Five Hedge Fund Cybersecurity Risks and Struggles
In Part Three of our Risk Outlook Webinar Series, Michael Corcione, Managing Director of Cordium, spoke about compliance and cybersecurity trends in the investment industry. Although cybersecurity risks and struggles can vary from firm to firm, it is important to address a number of key areas.
Continue reading for quick takeaways or scroll down to watch the 30-minute video replay.
Good security can be achieved as firms move from reactive to proactive strategies. Firms usually start with the goal of checking the box for regulators, but they need to get beyond 'check-the-box' exercises and actually test their controls. The SEC's 2015 cybersecurity guidance update provided more specific insights on cybersecurity focus areas for investment firms: governance and risk assessments, training and awareness, incident response, data loss prevention, access rights controls, and vendor risk management. Hedge funds and investment firms should use this as a framework to understand how they have addressed these areas and where they need to improve.
A good cybersecurity program starts with the leadership team, and they need to set the tone from the top down. This way everybody understands the impact of risk and its effects on the firm. Leaders should acknowledge risk, understand risk, and lead ongoing discussions firm-wide.
Maintaining solid cybersecurity practices is important to a firm’s reputation. Clients, investors and regulators want to ensure that your firm is addressing risk and still able to perform daily tasks if a disruptive event occurs. When it comes to working with third parties, you want to ensure that your providers understand your business and know the financial industry up and down as well as the technology that powers it. Along with industry experience, ensure that your service providers also have a good industry reputation and a commitment to protecting your firm’s data when it is not in your hands.
Understand the effectiveness of your cybersecurity programs. What value are you getting from your spend and are you truly reducing risk? When performing risk assessments, there are a wide range of categories that firms have to cover, and assessments also uncover tasks that need to be completed or updated. Make sure that the systems you are employing are effective, and when you find weaknesses, take the time to make updates and changes.
Investment firms need to survey their entire threat landscape, including who is likely to attack and through which entry points (mobile devices, open wireless connections, social media). It could be an external hacker or an employee (acting maliciously or unintentionally) caught in a phishing scheme. Poor employee training and education can result in a weakness in your firm's security. Ransomware doesn't care what data it is attacking, as long as that data is important. Your firm's risks should drive a strategic cybersecurity plan. It is not about 'if' an attack will happen, but 'when'.