The following article first appeared in Hedgeweek's special report: Cybersecurity for Fund Managers 2016.
Mitigating insider risk is one of the biggest challenges that organisations face when it comes to remaining cyber secure.
"One thing we've seen a lot of with clients is their need for consulting support," says Mark Coriaty (pictured), Senior Vice President Strategy & Partnerships, Eze Castle Integration. "They don't necessarily have the biggest IT teams and/or might have been more focused on the engineering side than the cyber side. Consequently, they are spending more time learning about the business, as opposed to just putting a solution in place.
"Cybersecurity comes down to operational and procedural policies as well as employee training, which is by far one of the biggest threats to any firm."
Many internal breaches come down purely to human error, but on occasion it is the actions of a rogue employee that lead to data misappropriation. To limit the impact, fund managers can put in place permission controls as a way to enforce their policies and procedures; these might allow them to disable USB drives, protect different file sets on the back end, and so on.
"It is important for whomever is managing the overall IT infrastructure to ensure that people only have access to data that they need for their day-to-day responsibilities, and block them from accessing data in other parts of the organisation," says Coriaty, adding that employee training has to be an ongoing process. "For larger firms that hire new employees regularly, managing the process of training them is crucial to maintaining good security. Most hackers target smaller investment managers not to collect credit card numbers, or investor details, but for extortion purposes, using the likes of CryptoLocker to force them to pay ransoms."
Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.
Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.
Include All Key Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A BCP is a Living Document
Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: a business continuity plan is dynamic; the changes made and the challenges faced therefore need to be transparent to all parts of the company.
When assessing technology options and evaluating outsourced IT providers, there are a number of questions hedge fund managers should be asking in order to make the best decision for their firms.
As we talk with investment managers – especially those whose firms are considering a move to the cloud – we’re hearing many of these great questions on an increasingly regular basis. One particular area where there tends to be some confusion, however, is the topic of audit standards which govern service organizations and the data centers they manage on behalf of client firms. To help you navigate through the evaluation process, we’ve pulled together a guide to understanding audit terminology and industry standards.
There's a lot to be mindful of when it comes to cybersecurity. Experienced and savvy hackers. Insider threats. Regulatory guidance updates and subsequent enforcement actions. The list goes on. So how do today's hedge fund and private equity firm managers navigate the changing landscape and stay above the fray? It all starts with planning.
If you missed it, our recent webinar with law firm Sadis & Goldberg explores the regulatory climate for investment firms, recaps recent SEC enforcement actions and the variance in how compliance is evaluated, and provides practical and actionable advice for fund managers looking to address insider threats, education awareness and policy gaps around information security.
If you have a free hour, this one's worth your time.
Watch below or read our joint whitepaper, A Fund Manager's Cyber Security Action Plan.
In an alert posted to its website, the U.S. Federal Bureau of Investigation (FBI) stated that phishing email scams requesting wire fraud transfers have cost firms more than $2.3 billion in losses since 2013.
At the root of a phishing email scam is in-depth reconnaissance, during which the cybercriminal delves into employees' personal information and the organization’s processes. During this phase, schemers study the language used within email threads and obtain enough information to pinpoint the employees who manage money within the firm. Equipped with this insider information, the criminal sends a spoofed email, assuming the identity of the firm’s CEO or other senior executive, to an employee responsible for managing funds and requests an illegitimate wire transfer. Typically, the message will convey a sense of urgency – a key factor in the fraud's success.
According to the FBI, these email scams have increased by 270 percent since January 2015. With the rise of these emerging, sophisticated attacks, the need for fully managed phishing awareness and training programs grows exponentially. Breaches will happen, but when employees are provided with the tools and knowledge needed to recognize fraudulent emails, risk decreases and a firm’s defenses become stronger and more agile.
In case you missed it, the SEC announced this week that it levied a $1 million fine on a prominent financial services firm for failing to adopt written policies and procedures reasonably designed to protect customer data. The SEC also stated it expects “SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Eze Castle Integration and Sadis & Goldberg just published ‘A Fund Manager’s Cyber Security Action Plan’ that covers what the SEC expects from managers. You can download the paper at www.eci.com/cyberplan or read an excerpt below.
Cybersecurity has fast become an imminent and pervasive threat to the investment management industry. Investment advisers, including those managing private funds (“Fund Managers”), are required to disclose and report a higher quantum of more sensitive and meaningful information than ever before, via Form ADV, Form PF, CPO-PQR and (for some Fund Managers) Annex IV. Cyber-attacks can be manifested in a variety of ways from multiple sources and can lead to direct losses (e.g., theft of funds, data or other property), reputational harm, regulatory actions, third party litigation and other forms of liability.
While it’s reasonable to believe that a typical CFO would not respond to a “spear-phishing” email from a fictional Nigerian prince, consider the risks presented by a more realistic cyber-attack wherein a personal email is sent to the CFO, purporting to be from your prime broker, auditor or administrator (information discoverable from your Form ADV), mimicking the patterns and style of previous email communications (discoverable from your email server) and asking for confirmation of a recent wire or some other sinister request. Internal attacks such as this are discussed further throughout this paper, and each one has the potential to cripple a fund and/or damage thousands of investors.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focused mostly on firm investment history, performance, etc. On the IT side, it may have asked “are you using an outsourced IT provider” or even “do you have a disaster recovery system,” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds or the protections in place to mitigate risk.
Of course, times have changed, and now we see investor DDQ documents of 5, 10 or even 20 pages in length, asking for great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences behind this due diligence evolution.
It’s no secret that investment management firms (including hedge funds and private equity firms) have historically been divided over the use of public and private clouds. We’ve discussed it in depth here on the Hedge IT Blog, explaining the differences between the two and why most funds are choosing to go with a private cloud solution.
A case can be made, however, that there’s a time and a place for each cloud platform and both offer their own advantages for financial services firms. We’ve taken a look at some of the key areas firms will consider when looking at public and private clouds and identified which we think comes out on top.
Service & Support
Investment firms demand uptime to ensure operational efficiency and profitability. Public cloud providers, however, do not offer investment-specific IT support; instead they provide limited customer service, with representatives troubleshooting only the most basic email and desktop support issues.
Financial services firms are increasingly interested in relying on third-party service providers to increase efficiencies and benefit from industry expertise. As outsourcing has grown, however, regulatory bodies such as the Securities & Exchange Commission (US) and Financial Conduct Authority (UK) have begun to evaluate outsourced relationships and provide guidance around how investment management firms should engage and manage these partnerships. In 2015, the FCA drafted a “guidance for firms outsourcing to the ‘cloud’ and other third party services.”
The document aims to ensure that risks associated with outsourcing are appropriately identified and managed. Thirteen key areas of consideration are highlighted below.
Legal and Regulatory Considerations. In undertaking the due diligence process, an investment firm should consider and compare the operational risks associated with outsourcing to various providers (e.g. public vs private cloud) as well as any specific legal or regulatory obligations. Firms should identify and record contracts with all service providers, ensuring that compliance with any relevant requirements is maintained throughout the supply chain.
The information below was originally derived from the expert panelists who spoke at a 2010 Eze Castle Integration event. Given how important this topic is we’ve updated the article to reflect today’s market.
The subject of hedge fund operational due diligence is one that has risen to the forefront for both hedge fund managers and investors in recent years. Prior to the economic downturn in 2008 and the high-profile investment scandals made infamous by Bernard Madoff and others, hedge fund due diligence was viewed as an unnecessary assignment.
Historically, there has been a general lack of transparency within the hedge fund industry; larger funds, particularly, used to balk at investor inquiries. They figured there would never be a shortage of investors, so there wasn't a need to spend extra time satisfying their needs.
Due diligence, as a process, did not gain significant importance until recently. In the past, the responsibilities associated with it would often fall under the role of a CFO, CCO or other executive – someone who had very little time to devote specifically to due diligence. But as the industry has evolved over the last several years, so has the need and desire for operational due diligence.
So what exactly has changed?