When it comes to protecting your investment firm from serious cybersecurity threats, it's safe to say that less is definitely not more. In fact, it takes a pretty heavy arsenal of security measures to combat the ever-growing threats targeting your firm from both the inside and the outside.
But it may not be realistic for your firm to employ every cybersecurity technology/tool and develop and maintain a host of security policies - at least not from day one.
Luckily, we’ve developed a handy cheatsheet to help you assess some of the cybersecurity protections that should be on your list. You’ll notice we’ve divided them by tiers, because, well, you’ll need to decide how much of your time, budget and resources are spent protecting your firm’s assets.
Tier 0: This is the ‘must-have’ list. There is no getting around these security measures.
Tier 1: This tier incorporates a few enhanced features as well as a strong contingency of policies to support your cybersecurity program. Plus – and here’s the big one we keep talking about – employee security awareness training. Tier 1 is typically where most investment management firms fall today.
Tier 2: This can be considered an “advanced” tier, with the incorporation of progressive tools such as intrusion detection/prevention systems and next-generation firewalls. But this is quickly becoming the norm for mid-to-large asset managers, particularly as a means to demonstrate preparedness to institutional investors.
This year an estimated 2.8 million college graduates entered the workforce, most of whom are millennials. Millennials have now become the largest share of the US workforce, and as a result, are placing greater demands on firms that now need to adapt in order to attract new talent. What does this mean for IT? A greater focus on cloud adoption.
Millennials, by virtue of the fact they were born in the last thirty years or so, have spent their adult lives thus far exposed to and surrounded by technology. Being some of the first to adopt some of the newest technologies including social media, smartphones and mobile apps millennials have a lifelong reliance on technology and are used to having information at the tips of their fingers. They have grown up during the advent of the cloud and are not interested in relying on more traditional technology systems and infrastructures that are often more high cost and likely to become outdated. Up-to-date technology is a norm for millennials, and they expect it to be at their disposal.
2017 is already shaping up to be an interesting year. With a new presidential administration taking office and the hedge fund industry coming off the heels of a challenging year, there’s a lot to keep an eye on. We recently hosted a panel with law firm Morgan Lewis to discuss these and many other topics as part of our “2017 Outlook for Hedge Funds: Risk, Regulation and Technology” event.
Read on for some of our panel’s key takeaways.
2017 Regulatory Outlook
While little is known about how a Trump presidency will operate, there could be potential tax savings for managers depending on how the administration chooses to regulate Wall Street.
Firms should expect to see reforms with the Dodd-Frank Act and the Volcker Rule, which could add more competition into the marketplace if limits on bank investments are adjusted.
SEC Focus Areas
Top six areas of focus for the Securities & Exchange Commission will likely be: (1) expenses and fees, (2) trade allocation, (3) material non-public personal information, (4) valuation processes, (5) operating partners and due diligence, and (6) security, privacy, insider trading and business continuity.
Cybersecurity is not necessarily part of every SEC examination, however, the bar will continue to be raised in terms of preparations firms will need to employ.
In 2016, the SEC provided additional guidance on business continuity and transition plan requirements, highlighting the need for hedge fund and financial firms to maintain their fiduciary responsibility to their clients and investors.
Categorized under: Security Cloud Computing Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Outsourcing Infrastructure Business Continuity Planning Trends We're Seeing
Our 2016 Private Equity CTO Survey is packed with insights across four primary areas: business priorities, cybersecurity, outsourcing trends and the evolution of the private equity CTO. These findings include:
70% of PE firms report their organizations have experienced 3 or more cybersecurity issues in the past 12 months
Nearly 90% of respondents identified cloud computing as a planned investment area, with respondents preferring private cloud solutions over the public cloud.
93% of survey respondents believe their firm’s CTO or top IT executive is becoming more important to their business
Checkout out our infographic (below) for a picture of our findings and download the full report here: www.eci.com/pesurvey.
The tide is changing for private equity firms. They continue to grow in popularity – some say private equity is the new hedge fund – but with increased interest comes amplified speculation and heightened expectations.
In technology, private equity firms have found a fierce enabler for continued growth, and one that has shone the light on organizational benefits to be had far beyond the IT closet.
Eze Castle Integration commissioned its Private Equity CTO Survey to more closely examine the evolution of the private equity industry as driven by – and driven to – technology. In reaching the top IT executives and chief technology officers (CTOs) at these firms, the survey highlights their priorities, successes and even failures, and in doing so, sheds light on this industry that has risen to the forefront of the greater financial community.
Our Private Equity CTO Survey encompasses four primary sections: business priorities, cybersecurity, outsourcing trends and the evolution of the private equity CTO.
If one thing is to be derived from the advent of information technology, it is that IT enablement extends well beyond the recesses of the Communications Room. Accordingly, technology decision-making is also impacted by an organization’s business objectives, and the two work in alignment to derive achievements across the firm. In this section of the survey, we’ll highlight areas where business goals have impacted IT budgets and where private equity firms plan to focus their attention in the coming year.
The cybersecurity threat landscape continues to evolve, leaving behind significant operational and reputational harm for financial services firms. Cyber-attacks such as those impacting LinkedIn, Talk-Talk, Yahoo and Sony have forced cybersecurity into the limelight via news making headlines, enough to fill any business with trepidation. We hear and see a lot of information floating around – some of which, unfortunately, can be misleading or, at times, inaccurate. It is imperative that firms understand how to separate the facts from fiction and develop and deploy sophisticated and appropriate approaches to information security.
So, what are these myths exactly? Let’s have a look.
Myth #1 Cyber Security? Just leave it to the IT department.
Cyber awareness needs to be embedded in the culture of the company, not just the IT team. Firms should communicate the importance of managing cyber risk to every employee in order to strengthen and integrate protocols into daily business operations. Never underestimate the effectiveness of social engineering attacks. Educating staff to avoid opening unsolicited attachments or clicking on suspicious links within emails is one of the most important areas for organisations to concentrate on today.
Myth #2 Cyber criminals don’t target small businesses.
This myth can be particularly dangerous. Many small firms believe that because they are small, there is no risk of a cyber-attack. Therefore, there is no reason to take any precaution to prevent such an attack. In fact, the very opposite is true. In the eyes of the hackers, small businesses are often easy targets since they sometimes fail to take necessary measures to protect themselves.
As we prepare our turkeys for Thanksgiving and retail stores of all shapes and sizes prepare their inventory for Black Friday and Cyber Monday sales, cyber criminals are preparing their attacks. Your inboxes are likely already flooded with the newest and most popular deals for this holiday season, but while we all prepare to shop til we drop, it is important to practice safe computing practices while you are out-of-office and in the stores.
Here are some popular scams to watch out for this holiday shopping season:
Phishing emails pose one of the biggest threats to shoppers during the holiday season. Cyber criminals may be spoofing retailer emails with blowout deals on the best toys for your family, and one click on a spoofed email could result in malware or a virus installed on your computer. Another email spoof could appear to be from one of your freqently visited retail sites and ask you to enter personal information to either confirm a purchase or verify payment. To avoid handing your sensitive information over to hackers, be sure to check the sender and any links in emails before opening or taking action on any suspicious emails.
Email isn't the only way hackers can spread the season's "hottest deals". Another new scam being used to gather banking and payment information is phishing texts. Your phone will receive a fake text message asking to verify a payment due to irregular activity. The text will provide you with a number to call and secure your account. Once you call this number you will be asked to verify your home address and social security number for identification. Amidst the flurry of your Black Friday or Cyber Monday shopping spree, you could get tripped up and provide a hacker with all of the information that he/she needs to steal your identity, access your financials or worse.
Operational due diligence meetings have become impactful moments for hedge funds to impress both current and potential investors. Firms have the ability to answer questions, alleviate fears and market themselves in a one-on-one setting that affords more opportunity than a completed due diligence questionnaire and an up-to-date performance sheet.
But how can today’s hedge funds truly set themselves apart and impress investors during these ODD meetings? Here are five ways:
1. Demonstrate your knowledge of and commitment to regulatory compliance.
Increasing regulatory oversight of investment firms has been a consistent trend over the course of the last few years, and it can be a challenge for hedge funds to keep abreast of changing legislation and regulator expectations. Disclosure and reporting requirements under the Investment Advisers Act of 1940, record-keeping requirements under the Dodd-Frank Act, and growing cybersecurity recommendations as part of the SEC’s ongoing inquiry are just a few of the initiatives to keep track of. But demonstrating to investors that your firm has knowledge of these regulations and takes them seriously will serve you well.
Whether your firm is compliant to the SEC, FINRA, NFA, CFTC, FCA – phew! – or another regulatory body, it’s imperative that you take the time to fully understand your firm’s legislative requirements and, in writing, show investors your level of preparedness. For example, if you’re a registered investment adviser with the SEC, are you aware of the proposed rule that would require firms to implement business continuity and transition plans? Have you compiled a document that outlines the SEC’s 28 points identified in its cybersecurity risk alert? Coming to your next investor due diligence meetings with this knowledge and the appropriate documentation will demonstrate that you take regulatory compliance seriously and are equipped to comply with the necessary requirements facing your organization.
The Internet of Things (IoT) is what allows us to connect all of our devices to the Internet - these devices that we use every day to make our lives easier, more efficient and, most of the time, safer. IoT devices can be usually be monitored or controlled from a remote location. For example, we use baby monitors and cameras to watch over our kids and houses, apps to control the temperature and lights in our homes, and webcams chat with long-distance friends or conduct business meetings and interviews. Although there are enormous benefits to streamlining and connecting these devices across both business and personal settings, the Internet of Things can also pose a real threat to the security posture of both an individual and an organization.
Like the recent DDoS attack which brought down major sites such as Twitter, Reddit and Netflix, sophisticated hackers can take advantage of these everyday IoT devices to gain access to networks and sensitive information. For example, hackers can release malicious malware onto the Internet that looks for vulnerable devices, including IoT devices. Once a device or devices are detected, the malware is then able to get into the network and cause disruptions, potentially leading to users losing control of functionality, shutting down of websites, or theft of information.
One concern is that when developers design IoT devices, they often overlook the software needed to protect consumers. In many cases, they may be more concerned with functionality, design and the value said device will bring to users. IoT devices are easy to attack because they usually connect to the Internet by default and use stock code from open source software. Developers also can’t assume that consumers know the risks they face when using IoT devices. While robust security features, such as firewalls, can't truly be installed within IoT devices themselves, in the future designers need to pay closer attention to security to prevent devices from becoming easy targets.
Social engineering schemes continue to grow in their sophistication, and phishing campaigns, in particular, are causing concern as they make their way to employee inboxes. These fraudulent email campaigns (and phone calls too!) appear legitimate and take advantage of employees who are often too busy or simply unprepared to identify a scam. In either case, if the employee clicks a link, downloads an attachment or provides credentials or financial information to a hacker behind the scenes, it is a gateway to potentially very serious scenarios.
And these scams are working. A 2016 study by Verizon found that 30 percent of phishing emails are opened by the recipient. According to the FBI, spear-phishing campaigns between 2013 and 2015 cost companies more than $2 billion.
And while there are next-generation firewall protections and email security features and tools to act as security barriers to targeted attack emails, unfortunately, some of these emails are still going to get through and pose a threat to your firm’s security posture. (Side note: to learn more about each of these cybersecurity defense layers, watch our webinar replay below).