Six Questions to Ask About Your Investment Firm's Cybersecurity Risk
For investment management firms to embrace a security-first approach, they must regularly audit and evaluate their cybersecurity risk profile and adjust as necessary based on the evolving security landscape and technological advances. Continue reading for six questions your firm should reflect on regarding their cybersecurity risk profile.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that you take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. However, moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party, but it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.
Do we perform vulnerability assessments and/or penetration tests?
There is a lot of confusion about vulnerability assessments and penetration tests. Firms should have an understanding of the differences and be using these tests to effectively mitigate risk across their businesses.
At a high level, penetration testing is when you have identified a system that has services or ports open and you are essentially hacking or using simulated hacking attempts to compromise or break that system and demonstrate what may be a potential vulnerability. This is a very highly focused and targeted activity, highly dependent on the type of system you are testing against as well as the skill and capabilities of the person or firm conducting the test.
Alternatively, a vulnerability assessment is a broader spectrum test, and it serves as a discovery action. A vulnerability assessment typically scans an entire environment and catalogs and index weaknesses and risk points. With this information, firms have database of known vulnerabilities to assess overall risk and identify where remediations need to be implemented.
What is our cybersecurity budget?
Clearly, much of a firm's ability to mitigate cybersecurity risk is impacted by their budget. There is a wide range of systems, technologies and training that alternative investment firms can employ to address security threats. On the infrastructure side, there are basic items that cannot be ignored: firewalls, anti-virus software, mobile device management platforms, secure remote access, patch management. We'd also suggest intrusion detection and prevention systems and SIEM should fall into this critical category.
Beyond technology, however, firms need to have policies and procedures in place to address firm and operational risk at the hands of a cyber incident. And training employees on said policies should be non-negotiable. Fortunately, educating your employees can also offer a hedge fund one of the best returns on its investments. Because the most common cyber risks are often initiated by users (whether unintentionally or maliciously), training those users on security best practices will empower the firm to mitigate cyber risk across all levels.
What cloud model are we using?
What training do we have in place for employees?
Bolstering your workforce with training tools and education is one of the most effective ways to mitigate cybersecurity risk. Beyond annual training exercises and drills, many investment firms are also relying on phishing tools to advance employee knowledge of cyber threats. Simulated phishing exercises can be pushed out through a managed service provider and test employee awareness and knowledge. By emulating a true attack, a managed phishing email tests employees in-the-moment and can report back to managers and firm heads about the level of preparedness its users have.