Earlier this week we presented at a Wells Fargo Prime Services breakfast briefing on cybersecurity. During the discussion, Stuart Levi of Skadden reminded attendees that the SEC has clearly defined (and communicated) its cybersecurity expectations. He recapped the following six areas advisers must have covered to demonstrate preparedness to regulators.
1. Risk Assessments
4. Access Control
5. Vendor Management
6. Information Sharing
Here's Eze Castle Integration's take on these focus areas:
#1 Risk Assessments
The April 2015 SEC Cybersecurity Guidance Update goes deeper into risk assessments expectations. Here are some key cyber risk assessment takeaways:
Define what confidential data is and determine how it's protected.
You must also understand where your data is located, how it is collected and who and what technology systems have access to it.
Registered investment advisers should have a clear understanding of the threat landscape, including potential internal and external risks as well as unique vulnerabilities specific to the firm. Evaluate a variety of potential scenarios as well as their likelihood to occur.
Once firms understand the risks facing their organization, they must conduct assessments of the existing controls and processes to ensure they account for the risk landscape and put the appropriate safeguards in place.
Be sure to understand the potential impacts of various cyber risk scenarios and outline specific protocols for incident response and quick resolution. The impact of cybersecurity incidents can range from financial to technological to reputational.
Finally, testing and assessing the governance structure, including administrative and technical safeguards, is key to ensuring effectiveness.
Gone are the days of management simply outsourcing responsibility to third-party experts and trusting them blindly. Telling the SEC, “we hired the best security consultant,” won’t cut it. Today management must understand their firm’s security posture and be able to outline the safeguards that are in place to minimize risk.
Additionally, management must instill the importance of security preparedness in all employees by making it a top-down priority.
Mobile devices have transformed the way we manage our everyday lives: from how we track our bank accounts, to interacting with friends and family to booking travel, and so on. Everything you need is at your fingertips, but are you taking the proper security measurements to protect your device? Below are a few tips to help keep your smartphone’s data safe.
Set a Password: When you do not set a password to lock your phone, anyone who obtains possession of the device has instant access to all of your apps that automatically log-in upon launching. This is a simple security measure to take and yet, according to Consumer Reports' annual State of the Net Survey, only 36 percent of smartphone owners have a passcode. From a business use perspective, any device that accesses corporate email or networks should have a complex password and be managed by mobile device management tools such as AirWatch or Good Technology.
Mobile Security Apps: Looking to the future, we expect the adoption of mobile device security apps that provide antivirus, privacy and anti-malware protection to increase. And for good reason. According to the June 2014 McAfee Labs Threat Report, mobile malware has increased by 167 percent in the past year alone. Companies, such as AirWatch, aim to ensure your enterprise mobility deployment is secure and corporate information is protected with end-to-end security.
If you’re one of the seemingly few firms who has yet to make the move to the cloud, it could be for a variety of reasons. Perhaps you want to maintain total control of your IT environment. Or maybe you’re waiting for a tech refresh to motivate you. Alternatively, it could be that you just haven’t made the proper case to management for switching to the cloud – and many times the one who really needs convincing is the Chief Financial Officer (CFO).
If you’re the Chief Technology Officer (CTO) or IT Manager, your responsibility is determining the infrastructure choices that are going to best suit operations at your firm. But those priorities may not line up exactly with those of the firm’s CFO. IT doesn’t always have insight into the financial ramifications of an operations decision of this magnitude. Instead they are typically focused on the other benefits including personnel reallocation, workflow efficiencies, etc.
The CFO, on the other hand, is ultimately tasked with ensuring the company’s financial decisions are appropriate, and therefore, it’s often advantageous to at least attempt to speak his/her language when pushing for an IT change.
The Financial Industry Regulatory Authority (FINRA) recently issued a notice that it has filed a rule that became effective on November 30, 2015. This rule, known as Rule 4380, grants FINRA the authority to designate member firms to participate in FINRA’s annual Business Continuity/ DR Testing under Regulation System Compliance and Integrity (SCI).
Regulation SCI was adopted by the Securities and Exchange Commission (SEC) in November of 2014 which detailed out specific requirements of FINRA to “establish, maintain, and enforce written policies and procedures that address, among other things, business continuity and disaster recovery." And as part of that FINRA must designate firms to participate in of its BC/DR Plans. The SEC adoption of SCI can be tied to experiences such as Superstorm Sandy which caused the securities market to close for two days.
FINRA Notification Process and Designation Criteria
FINRA will privately notify firms that meet the standards for designation. This will happen at least 90 day prior to the testing date. For the most part the designation criteria is based on volume of activity over a specified time period. For the most this equates to about 5-9 firms designated per system.
The following table provides details on the criteria designations.
Categorized under: Launching A Hedge Fund
A new year, which is just around the corner, brings us endless opportunities to improve. So here’s a list of the top 4 IT resolutions that will help keep your hedge fund safe and sound in 2016.
Traveling with electronic devices puts personal and critical business information at risk. As we embark on the busy holiday travel season, we decided to share some useful tips to help prevent your data and devices from falling into the wrong hands. Here are our top 10:
Back up Your Data Before You Leave: Prior to traveling, back up data that is stored on your device(s) onto media that will not be taken with you on your travels. For example, on a storage card, cloud, or computer, if you are not bringing the latter device on your trip. Furthermore, ensure you do not have social security numbers, passwords, credit card information and other sensitive data stored on your devices. If you do, save this information in a more secure place and remove it from your portable devices.
Travel Light: If you do not need it, do not bring it on your trip. Only devices that are necessary should accompany you while traveling.
Here at Eze Castle Integration we have a pantry full of thoughtful policies that help ensure we keep everything in tip-top shape. In past Hedge IT articles, we’ve shared our recipes for creating security incident policies, BYOD policies and social media policies.
Today, we are going to share our recipe for creating an Acceptable Use Policy, which governs how a company and its employees use computing resources. The SANS Institute, which has policy templates galore, also has an Acceptable Use Policy template that you can find HERE and is the foundation for our award-winning recipe.
First, define the purpose and scope of your policy by answering questions including:
Why are the rules in place (i.e. protect firm from virus attacks, compromising of the computing network, etc.)?
Who does the policy apply to (i.e. employees, consultants, contractors, etc.)?
Public cloud tools and free file sharing services are wholly owned and managed by third-party providers. Because infrastructure costs are spread across all users who are employing the service, each individual client is able to operate at a low cost. Public cloud tools are typically larger in scale than private enterprise clouds, which provide users with seamless, on-demand scalability.
These factors may seem to support the belief that public clouds and free file sharing services would suffice for a business’s basic infrastructure and file sharing needs. However, upon closer examination, it is clear that there are a number of areas in which these tools fall drastically short of meeting the crucial business needs of investment management firms.
Is your password “123456” or just plain old “password”? If so, you’re not alone. When media company-Gawker Media’s million plus user database was compromised by hackers, the passwords of nearly 200,000 users were decoded and made public. Of those exposed, over 3,000 people used the password “123456” and nearly 2,000 were using “password” as their password.
Think your name is an original password? Apparently lots of Michelle’s and Jennifer’s did because those made the most common password list as well. Check out the complete list to see if you have a popular password.
This past weekend on the dark web hackers were offering to sell 590,000 Comcast email addresses and associated passwords. Of those, Comcast verified that 200,000 accounts were still active and had the account owners reset their passwords. According to Cnet, hackers didn't breach Comcast's computers to steal the information. Instead, they created their list of passwords with information stolen from [people across the web]." Hackers are skilled at tricking individuals into sharing their passwords. Then, since people often use the same password for multiple sites, the hackers have gold.
Gawker and Comcast being hacked are yet more reminders of the importance of having strong passwords and updating them regularly, especially in the hedge fund and investment management industry. Here are some tips to create safe passwords and keep them safe:
First off, passwords are essential but simply having one isn’t enough. Remind users not to leave passwords on sticky notes or under their keyboards. One way to remember a new password is to use it immediately and often.
This post was contributed by Frank Serebrin, president and founder of InCapital Marketing.
If you don’t have a website, you don’t exist.
That’s the takeaway from…well, I can’t cite a study, but it’s my opinion.
Less than a generation ago, few businesses would consider not having their phone number published in the yellow pages. (Remember them?) Today, search engines have replaced phone books as the place most go for research and information. How can your potential new clients search you if you don’t have a website or social media presence?
Yet fifty-five percent of small businesses don't have a website, according to a 2013 survey of more than 3,800 small businesses conducted by Google. That's a slight improvement from the year before, when 58 percent said they didn't have a website.
You may think of yourself as a start-up hedge fund manager, or a Registered Investment Advisor, or a real estate private equity manager. And you’re still also a small business, too, at least as defined by the SBA.
Here are ten reasons why you may not have a site yet, and what you may do to correct the oversight:
1. I Don't Have the Time
Is this you? "I'm too busy trading…I’m on the road making sales calls…my partners and I have full time corporate jobs, too.” With all the demands on your time, a website can help sell your story while you build relationships and multi-task.
2. There’s No Money in the Budget
Is it that you don't have the money, or you haven’t figured out what your marketing budget should be? As a start up, your focus might understandably be on the legal costs of a private placement memorandum, and administrative, accounting, technology, trading, office space, and sales expenses.
How much capital are you looking to raise, and it what period of time? Is it $25 million? $50 million? $250 million or more? And you want to raise that from professional and sophisticated investors without the credibility of a website?