For start-ups: Four pillars of cyber security defence
The following article was written by Dean Hill, Executive Director, Eze Castle Integration and first appeared on Hedgeweek as part of their special report: A Guide to Setting up an Alternative Investment Fund in Europe.
There is no shortage of threats to financial services firms, and the list of requirements from investors and regulators alike is growing at a rapid pace. As a start-up, it's important to demonstrate to investors that you take your business seriously, and that requires investment in operational excellence. On the cybersecurity front, that means running on technology infrastructure with robust security features: intrusion detection and ongoing traffic monitoring, regular vulnerability assessments, and up-to-date software, firewalls and patches to keep hackers out and firm assets secure.
But beyond technology safeguards, today's successful financial firms require the wherewithal to implement comprehensive cybersecurity programmes, whether you're a seasoned firm or embarking on your first investment venture. The most effective cyber programmes focus on four critical administrative areas: (1) developing comprehensive security policies and plans to prevent external cyber-attacks and internal breaches, (2) training firm employees on those policies and on current cyber threats, (3) cultivating a culture of security awareness from management down, and (4) managing an effective risk programme through oversight of external vendors.
Plan: True cybersecurity defence starts with proper planning. To start, funds need to develop written information security plans: comprehensive documentation of the firm's corporate security initiatives, including the technical and administrative safeguards employed to secure confidential data. In the development stage, firms will need to identify the systems and plans currently in use, the technical procedures in effect, employee access controls for confidential data, and user responsibilities both before and in the event of a data breach.
Train: Speaking of employees, it's often said that your firm's users can be either your greatest threat or your first line of defence against cyber threats. As a result, training is essential so that employees understand the threats facing them and the company as a whole, and know how to prevent, detect and respond to cyber security incidents.
Cultivate: More abstract than the prior points, this third pillar calls for firms to create a culture of compliance throughout the organisation, starting from the top. Senior management need to set the tone for the firm by spreading awareness of cybersecurity threats and their potential impact on the business, for example by instituting annual information security awareness training and sending regular reminders about basic security protocols.
Manage: The fourth and final pillar of an effective cyber security defence programme relates to managing key third-party relationships with vendors and, at a higher level, taking a strong position on risk management across the firm. Managers must work closely with all their third-party service providers to understand how those providers' cyber security programmes are designed, and to ensure the data and assets of the investment firm are protected from internal and external threats.
Emerging managers face a tough landscape from regulators and stiff competition for investors, so making early investments in cyber security protections is critical to demonstrating preparedness and forging successful investment endeavours. From day one, start-up alternative firms must operate at an institutional level, vaulting themselves into competition with established funds and validating the operational excellence that has come to be expected of them.