The amount of data and information that passes through the Internet every day is – for lack of a better term - enormous. And truth be told, sometimes we are sharing information that we don’t want to get into the wrong hands, whether it be via email, instant message or other communications. Think: credit card information, personal information (name, address, social security number, etc.), bank account information or sensitive company or financial data.
A secure way to transmit this information is through encryption. According to TechTarget, encryption is “the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.”
The history of encryption, believe it or not, began a long time before the Internet existed and we started sending electronic data. The ancient Greeks and Romans, in fact, sent secret messages by substituting letters that only a secret key code could decipher. In the time of Julius Caesar, he created a cipher by which he shifted letters to the left or right to hide his messages.
The official definition given in TechTarget’s IT Dictionary reads: “Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access.”
At the heart of authentication is controlling access to ensure individuals only access the information they need. With stories of password compromises becoming more common it is important to understand the types of authentication factors available and good computing practices.
As part of Information Security Planning, firms should also identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens) as well as any that may require multi-factor authentication.
Following are the three commonly used authentication factors:
In a constantly connected world, the majority of us cannot help but feel reliant on our mobile devices, especially when it comes to battery life percentage.
Whether you’re in the airport, train or just on the go, keeping that effervescent green light out of the red zone becomes a priority, and most will plug into just about anything. With public smartphone chargers on the rise, this resource seems ideal for the battery conscious user. However, prior to plugging in to power up, we suggest proceeding with caution. After all, do you know whose hands that charger was in before?
We recently hit our 500th post here on Hedge IT! To commemorate, we are hosting our annual blog awards! We've gathered the most thought-provoking, popular articles according to our readers and included a few of our personal favorites, as well.We hope you enjoy!
Two months into 2015 and already there have been changes within the financial service industry. From global security breaches, to the demands for increased investor transparency, to start-up funds launching and competing with their enterprise counterparts, the hedge fund landscape is as turbulent as ever. From a hedge fund technology perspective, there are a couple major trends that have started and will definitely continue to play out during the rest of 2015.
Zeroing in on these trends, today we released our new whitepaper aptly titled Four Trends Shaping Hedge Fund Technology. Read on for a sneak-peak of the topics covered in the paper and be sure to download the complete paper HERE.
In case you missed it, earlier this week we hosted a webinar during which our resident cybersecurity expert and SVP of Technology, Steve Schoener, answered questions regarding the results of the recent SEC cybersecurity exams and identified the top takeaways with meaning to hedge funds and investment management firms. Here’s a look at our Top 10 Takeaways from the recent exam findings. If video is more your style, you can watch the full webinar replay here.
1. WISPs are well adopted.
A WISP, or Written Information Security Policy, was found to be employed by 93% of broker-dealers and 83% of registered investment advisers. What is typically included in a WISP document? Similar to business continuity plans, WISPs identify scenarios firms need to be aware of from a security perspective as well as preparedness measures to address those scenarios. Both administrative and technical safeguards are identified, giving firms a complete picture of what to protect and the processes in place to do so.
In this Opalesque.TV video interview, Bob Guilbert and Vinod Paul from Eze Castle Integration discuss the cybersecurity landscape of the investment community, specifically the risks facing hedge funds and alternative investment managers in 2015. Both spend the majority of their time educating their client base on internal and external risks, protecting them against the “Activist Hacktivists” looking for any means of entry into funds.
These hackers will spend weeks, months, and sometimes even years trying to get access, most often with the goal of triggering illicit wire transfers out of the fund.
Today, the usual efforts of employees to avoid clicking links or opening files and password protocoling aren't enough. Everyone should be aware of new techniques employed by hackers like “spearfishing” and “whaterhole” attacks which, with more institutional dollars flowing into hedge funds, will become more frequent. Unless funds have the right Written Information Security Policy (WISP) and processes in place, together with true intrusion detection that monitors what is coming into the firm and what data and information is going out of the firm, they can be at risk of a cybersecurity attack.
This month (February 2015) The Financial Industry Regulatory Authority (FINRA) issued a Report on Cybersecurity Practices to assist firms in responding to the growing threats of cyberattacks. The report centered on seven (7) “key points” as defined by FINRA.
Our team regularly counsels clients on how to address these cybersecurity practices. So in the interest of sharing, here is a high level snapshot of how Eze Castle Integration addresses the key points in the report.
Key Point 1: A sound governance framework with strong leadership is essential. Numerous firms made the point that board- and senior-level engagement on cybersecurity issues is critical to the success of firms’ cybersecurity programs.
Eze Castle Integration has an appointed Chief Information Security Officer and an established Computer Security Incident Response Team (CSIRT). CSIRT members have predefined roles and responsibilities, which can take priority over normal duties. The CSIRT team is overseen by the Chief Information Security Officer (CISO), and comprised of individuals from various groups such Network Operations, Client Services, Cloud Services, Project Management, and Human Resources.
In its 2015 priorities, the SEC’s Office of Compliance Inspections and Examinations (OCIE) listed cybersecurity as a key focus area in its risk-based assessments. Then on February 3, 2015, OCIE released summary findings from its Cybersecurity Examination Sweep.
OCIE’s sweep focused on written documentation for their assessment and conducted "limited testing" of the accuracy of the responses. They did not review the technical sufficiency of the firms’ programs either. OCIE’s reliance on documentation highlights the importance of complete Written Information Security Policies.
Following are noteworthy items Eze Castle Integration observed in reviewing the findings.
Most firms adopted written information security policies, but 43% of advisers did not conduct periodic audits to determine compliance with these information security policies and procedures.
49% of advisers did not discuss mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident in their written business continuity plans.
The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, only 32% of advisers require cybersecurity risk assessments of vendors with access to their firms’ networks.
In the Written Information Security Plans (WISP) Eze Castle Integration creates for clients, we include service provider risk assessments as a standard element.
With a new year comes new regulations for hedge funds and investment firms. Earlier this week, Eze Castle Integration hosted a webinar during which Ricardo Davidovich, partner at Haynes & Boone LLP shared his insight into the Securities and Exchange Commission’s (SEC) new examination priorities as well as reoccurring themes firms should expect to see play out through the year.
What’s New in 2015
One priority for examinations this year is the focus on retail investors. Davidovich says that “hedge funds, which in [the SEC’s] mind have historically been an exclusive and private club, are being sold to the retail and consumer client base.” Meaning they will be taking a closer look at the types of fees being sold, the sales practices and the suitability analysis. Firms should focus on making sure no information released is misleading and that there are provisions against fraud. There should be a real emphasis on policies to create guidelines that can be shown and proven to the SEC.