Eze Video Debut!
Ever wonder about the layers of security encasing our Eze Managed Suite solution? We thought you had. That's why we created this video, which outlines not only the security protections but also the extensive services available to investment firms and hedge funds that move to our premier cloud solution.
Watch, learn and then contact us for more details.
The following article is part of our Hedge Fund Insiders Article Series and was contributed by Willis Group Holdings Ltd. Read more articles from the Series HERE.
The cyber risk landscape is rapidly evolving. Governments are facing an unprecedented level of cyber attacks and threats with the potential to undermine national security and critical infrastructure. Similarly, businesses across a wide range of industry sectors, particularly those in the health care, retail and financial services industries[1], are exposed to potentially enormous liability and costs as a result of cyber incidents and data breaches.
Given the risk landscape, it is no wonder companies of all sizes continue to be subject to increasing data breach liability, both in the form of single plaintiff or class action lawsuits and regulatory investigations and proceedings. Negligence, breach of fiduciary duty and breach of contract are just some of the allegations that a company may face as a result of a systems failure or lax security that compromises the security of customers’ personal information or data.
Plaintiffs in data breach class actions typically allege that businesses failed to adequately safeguard consumer information and gave insufficient and untimely notice of the breach. Companies may also face class actions from banks and credit unions seeking damages for administrative expenses, lost interest, transaction fees and lost customers.
Settlements of data breach class actions can be exorbitant. For example, 25 class action lawsuits were settled in the wake of a retailer’s 2007 data breach involving the theft of data related to over 45 million credit and debit cards. The settlement included: up to $1 million to customers without receipts; up to $10 million to customers with receipts ($30 per claimant); $6.5 million in plaintiffs’ attorneys’ fees; and three years of free credit monitoring, with total costs reportedly up to $256 million. More recently, in 2014, two major retailers reported that the total costs of data breaches and related class action lawsuits (less expected insurance recovery) were estimated at $63 million and $191 million, respectively. And, this year, two major health care companies are separately facing several lawsuits as a result of data breaches that reportedly exposed the personal records of 80 million and 11 million people, respectively. While these matters have yet to be resolved, the anticipated costs of litigation and settlement may set records.
The following article is part of our Hedge Fund Insiders Article Series and was contributed by Haynes and Boone, LLP. Read more articles from the Series HERE.
Cybersecurity risks pose an increasingly significant threat to investment advisers. In early 2015, the Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) identified its annual adviser examination priorities, which reflect certain practices perceived to present heightened risk to investors and/or the integrity of US capital markets; one of those priorities was cybersecurity compliance and controls. In April 2015, the SEC’s Division of Investment Management (the “Division”) issued guidance (the “Guidance”) reinforcing cybersecurity as a priority for advisers and suggesting that advisers implement cybersecurity risk assessment plans, response strategies, and written policies and procedures. Included below are measures advisers should consider (some of which are directly from the Guidance) when addressing cybersecurity risks relating to their operations:
Risk Assessment. Advisers should conduct assessments of: (1) the nature, sensitivity and location of the information the adviser collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to, and vulnerabilities of, the adviser’s information and technology systems; (3) the security controls and processes currently in place; (4) the impact should its information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk.
As summer officially approaches its halfway point, we at Eze Castle Integration hope that everyone is enjoying the beautiful weather. We also want to take this opportunity to remind folks that your firm can still be vulnerable, even when the weather is warm and sunny. With heat and humidity rising, power usage increases to keep offices cool, leaving firms susceptible to power outages. Additionally, with employee vacations prevalent during the summer and offices less crowded, there are fewer gatekeepers protecting your firm from social engineering threats and hackers. Let’s examine some of these factors a little more closely and offer some business continuity and security tips to keep your firm running at full speed in the summer heat.
Impact of the Heat: Power Outages
You are sitting at your desk recording sensitive information for one of your clients when, all of a sudden, your screen goes black and the office is completely dark. Your firm has experienced a power outage caused by increased usage during the summer months, and you are not sure whether your information and technology are protected.
The months of July, August and September are considered the “blackout season,” as major cities use the most power during these months, leaving them susceptible to power outages. According to the Energy Information Administration, electrical power outages, surges and spikes in usage cause more than $150 billion in annual damages to the U.S. economy.[1]
We take our thought leadership efforts seriously around here, and we’re always interested in educating our clients and partners about technology issues that can affect them. We’re also fortunate to be invited to speak frequently on a variety of hedge fund technology topics – most recently, cybersecurity. Our own Managing Director, Vinod Paul, participated in a panel session last month in New York dedicated to this topic.
Featuring speakers from Eze Castle Integration, Citrin Cooperman, Akin Gump, and CFO Consulting Partners, the panel spoke candidly about how the cybersecurity landscape is evolving for financial services firms and how they can begin to comply with recent recommendations from the SEC and FINRA. Following are some highlights from the event. If you’d like to listen to the podcast of the panel, click here.
Many firms question whether they need to do anything to comply with the SEC’s cybersecurity recommendations. The answer is yes. And it takes more than technology: firms need to establish governance as well.
Cybersecurity governance is a critical component. Who is in charge beyond the IT team? Someone at the firm needs to take accountability for this process and interface with the various business functions to ensure compliance. Ideally, a Chief Compliance Officer or Chief Information Security Officer should own this responsibility.
So we all know hedge funds and investment firms don’t want their important information drifting around free file sharing services like Dropbox. Heck, even Dropbox’s Chief Operating Officer says they still have to convince businesses that “the enterprise features that [they’ve] built satisfy [business] security requirements and [business] needs.”[1]
With security threats multiplying exponentially, satisfying security requirements isn't enough: vendors need to be one step ahead. That’s why, for secure file sharing, Eze Castle Integration offers the Varonis DatAnywhere product as a standard feature within our Eze Managed Suite. Varonis DatAnywhere offers users seamless and secure collaboration and file sharing across devices.
Beyond security, Varonis DatAnywhere is easy to use. Users get the same drag-and-drop experience as shared network drives or a cloud sync folder, which means no training is needed on complex user interfaces and collaboration workflows. Additionally, data is automatically backed up and version controlled.
We created a video training series for our Eze Managed Suite clients on using DatAdvantage. While I can’t share all the videos (unless you are an Eze client!), here’s the intro video to give you a taste of this great feature.
Hedge fund outsourcing is not a new trend, as buy-side firms have long dispersed the responsibility of many functions to third-party service providers more adept and accomplished at said functions. Technology, for example, is an area where many firms choose to leverage outsourced providers to manage complete or partial infrastructures, support projects or supplement on-site IT staffs. The benefits to outsourcing are numerous, but the true measure of a successful service provider relationship comes when an investment firm’s level of risk in using that provider is low.
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third party is enormous. Not only is the firm relinquishing control to an outside company, it also takes on the added burden of managing that company in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of various parties. Here are a few tips to help your firm properly manage third-party service provider risk:
Last week, we partnered up with law firm Sadis & Goldberg to host a webinar where we discussed the Securities and Exchange Commission’s (SEC) Division of Investment Management’s latest cybersecurity guidance recommendations and offered firms clear direction on satisfying these new requirements from both a legal and technology perspective. Featured speakers included John Araneo, counsel, and Lance Friedler, partner at Sadis & Goldberg, as well as Eze Castle Integration’s Managing Director Vinod Paul. To watch a full recap of the webinar, click here or scroll down.
Cyber Threats Across the Industry
The cyber threat landscape is changing rapidly, and our speakers shared examples of how sophisticated hackers are targeting all industries, not only financial services. Araneo gave two examples of data breaches at companies that were recently penalized by the SEC for failing to meet requirements. The first was a firm that failed to use strong passwords and allowed access to systems after long periods of computer inactivity, resulting in a penalty and two years of mandatory independent security consulting. The second firm failed to enforce the use of anti-virus software, leading to an unauthorized trade from a customer’s account and resulting in fines totaling over $100,000.
Beyond mismanagement of internal cyber controls, phishing and ransomware are other targeted approaches our speakers noted they are seeing across the industry: hackers target executives with fake emails that try to phish sensitive information or carry attachments that could infect entire systems. In the case of ransomware, if a user opens an infected email, the malware locks down files, and the only way to recover them is to buy a key from the hacker. As the sophistication of cyber hackers increases, firms are expected to shore up security and employ best practices to protect sensitive company information, a goal the SEC is pursuing with its most recent cybersecurity guidance recommendations.
Security, security, security. It’s all anyone can talk about. From spear-phishing schemes to cyber extortion plots, hackers are reaching new levels of sophistication in their attempts to steal sensitive material and, in many cases, gain access to funds. But while we’ve trained ourselves to be more aware of these elaborate cybersecurity schemes, we often forget that the gateway to much of our information is secured by only one teeny, tiny little feature: a password.
Whether you’re safeguarding your work PC or personal mobile device, password security is the first and arguably most important step you can take to protect your sensitive information. Unfortunately, users often don’t put the necessary effort into creating strong, secure passwords, leaving that sensitive information in peril and easily accessible to capable hackers.
Password creation sounds like a simple task, but it is far from it, especially in today’s security-heightened marketplace. Following are five hallmarks of a strong password to help get you started:
In the context of information technology, social engineering refers to the act of tricking people into divulging confidential or sensitive business information or into breaking security policies. This form of attack infiltrates companies by targeting their weakest access point, which is predominantly a firm’s employees.
The Art of the Phishing Con
Let’s examine a popular social engineering technique known as phishing. In a phishing scheme, the hacker broadly disseminates a fraudulent email with the aim of acquiring sensitive data such as login credentials, access to IT resources, or banking information. The message may ask the recipient to submit personal information or to click on a link that delivers malware. Although this approach rarely dupes sophisticated users, a distracted employee could make one mistake and compromise a firm’s entire network.