During Part 2 of our Risk Outlook Webinar Series we spoke with Eze Castle Integration Director Dan Long about how investment firms should address evolving cybersecurity risks, third party service provider oversight and employee training and education. Many of the points Dan addressed highlight questions hedge funds and private equity firms should be asking themselves.
Read on or scroll to the bottom to watch the full, 30-minute replay.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that you take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party. But it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.
In the context of information technology, social engineering refers to the act of tricking people into divulging confidential or sensitive business information, and breaking security policies. This form of attack infiltrates companies by targeting their weakest access point, which predominantly is a firm’s employees.
The Art of the Phishing Con
Let’s examine a popular technique for social engineering known as phishing. In a phishing scheme, the hacker broadly disseminates a fraudulent email with aim to acquire sensitive data, such as, login credentials, IT resources or banking information. The message may request the recipient to submit personal information or to click on a link embedded with malware. Although this approach rarely dupes sophisticated users, a distracted employee could make one mistake and compromise a firm’s entire network.
In its 2015 priorities, the SEC’s Office of Compliance Inspections and Examinations (OCIE) listed cybersecurity as a key focus area in its risk-based assessments. Then on February 3, 2015, OCIE released summary findings from its Cybersecurity Examination Sweep.
OCIE’s sweep focused on written documentation for their assessment and conducted "limited testing" of the accuracy of the responses. They did not review the technical sufficiency of the firms’ programs either. OCIE’s reliance on documentation highlights the importance of complete Written Information Security Policies.
Following are noteworthy items Eze Castle Integration observed in reviewing the findings.
Most firms adopted written information security policies, but 43% of advisers did not conduct periodic audits to determine compliance with these information security policies and procedures.
49% of advisers did not discuss mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident in their written business continuity plans.
The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, only 32% of advisers require cybersecurity risk assessments of vendors with access to their firms’ networks.
In the Written Information Security Plans (WISP) Eze Castle Integration creates for clients, we include service provider risk assessments as a standard element.
As technology changes, it can become overwhelming to keep up with. That’s why we’ve decided to take a step back in today’s blog article to go over some of the basic vocabulary involved in cloud computing. Here are 10 terms to get you started:
Services or applications that are hosted in a web-based repository known as the “cloud”; the service is often hosted by a third-party provider who then provides access to that service to users on an on-demand basis via a network connection. This alleviates that firm from having to purchase and maintain costly infrastructure in-house.
A facility used to house computer systems and associated components, such as telecommunications and storage systems; typically includes redundant or backup power supplies, redundant communications connections, environmental controls and security features. The Update Institute classifies data centers into four tiers based on the percentage of availability and uptime.
Like David bravely dueling with the larger Goliath, small and mid-sized investment firms are often faced with insurmountable odds when competing against larger (and better endowed) funds. With more experience and more assets, larger firms have the advantage when it comes to soliciting investor allocations. But do these inherent shortcomings equal certain failure? If David can emerge victorious, can’t smaller hedge funds?
Earlier this week, we gathered a panel of experts in San Francisco to discuss this topic at length. Following is a brief synopsis of the topics they covered.
Today, we're excited be hosting the 2013 London Hedge Fund Cloud Summit at the Prince Philip House in London. The event features a variety of industry experts participating in thought-provoking panel disccussions focused on the cloud adoption trends shaping the investment industry. Conversations will touch on everything from the differences between public and private clouds to cloud security and application hosting.
In honor of this event and to provide a visual to help encapsulate the many benefits that come from leveraging a private cloud, we have published a new infographic entitled “You Might be a Private Cloud User If…” Check it out to see the top 10 signs that you are likely a private cloud user. For more information and details on the 2013 London Hedge Fund Cloud Summit please visit the event page. Also, be sure to look out for a recap of the event here on the Hedge IT blog next week!
Yesterday our VP of client technology, Steve Schoener, presented on a California Hedge Fund Association webinar about building an institutional infrastructure at today’s hedge funds. A lofty topic (so consider this a basic primer), Steve focused on four key discussion areas, which we’ll recap here. They were:
Investor Expectations of IT
On-premise & Cloud solutions: Which is right?
Security Risks & Best Practices
Disaster Recovery How-Tos
You can watch the 30-minute webinar now or keep reading below.
The latest HFR Global Hedge Fund Industry Report found that hedge fund assets increased by $60 billion in the fourth quarter of 2012, bringing total industry capital to a record $2.25 trillion. With hedge funds posting performance gains and the new year upon us, we expect to see new hedge fund launches take off.
Technology is just one of the many areas to consider when starting a hedge fund. To help jump start the process, below is a list of some commonly asked questions we receive.
Where do I start in creating a technology budget for my hedge fund?
It is important to note that whether a firm selects to go with an in-house IT solution or cloud computing there will be implications on technology budgeting. Once in-house versus cloud is evaluated, it is important to think about the workflows and systems you use to complete your work – be it email, reports, phones, market vendor applications, and/or risk systems. You can find a technology budgeting worksheet here to help with your planning.
Last month our friends at eSentire published a Cloud Security Checklist to provide hedge funds and alternative investment firms a guide when evaluating a cloud provider such as Eze Castle Integration. The Checklist asked the question, “How can you know if your Cloud Service Provider has your best risk management interests in mind?”
Since here at Eze Castle Integration we are big proponents of secure cloud computing, we thought we’d be the first cloud service provider (that we know of!) to complete eSentire’s checklist.
1.0 Physical Security: Does the cloud provider have a rigorous physical access protocol?
Yes, yes and yes. Eze Castle has detailed Access Control and Premise Access policies that extend from physical to virtual environments. Following are some of the key physical access control protocols we have in place:
24x7x365 manned lobby with visual verification of identity
Two-phase authentication of visitors (card and biometric)
Secured access at all entry points, including doors and elevator banks
Monitored security cameras as well as door, motion and camera sensors
Visitor logs closely monitored and escorts required at all times
Key-locked cages and cabinets at all data center facilities