In another airline-hedge fund technology parallel, United Airlines recently introduced a new two-factor authentication system for MileagePlus frequent flier program members. Great, right? Well, maybe. Maybe not. The system has been receiving criticism of late from those who don’t consider United’s security practices as true two-factor authentication (2FA).
Here’s how it works.
When a member attempts to log into their account from a device that is not recognized by the airline, a user will be asked to answer two security questions. During account setup, the flyer’s answers must be chosen from a provided dropdown list, meaning the answers are predefined and, hence, not unique to each customer.
To dispel some of the concern, Ben Vaughn, United's director of IT security intelligence, has stated that the dropdown menu options stop hackers from being able to do keystroke logging and automated attacks to gain access to accounts.
Time will tell if United’s 2FA system is successful in preventing security breaches for airline customers, but in the meantime, let’s review the common types of two-factor authentication, since the kind United is using is actually the weakest:
The SEC and other financial regulatory bodies have increased transparency demands with regard to cybersecurity in recent years, and as such, registered investment advisers face a long list of requirements to meet on the technology and operational front. In each of its cybersecurity guidance updates, the SEC has called out the need for hedge funds and private equity firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often.
Risk and vulnerability assessments have not only become must-haves for financial firms due to these regulatory initiatives, but also as a result of growing investor calls for transparency. Side note: If you missed the news, Eze Castle Integration has expanded its cybersecurity consulting services to deliver comprehensive vulnerability assessments (as well as penetration testing and third party due diligence audits) across both internal and external networks. Click here to read more about Eze Vulnerability Assessments.
We field a lot of questions about what exactly a security vulnerability assessment is, so we thought it best to review what such a test entails.
Here’s a quick overview.
The type of risk assessment typically associated with information technology/security is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
Whether it is your summer interns heading back to school or a full-time employee moving on, an investment firm must have a detailed employee termination checklist for information technology (IT) that is diligently followed.
But what are the key items that must be on your employee termination checklist?
Here’s An Employee Termination Checklist Foundation:
Contact IT Department or IT Provider to terminate or change network or application logins
Ensure subscriptions are either cancelled or changed
Collect employee equipment such as laptops, monitors, mobile devices, etc.
Ensure employee has documented transition procedures
Reset user password and disabled account
Cloud, Cyber Security and Managed Services: Putting Eze Castle Over the Top in Waters Rankings (Video)
We're thrilled to share that Eze Castle Integration has won the coveted awards for Best Cloud Infrastructure Provider and Best Cyber-Security Provider in the 2016 Waters Rankings. Vinod Paul, Managing Director of Eze Castle Integration, spoke with Dan DeFrancesco, Deputy Editor of Sell-Side Technology and Waters Technology about how Eze Castle Integration differentiates itself from other cloud and security providers.
Watch Vinod's video interview below or scroll down for some quick takeaways.
The following article first appeared in Hedgeweek's special report: Cybersecurity for Fund Managers 2016.
Mitigating insider risk is one of the biggest challenges that organisations face when it comes to remaining cyber secure.
One thing we've seen a lot of with clients is their need for consulting support," says Mark Coriaty (pictured), Senior Vice President Strategy & Partnerships, Eze Castle Integration. "They don't necessarily have the biggest IT teams and/or might have been more focused on the engineering side than the cyber side. Consequently, they are spending more time learning about the business, as opposed to just putting a solution in place.
"Cybersecurity comes down to operational and procedural policies as well as employee training, which is by far one of the biggest threats to any firm."
Many of the reasons for internal breaches come down purely to human error, but on occasion it may be the actions of a rogue employee that lead to data misappropriation. To limit the impact, fund managers can put in place permission controls as a way to manage their policies and procedures, this might allow them to shut off a USB drive, protect different file sets on the back-end etc.
"It is important for whomever is managing the overall IT infrastructure to ensure that people only have access to data that they need for their day-to-day responsibilities, and block them from accessing data in other parts of the organisation," says Coriaty, adding that employee training has to be an ongoing process. "For larger firms who hire new employees regularly, managing the process of training them is crucial to maintaining good security. Most hackers target smaller investment managers not to collect credit card numbers, or investor details, but for extortion purposes using the likes of CryptoLocker to pay ransoms.
Today’s private equity funds are increasingly being compared to their hedge fund counterparts and, as a result, are also facing more scrutiny. When it comes to managing and mitigating risk, PE fund managers are wrestling with growing threats on the security front and beyond and mounting pressures from the likes of the SEC and other industry best practice standards.
Security and Business Threats for Private Equity
Security threats abound for financial services firms, and private equity firms are not immune. From the inside out, the risks to PE firms grow daily, with savvy and experienced hackers looking to target financial firms – and perhaps more concerning – untrained and unaware employees blindly putting their firm’s operational standing in danger.
Beyond cybersecurity, however, there are also business threats to consider. Non-security incidents – everything from minor, incidental business disruptions to large-scale, regional impact events – can also wreak havoc for private equity firms otherwise unprepared to resume business functions. Downtime may prove to be less concerning for a PE manager than his hedge fund counterpart, but that does little to calm uneasy clients and investors who expect operations to run smoothly at all times.
PE Firms Feeling the Regulatory Pressure
The above security and business threats pose a serious challenge for private equity firms today. But beyond managing those risks to satisfy a fund manager’s own inherent desire to protect his/her firm, private equity firms also face significant and growing pressure from external bodies to meet operational excellence standards that continue to develop and evolve.
The following article was written by Dean Hill, Executive Director, Eze Castle Integration and first appeared on Hedgeweek as part of their special report: A Guide to Setting up an Alternative Investment Fund in Europe.
There is no shortage of threats to financial services firms, and the list of requirements from investors and regulators alike is growing at a rapid pace. As a startup, it's important to demonstrate to investors that you take your business seriously, hence, investments in operational excellence are required. On the cybersecurity front, that means leveraging technology infrastructure with robust, security-rich features including intrusion detection and ongoing traffic monitoring, regular vulnerability assessments and next-generation software, firewalls and patches to keep hackers out and firm assets secure.
But beyond technology safeguards, today's successful financial firms require the wherewithal to implement comprehensive cybersecurity programmes – whether you're a seasoned firm or embarking on your first investment venture. The most effective cyber programmes will focus on four critical administrative areas: (1) developing comprehensive security policies and plans to prevent external cyber-attacks or internal breaches, (2) training firm employees on said policies and current cyber threats, (3) cultivating a culture of security awareness from Management down, and (4) managing an effective risk programme via external vendor oversight.
Plan: True cybersecurity defence starts with proper planning. To start, funds need to develop written information security plans – comprehensive documentation of the firm's corporate security initiatives. This should include technical and administrative safeguards being employed to secure confidential data. In the development stage, firms will need to identify systems and plans currently being used, technical procedures and systems in effect, employee access controls relative to confidential data as well as user responsibilities for both prior to and in the event of a data breach.
Unless you’re living under a rock, you’ve at least heard rumblings about the newest app craze to hit the market: Pokémon GO. In existence for a mere 6 days thus far, Pokémon GO has already amassed more daily users than Twitter and Snapchat. And we’re not just talking about kids and millennials here. The app seems to be, perhaps unexpectedly, popular with users of all ages.
The potentially big concern to be aware of is the information users are making accessible to the app’s developer, Niantic Labs. To play the game, a Google login is required (unless you have a login with Pokémon), meaning the permissions you grant to the app include giving access to your full portfolio of Google accounts. That means email, contacts, calendar, photos and files. Even scarier, if you use Google Apps for Work, what information are you unwillingly providing to Pokémon GO?
If you’re a public cloud user and leverage Google Apps for corporate purposes, it’s worth taking the time to research the potential privacy and security impacts if your firm’s users also happen to be Pokémon GO users. At just six days old, there’s likely plenty more to be learned from the app, and the developer will likely be sharing more information in the near future on security permissions and settings.
There's a lot to be mindful of when it comes to cybersecurity. Experienced and savvy hackers. Insider threats. Regulatory guidance updates and subsequent enforcement actions. The list goes on. So how do today's hedge fund and private equity firm managers navigate the changing landscape and stay above the fray? It all starts with planning.
If you missed it, our recent webinar with law firm Sadis & Goldberg explores the regulatory climate for investment firms, recaps recent SEC enforcement actions and the variance in how compliance is evaluted, and provides practical and actionable advice for fund managers looking to address insider threats, education awareness and policy gaps around information security.
If you have a free hour, this one's worth your time.
Watch below or read our joint whitepaper, A Fund Manager's Cyber Security Action Plan.
In an alert posted to its website, the U.S. Federal Bureau of Investigation (FBI) stated that phishing email scams requesting wire fraud transfers have cost firms more than $2.3 billion in losses since 2013.
At the root of a phishing email scam is in-depth reconnaissance during which the cybercriminal delves into employees's personal information and the organization’s processes. During this phase, schemers phish languages within email threads and obtain enough information to pinpoint money-managing employees within the firm. Equipped with this insider information, the criminal sends a spoofed email, assuming the identity of the firm’s CEO or other senior executive, to an employee responsible for managing funds and requests an illegitimate wire transfer. Typically, the message will relay a sense of urgency – a key factor in the fraud's success.
According to the FBI, these email scams have increased by 270 percent (%) since January 2015. With the rise of these incipient, sophisticated attacks, the need for fully managed phishing and training programs grows exponentially. Breaches will happen, but when employees are provided with the tools and knowledge needed to recognize fraudulent emails, risk decreases and a firm’s defense system becomes stronger and more agile.