functions. Downtime may prove to be less concerning for a PE manager than his hedge fund counterpart, but that does little to calm uneasy clients and investors who expect operations to run smoothly at all times.
PE Firms Feeling the Regulatory Pressure
The above security and business threats pose a serious challenge for private equity firms today. But beyond managing those risks to satisfy a fund manager’s own inherent desire to protect his/her firm, private equity firms also face significant and growing pressure from external bodies to meet operational excellence standards that continue to develop and evolve.
As hedge funds, private equity firms and other financial services organizations work diligently to develop and maintain organizational business continuity plans, an item often lost in consideration is employee personal planning. While firms should focus on how their businesses will recover from a disaster scenario or disruption, it’s also helpful to be proactive in addressing how employees can recover from these scenarios if family members/friends are affected or if the employee himself is affected outside of working hours. Here are a few tips for employers:
Plans and resources are helpful in getting employees more organized, but for employers, finding time to develop and gather these materials can be difficult. It might be easier to have employees gather together and discuss emergency preparedness techniques and why they are important. Consider providing some resources such as binders or forms where employees can write down contact information for insurers, utility vendors, neighbors, etc. Encourage employees to research local/regional emergency preparedness information as well. Getting the conversation going and providing some resources or relevant websites can better ensure that planning activities happen prior to a disruption.
Alternate locations are not just for the workplace. Employees' family members and roommates should have established meeting spots in case evacuating the residence is necessary. Two locations are recommended: one close to the residence and another slightly farther away (e.g. down the street or at a neighbor’s house or apartment), in the event it’s not safe to be at or near the closer meeting site.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focused mostly on firm investment history, performance, etc. On the IT side, it may have asked “are you using an outsourced IT provider” or even “do you have a disaster recovery system”, but beyond that, there was very little inquiry into the types of technologies being used at hedge funds or the protections in place to mitigate risk.
Of course, times have changed, and now we see investor DDQ documents upwards of 5, 10 or even 20 pages in length, asking for great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences behind this due diligence evolution.
In today's Eze Castle Tech Tip: we're discussing myths about Voice over IP -- or hosted voice -- services.