In case you missed it, earlier this week we hosted a webinar during which our resident cybersecurity expert and SVP of Technology, Steve Schoener, answered questions regarding the results of the recent SEC cybersecurity exams and identified the top takeaways relevant to hedge funds and investment management firms. Here’s a look at our Top 10 Takeaways from the recent exam findings. If video is more your style, you can watch the full webinar replay here.
1. WISPs are well adopted.
A WISP, or Written Information Security Policy, was found to be employed by 93% of broker-dealers and 83% of registered investment advisers. What is typically included in a WISP document? Similar to business continuity plans, WISPs identify scenarios firms need to be aware of from a security perspective as well as preparedness measures to address those scenarios. Both administrative and technical safeguards are identified, giving firms a complete picture of what to protect and the processes in place to do so.
In this Opalesque.TV video interview, Bob Guilbert and Vinod Paul from Eze Castle Integration discuss the cybersecurity landscape of the investment community, specifically the risks facing hedge funds and alternative investment managers in 2015. Both spend the majority of their time educating their client base on internal and external risks, protecting them against the “Activist Hacktivists” looking for any means of entry into funds.
These hackers will spend weeks, months, and sometimes even years trying to get access, most often with the goal of triggering illicit wire transfers out of the fund.
Today, the usual employee practices of avoiding suspicious links and attachments and following password protocols aren't enough. Everyone should be aware of newer techniques employed by hackers, such as “spear phishing” and “watering hole” attacks, which will become more frequent as more institutional dollars flow into hedge funds. Unless funds have the right Written Information Security Policy (WISP) and processes in place, together with true intrusion detection that monitors what is coming into the firm and what data and information is leaving it, they remain at risk of a cybersecurity attack.
This month (February 2015) The Financial Industry Regulatory Authority (FINRA) issued a Report on Cybersecurity Practices to assist firms in responding to the growing threats of cyberattacks. The report centered on seven (7) “key points” as defined by FINRA.
Our team regularly counsels clients on how to address these cybersecurity practices. So in the interest of sharing, here is a high level snapshot of how Eze Castle Integration addresses the key points in the report.
Key Point 1: A sound governance framework with strong leadership is essential. Numerous firms made the point that board- and senior-level engagement on cybersecurity issues is critical to the success of firms’ cybersecurity programs.
Eze Castle Integration has an appointed Chief Information Security Officer (CISO) and an established Computer Security Incident Response Team (CSIRT). CSIRT members have predefined roles and responsibilities, which can take priority over their normal duties. The CSIRT is overseen by the CISO and comprised of individuals from various groups such as Network Operations, Client Services, Cloud Services, Project Management, and Human Resources.
In its 2015 priorities, the SEC’s Office of Compliance Inspections and Examinations (OCIE) listed cybersecurity as a key focus area in its risk-based assessments. Then on February 3, 2015, OCIE released summary findings from its Cybersecurity Examination Sweep.
OCIE’s sweep focused on firms’ written documentation for its assessment and conducted only "limited testing" of the accuracy of the responses. Nor did OCIE review the technical sufficiency of the firms’ programs. OCIE’s reliance on documentation highlights the importance of complete Written Information Security Policies.
Following are noteworthy items Eze Castle Integration observed in reviewing the findings.
Most firms adopted written information security policies, but 43% of advisers did not conduct periodic audits to determine compliance with these information security policies and procedures.
49% of advisers did not discuss mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident in their written business continuity plans.
The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, only 32% of advisers require cybersecurity risk assessments of vendors with access to their firms’ networks.
In the Written Information Security Policies (WISPs) Eze Castle Integration creates for clients, we include service provider risk assessments as a standard element.
With a new year comes new regulations for hedge funds and investment firms. Earlier this week, Eze Castle Integration hosted a webinar during which Ricardo Davidovich, partner at Haynes & Boone LLP, shared his insight into the Securities and Exchange Commission’s (SEC) new examination priorities as well as recurring themes firms should expect to see play out through the year.
What’s New in 2015
One priority for examinations this year is the focus on retail investors. Davidovich says that “hedge funds, which in [the SEC’s] mind have historically been an exclusive and private club, are being sold to the retail and consumer client base.” This means the SEC will be taking a closer look at the types of fees being sold, the sales practices and the suitability analysis. Firms should focus on making sure no information released is misleading and that there are provisions against fraud. There should be a real emphasis on policies that create guidelines which can be shown and proven to the SEC.
At a time when cyber-attacks are becoming more and more frequent, protecting your company’s information is of the utmost importance, which is why Eze Castle Integration is advising clients to hold off on downloading Microsoft’s Outlook for iOS and Android.
In December 2014, Microsoft acquired the tech company Acompli, which was known for its mobile mail application. Now in 2015, Microsoft has rebranded the app as an Outlook application for iOS and Android phones. While the product has done well and has a following, many are wary of certain procedures and features that could compromise information moving forward.
How Does It Work?
The application uses Exchange ActiveSync (EAS) for the majority of users and Outlook Web App (OWA) for advanced functionality. EAS retrieves information from Exchange, which is then processed and pushed to the clients. However, each step of the process has potential complications. The platform includes email, calendar features, attachment integration with OneDrive, Dropbox, Google Drive, Box and iCloud, and customization.
This article originally appeared on TABBforum and was contributed by Steve Schoener, senior vice president of client technology at Eze Castle Integration.
Cybersecurity certainly made its mark on the hedge fund and alternative investment industry in 2014. Threats consistently increased in frequency, sophistication and form. With the release of the SEC’s Cybersecurity Risk Alert this past April, firms were forced to react swiftly and leave their outdated security practices behind. 2014 was a reactive year for hedge funds, but we envision a shift in trends for 2015.
Prior to heightened regulations and detailed due diligence and IT security questionnaires, the majority of financial firms were drawing their curtains closed when it came to facing the reality of the threat landscape. But it was only a matter of time until businesses no longer could turn a blind eye to threats and investors knocking at their front doors.
Over the past year we have witnessed an unceasing number of cyber-attacks and potential threats, as well as heightened security regulations placed upon hedge funds. Consequently, we’ve all read the headlines and best practices guidelines when it comes to cybersecurity. While these resources are all helpful, there is an untapped core that lies beneath this hot topic’s surface layer. That is, the ever-evolving future and forthcoming trends for hedge fund information security. So what do we at Eze Castle Integration forecast for cybersecurity in 2015?
It’s officially 2015! With the New Year upon us it is important to set new goals for the future. In today’s post, we offer five resolutions hedge funds should consider to help pave the pathway for another prosperous year.
Resolution #1: Prepare for Cybersecurity
In 2014, hedge funds were revamping their IT policies and upgrading their methods of preventing, detecting and responding to cyber threats. However, this push to overhaul and enhance security was largely a reaction to the several breaches we witnessed in 2014. Among the companies affected were Sony, Target, JP Morgan Chase and Home Depot. In 2015, we predict cybersecurity will remain at the forefront of the headlines. Accordingly, hedge funds should prepare ahead of time and have detailed information security policies in place.
Resolution #2: Avoid Common Cloud Mistakes
When it comes to hedge fund operations and technology, there is no margin for error. Common mistakes range from not sizing bandwidth adequately to business needs, to not planning proactively for applications, to assuming deep security safeguards are in place. Hedge funds that take the proper precautions and do their research when cloud shopping save themselves from preventable stress and escalating issues down the road.
It’s been quite a year, and as always, it’s hard to believe it’s over. In 2014, Hedge IT continued to thrive in its goal to provide advice and insight into hedge fund technology and operations. The financial services industry is evolving at a rapid pace, and we’re evolving our topics and conversations to keep up. Across 100 blog posts this year (not including this one), almost half of them – 49 to be exact – addressed the topic of security, which is undoubtedly one of the single most important focus areas for hedge funds and investment firms today. In addition to security, we covered everything from tips for starting a hedge fund to avoiding cloud mistakes to hiring for IT roles.
Looking ahead to 2015, we plan to keep the conversations tuned in to what really matters to hedge funds when it comes to technology, and we’ll share as much content as we can in as many formats as we can. But before we get too ahead of ourselves – it’s not quite 2015 yet – let’s take a look back at 10 of our most popular blog posts from 2014.
As we say goodbye to 2014 and look ahead to 2015, we thought we'd pull together some of our top technology predictions for the new year. Take a look below and see if they match up with your expectations.
Cybersecurity was brought to the forefront during 2014, particularly when the SEC announced its intention to focus on cybersecurity during this year’s round of examinations. Hedge funds have been overhauling their IT policies and upgrading their methods of preventing, detecting and responding to cyber threats. This was further reinforced by the many breaches we witnessed in 2014, including those that affected Target, Home Depot, JP Morgan Chase and, most recently, Sony. The Sony hack alone resulted in the release of personal data of both current and former employees, company wage data and communications from upper management, and in five movies being stolen and subsequently released to the public. As hacks and threats increase in complexity and frequency, we expect that cybersecurity will continue to be a big topic of discussion in 2015.