Six Questions to Ask About Your Investment Firm's Cybersecurity Risk
During Part 2 of our Risk Outlook Webinar Series we spoke with Eze Castle Integration Director Dan Long about how investment firms should address evolving cybersecurity risks, third party service provider oversight and employee training and education. Many of the points Dan addressed highlight questions hedge funds and private equity firms should be asking themselves.
Read on or scroll to the bottom to watch the full, 30-minute replay.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that they take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party, so it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function were under in-house control.
Do we perform vulnerability assessments and/or penetration tests?
There is a lot of confusion about vulnerability assessments and penetration tests. And we promise to cover it in more detail in a future blog post. Firms should have an understanding of the differences and be using these tests to effectively mitigate risk across their businesses.
At a high level, penetration testing means taking a system you have identified as having open services or ports and using hacking or simulated hacking attempts to compromise or break that system, demonstrating what may be a potential vulnerability. It is a highly focused and targeted activity that depends heavily on the type of system you are testing against as well as the skill and capabilities of the person or firm conducting the test.
In contrast, a vulnerability assessment is a broader spectrum test, and it serves as a discovery action. A vulnerability assessment typically scans an entire environment and catalogs and indexes weaknesses and risk points. With this information, firms have a database of known vulnerabilities they can use to assess overall risk and identify where remediations need to be implemented.
What is our cybersecurity budget?
Clearly, much of a firm's ability to mitigate cybersecurity risk is impacted by its budget. There is a wide range of systems, technologies and training that hedge funds and private equity firms can employ to address security threats. On the infrastructure side, there are basic items that cannot be ignored: firewalls, anti-virus software, mobile device management platforms, secure remote access and patch management. We'd also suggest that intrusion detection and prevention systems fall into this critical category. Beyond technology, however, firms need to have policies and procedures in place to address firm and operational risk arising from a cyber incident. And training employees on said policies should be non-negotiable. Fortunately, educating your employees can also offer a hedge fund one of the best returns on its investments. Because the most common cyber risks are often initiated by users (whether unintentionally or maliciously), training those users on security best practices will empower the firm to mitigate cyber risk across all levels.
Are we using free services (e.g. public cloud)?
What training do we have in place for employees?
Bolstering your workforce with training tools and education is one of the most effective ways to mitigate cybersecurity risk. Beyond annual training exercises and drills, many investment firms are also relying on phishing tools to advance employee knowledge of cyber threats. Simulated phishing exercises can be pushed out through a managed service provider to test employee awareness and knowledge. By emulating a true attack, a managed phishing email tests employees in the moment and can report back to managers and firm heads about how prepared the firm's users are.