According to the Privacy Rights Clearinghouse, more than 100 million data records of U.S. residents have been exposed due to security breaches in the last five (5) years. In order for an investment management firm or hedge fund to correctly control and protect its data, you must first have a thorough understanding of what exactly you are storing in both print and electronic documents. Secondly, you must have data loss prevention technology in place to protect the information.
There are three primary questions every investment management firm should first ask itself when it comes to personal information:
What information is being stored?
Where is it being stored?
Who has access to it?
Now let’s look at what an investment management firm should do with the answers to these questions.
Step 1: Data Mapping – Where is your information stored?
Data Mapping is one method that will help you understand what information is being stored within your infrastructure. Data Mapping involves searching your entire organization to determine what personal information is stored and where. Once the data is found, maintaining your organization’s data map is very important. This will help ensure that the personal information remains secure. Maintaining a data map, however, can be a time-consuming and challenging process, and might be a task a firm would want to outsource.
Step 2: Data Loss Prevention: Protect your information
After you understand where your data resides, you will need the proper technology in place to protect it. Data loss prevention (DLP) technology is often one piece of the puzzle. DLP technology, such as GTB Technology’s eDiscovery product, can be used to monitor and protect data at rest, in motion and on the endpoints through deep content inspection and the constant monitoring of transactions occurring across the network. In other words, data loss prevention technology will ensure that any personal information that is stored within your organization does not leave without the proper authorization.
The actual information your firm is storing likely includes a vast array of documents, communications and other materials. Protecting that information, unfortunately, is not a simple task. For example, the types of communications you should be controlling and protecting include email, webmail, instant messaging, peer-to-peer sites, FTP and HTTP. Here’s a diagram to highlight the insider threat many investment firms face:
According to Cisco Ironport, a leader in email and web security technology, “whether it’s email, instant messaging, webmail, a form on a website, or file transfer, electronic communications exiting the company still go largely uncontrolled and unmonitored on their way to their destinations – with the ever-present potential for confidential information to fall into the wrong hands.”
Encryption is another essential component of data loss prevention and web security. In accordance with the new MA state data protection law, firms must encrypt all communications containing personal information that traverse a public network (i.e. the Internet). When looking to encrypt your firm’s communications, there are a few methods to consider.
The first is the most simple: turning on Transport Layer Security (TLS) within your mail environment. If the mail recipient also has TLS enabled, your firm’s email messages will now be encrypted and secured from prying eyes. Additionally, the messages will be able to be archived in clear text for SEC compliance audits.
If this solution is not an option for your firm or you are communicating with individuals who do not have TLS enabled on their mail environment, there are secure mail portals which allow you to send out a notification that there is an encrypted message waiting for them on a hosted portal. The recipient would then log in to the secure portal and view the message. The potential downside to this is that the full message would not be archived for SEC compliance on the recipient’s side.
Even with a fully implemented data loss prevention solution, a financial firm needs to proactively monitor its infrastructure and employees to ensure they are complying with the investment firm’s data loss prevention policies. An investment firm should ideally have control over each piece of data and the people that have access to that data. This should be accomplished through both physical and technical controls as well as corporate policies that the whole organization is trained on and follows.
To ensure compliance to the corporate policies, notification and message termination rules can be set up within your financial firm’s data loss prevention environment. For instance, a rule could be put in place to automatically disallow an email from being sent or forwarded by certain individuals if that email contains sensitive personal information. Another type of rule could prevent the copying of a file from a network shared drive to a personal USB drive. These types of rules could prevent a major data leak and save your firm from unnecessary public embarrassment.
Data Loss Prevention (DLP) technology allows financial firms to comply with data privacy regulations, but it also goes a step further and provides protection from the embarrassment of being publicly scolded and fined for not properly protecting your firm’s personal information. Whether your firm chooses to use DLP or another solution, it is more important than ever that you protect the sensitive personal information of your employees and investors and reduce the risk of a breach by executing carefully thought out and tested safeguards.
Categorized under: Trends We're Seeing