
Cybersecurity for Financial Institutions: NYC Panel Highlights
We take our thought leadership efforts seriously around here, and we’re always interested in educating our clients and partners about technology issues that can affect them. We’re also fortunate to be invited to speak frequently on a variety of hedge fund technology topics – most recently, cybersecurity. Our own Managing Director, Vinod Paul, participated in a panel session last month in New York dedicated to this topic.
Featuring speakers from Eze Castle Integration, Citrin Cooperman, Akin Gump, and CFO Consulting Partners, the panel spoke candidly about how the cybersecurity landscape is evolving for financial services firms and how they can begin to comply with recent recommendations from the SEC and FINRA. Following are some highlights from the event. If you’d like to listen to the podcast of the panel, click here.
- Many firms question whether they need to do anything to comply with SEC cybersecurity recommendations. The answer is yes, and firms need to employ more than technology.
- Cybersecurity governance is a critical component. Who is in charge beyond the IT team? Someone at the firm needs to take accountability for this process and interface with various functions to ensure compliance. Ideally, a Chief Compliance Officer or Chief Information Security Officer should handle this.
- FINRA’s cybersecurity report, published earlier this year, offers a review and detailed suggestions for broker-dealers, though the focus areas are applicable throughout the financial services industry. The document examined eight areas: governance, risk assessment, technical controls, incident response planning, vendor management, staff training, cyber intelligence and information sharing, and cyber insurance.
- Vendor management is arguably one of the most dangerous vectors for cyber problems at organizations. Service providers with access to your firm’s databases and systems inherently put your firm at greater risk, whether it be as a result of the vendor’s employees or the vendor’s systems getting hacked.
- On the cybersecurity training front, your firm’s staff needs to know how to handle what’s coming in. Most security threats these days are disguised as malware or phishing schemes. Information security training should be completed at the board, management and staff levels and should be reinforced periodically.
- A hedge fund cybersecurity program is only effective if it is instituted across the entirety of the business. Keeping information in silos and departmentalizing security practices won’t work.
- The biggest cyber threat to any business is its employees, whether they be disgruntled (stealing data, executing malicious activity, etc.) or naïve (succumbing to phishing schemes, leaving mobile devices behind, using insecure passwords, etc.).
- Know who you are partnering with. Low-cost vendors and service providers could be cutting corners. Ensure your vendors have their own controls in place to protect your firm’s data.
Recent articles on hedge fund cybersecurity:
- Setting Up Secure File Sharing at Your Hedge Fund: Varonis on Eze Cloud
- Five Steps to Effectively Managing Third-Party Service Provider Risk
- How Secure is Your Password? First Steps to Safeguarding Your Data

Photo Credit: Citrin Cooperman