The SEC last week provided even more clarity into its growing focus on cybersecurity at broker dealers and registered investment advisers. A key takeaway in a Risk Alert issued on April 15, 2014, is that the Office of Compliance Inspections and Examinations (OCIE) will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.
In order to help compliance professionals prepare and assess their firms’ cybersecurity preparedness, OCIE has created a sample cybersecurity request document that outlines the types of questions firms can expect. OCIE is careful to point out that these questions should not be considered all-inclusive of the information that OCIE may request. OCIE will alter its request for information as it considers the specific circumstances presented by each firm’s particular systems or information technology environment.
You can find the Risk Alert and questions HERE.
Earlier this week, it was reported that Nasdaq was reconsidering its Amazon-based cloud product, FinQloud. According to the Financial Times, FinQloud has failed to gain significant traction in the marketplace among financial services firms, including broker-dealers and exchanges. If Nasdaq pulls out of the deal with Amazon Web Services (AWS), it would be a major disappointment to Amazon, which is actively pitching AWS to large financial institutions and enterprises.
Whether the limited adoption of FinQloud is a sign of a product flaw or a larger industry trend, we feel it important to draw attention to a longstanding debate within the financial services industry – a debate that we’ve shared our thoughts on here on Hedge IT many times: public vs. private clouds.
It’s certainly possible that the slow adoption of FinQloud is a result of concerns over mass public cloud usage – a stern reality for many financial services firms who expect and demand that their critical applications and data be stored in a highly secure and available environment. Hedge funds and investment firms, in particular, cannot afford unexpected downtime, and unfortunately, we’ve seen several public cloud providers experience major outages in recent years. Just last week, Dropbox users logged in to find the service was unavailable, and Amazon and Google have both found their services in the headlines in recent years over very large and public disruptions.
Back in October of last year, we learned that Microsoft was ending support for its XP operating system – a move that would force users to upgrade to its more current software. Fast forward to today, and more than 29% of PC users are still using XP (according to NetMarketShare). In an interesting move, Microsoft announced recently that it will continue to provide updates to its antimalware signatures and engine for Windows XP users through July 14, 2015. Microsoft did caution that its research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited.
We can assume this is a move at least partly fueled by slow adoption of software upgrades, based on the figure NetMarketShare has provided. Beyond private PC users, however, there may lie an even greater reason for extending security support. Reports suggest that more than 90% of ATMs across the United States are operating with Windows XP – a potentially crippling situation if hackers were able to breach the operating system. Last year, “a high-profile criminal group in Europe took advantage of a security vulnerability in XP that allowed them to use flash drives to infect ATMs with malicious software, emptying the machines of cash one by one. Researchers estimate that they may have gotten away with millions of Euros.”
Is Dropbox becoming a noun? For the sake of this article, let’s say it is.
With over 200 million users, Dropbox (and similar services) is gaining popularity based on its ability to allow users to share files and sync data between devices. These capabilities are very appealing but rely on a public cloud platform that can introduce security and compliance concerns for hedge funds.
Dropbox made headlines last year when it was discovered by security researchers that the service opens some files once they are uploaded. While Dropbox provided an explanation, this can be a serious issue for businesses where employees are using Dropbox to share sensitive company and investment data.
So are your employees using Dropbox? Probably. A study conducted by Gigaom of 1,300 business professionals found that one out of five use public file sharing services, such as Dropbox, with work documents. And, half of those users know their companies have rules against it. This raises the question, how do you give employees access to a valuable tool in a way that meets compliance and security protection obligations?
It has been said that cyber weapons can be as dangerous as weapons of mass destruction. To emphasize this, at last night’s FBI Citizens Academy seminar on cyber security in financial markets, the speaker noted that if you take out an industry (think financial, telecom) you can cripple an entire country.
But just how would this happen? What’s in a hacker’s tool kit? Quinn Shamblin, executive director of information security at Boston University, provided a glimpse into the cyber security underworld.
Targeting Your Favorite Device
Let’s start with Mobile Device Security. Hackers are shifting their focus and resources to mobile devices. They recognize that a user’s life is virtually encapsulated on his/her mobile device. From contacts and email to documents, passwords and banking apps, mobile devices now hold as much as or more personal information than PCs or laptops. And most devices do not have anti-virus/anti-malware software installed.
Just last Friday, Apple released a critical update to its iOS 7 operating system after a flaw was identified that could give an attacker with a privileged network position the ability to capture or modify data in sessions protected by SSL/TLS (which relies on public key cryptography). Following that announcement, researchers at a cyber security firm (FireEye) published a proof of concept for a surveillance app that, if created and distributed by hackers, could capture every tap on an iPhone’s screen. The information captured, including passwords and credit card numbers, would be accessible to the attacker. These are just two examples of the cyber security threats facing mobile devices. Users need to be aware that these threats exist and practice smart computing on all devices.
In honor of our 400th post here on Hedge IT (400 - wow!), we are celebrating with our annual blog awards. We've gathered the most popular articles according to our readers and included a few of our personal favorites, too. We hope you enjoy!
Have you been enamored by the coverage of the Winter Olympics the last two weeks? We sure have. And watching all of these great sports we don’t normally get the chance to witness got us thinking – there are a lot of similarities between technology and Olympic sports. They’re both complex in many ways and require experts (engineers and athletes) who are the best of the best at what they do.
One of our favorite sports to watch is curling. And we couldn’t help but notice that Olympic curling and the private cloud are a lot alike. Don’t believe us? Take a look.
Both are safe and secure.
Let’s be honest: curling clearly presents the least amount of danger and lowest risk for injury at the Winter Olympics. Skiing and snowboarding? We’ve seen our fair share of wipeouts this year. Bobsled, luge and skeleton? Those are terrifying enough just as a spectator. Even figure skating poses a risk when skaters are leaping and twizzling left and right.
But curling? Extremely safe. Athletes can be fairly certain – whether they are curling or sweeping – that they will come out of the event unscathed.
Investment risk plays an important role in the life of a hedge fund manager, but technology risk should not. When it comes to your firm’s technology systems and operations, you want things to run efficiently, not add more stress to your already crowded plate.
Mitigating technology risk is a critical step to ensuring your hedge fund operates smoothly and successfully. Following are a few areas to keep in mind as you evaluate your firm’s technology risk:
Layers of Redundancy
One way to reduce your firm’s technology risk is to add layers of redundancy throughout your infrastructure. Whether you’re utilizing a cloud infrastructure or an on-premises environment, your servers, networking and telecom lines should feature N+1 availability, a configuration in which multiple components have at least one independent backup component to ensure system functionality continues in the event of a failure.
Notice anything different? That’s right, your favorite hedge fund technology blog got a facelift, and we didn’t stop there -- we overhauled our corporate website too. Our goal with the overhaul was to make it even easier for visitors to get the valuable information they expect from the industry’s technology leader (us!). We hope you like it.
Now on to today’s hot topic. The U.S. Securities and Exchange Commission (SEC), at a recent industry event, said that they plan to examine the cybersecurity policies and procedures asset managers have in place to prevent and detect cyber attacks.
Specifically, according to Reuters, SEC national associate director Jane Jarcho said, “We will be looking to see what policies are in place to prevent, detect and respond to cyber attacks [and] we will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors."
Some have indicated that the SEC cybersecurity exams could be coming by late September 2014. In many cases they will be conducted as part of the SEC's routine examinations of investment companies; however, Jarcho advised that inquiries could also be done as separate exams.
Last week, we kicked off our 2014 webinar series with our first topic, “Security Incident Response Priorities: How to Prepare Your Firm Before a Breach Occurs” featuring our own VP of Technology, Steve Schoener, along with eSentire’s Chief Technology Officer, Eldon Sprickerhoff. Topics discussed included common threat actors and potential security scenarios to be aware of as well as the importance of planning a response to such attacks.
A Quick Brief
In 2012, IBM reported that companies were attacked an average of 2 million times per week, and unfortunately, the statistics aren’t declining anytime soon. It’s no longer “what if” a security breach or cyber attack occurs, but when and how it will occur. With targeted attacks bypassing existing security infrastructures, the topic of security has become even more important to all firms.
The most common threat actor lately has been criminal organizations, most notably international ones. Criminal organizations are out for profit and are the most difficult to track down, especially when they operate across borders. There has been less impact from nation states, but these remain threats to be cautious of, along with insiders and hacktivists.