Essential Building Blocks to Hedge Fund Cyber Risk Management
The following article originally appeared in HFMWeek's Cyber Compliance Focus.
It’s not enough to have strong security policies. And it’s not enough to have robust technologies in place to ward off cyber threats. In truth, it’s not even enough to have both of these.
An effective cybersecurity program, rather, can only be achieved through a consistent and comprehensive strategy that touches layers across the entirety of the organization – from perimeter security and access control to policy enforcement and employee training. Without each of these building blocks, the effectiveness of a cyber risk management program is crippled at best.
And today’s standards for cybersecurity are increasing rapidly.
Tier 0: Start Here
At a bare minimum, a hedge fund or investment management firm – regardless of size or scope – should employ the following:
Firewalls to monitor and control incoming and outgoing traffic on your network, anti-virus software to intercept and quarantine suspicious threats, and patch management software to prevent application vulnerabilities and zero-day threats;
Secure remote access capabilities through applications such as Citrix or Virtual Private Networks (VPN). If employees travel or work outside of the office, this ensures they can not only maintain their workload but also do so in a secure fashion;
An Acceptable Use Policy – the backbone of a firm’s cyber risk management program and arguably the most essential policy document – to outline what employees are permitted to access/use/share/etc. across the company network, systems and applications; and
Strong, non-default password enforcement for all users. Passwords are the most basic way for firms to control user security behavior, and thus, hedge funds should prompt users for strong passwords that are changed at least every 90 days.
There’s your foundation, but today’s cyber threats warrant much more sophisticated security protections, and that means building on these layers to fortify your cyber program.
Tier 1: A Strong Foundation
The good news is that most investment management firms are doing more than the bare minimum. If the above layers are your Tier 0, then Tier 1 is fast becoming the standard for cyber risk, with a strong contingent of policies and more robust efforts to address network security.
Expanding your network security beyond the standard firewalls and anti-virus software to include more comprehensive network access control is first and foremost. And since email is oftentimes the gateway into a firm’s network, enhanced email security features are critical to safeguarding sensitive information. Growing in popularity, these features often include targeted attack protection, attachment scanning and encryption.
With our growing reliance on mobile devices for business, it’s become critical for firms to develop mobile device policies and employ mobile device management (MDM) solutions which allow administrators to provision, secure and support company-sanctioned smartphones and tablets. Particularly if your firm is of the “bring your own device” (BYOD) kind, you need to ensure there are clear protocols and guidelines for employee access to company/client information.
On the policy front: the Written Information Security Policy (WISP) should break down what and where your firm’s confidential data is and who has access to it. Your Business Continuity Plan (BCP) outlines how your business will continue to operate in the event the firm is impacted by a cyber threat. And your Incident Response Policy will go into deeper detail on how to respond to cybersecurity issues, including what steps to take to remediate the situation and how/when to notify clients/third parties.
Arguably the most important – and yet underrated – aspect of your firm’s cyber preparedness, training and educating your employees is critical to the success of your organization’s security efforts. Technology and systems can only do so much to address threats. Your employees, however, can act as your first line of defense against cyber-attacks, but unfortunately, their efforts will only be effective if they are properly trained on both potential threats and the firm’s policies and procedures.
Tier 2: Progressive Protection
With rapidly growing expectations for investment managers with regard to cybersecurity preparedness, many firms are now making significant investments in their cyber risk programs, and not only incorporating the elements we’ve previously mentioned, but expanding on them even further. These investments deepen the security protocols already in place, providing firms with robust and redundant layers of protection and demonstrating commitment to institutional investors concerned with the safety and security of their assets.
To protect the perimeter, forward-thinking investment firms are employing next-generation firewalls, which take the benefits of traditional, port-based firewalls to the next level and allow firms to filter network traffic by application and implement additional security protocols to keep harmful traffic at bay.
Within the walls of the firm, one effective way to ensure security amongst users is through the use of multi-factor authentication (MFA), which requires users to verify their identity with more than one factor to ensure they are, in fact, who they say they are. This hot tech trend is growing in popularity, and many firms now employ MFA for access to cloud services, for example.
As a more advanced security tier than its predecessors, what we refer to as Tier 2 features some progressive systems and technologies that many of today’s hedge fund firms are leveraging. Intrusion detection and prevention systems, while sometimes costly, add a convincing layer of protection to an existing cybersecurity program, with the ability to monitor networks and prevent threats from penetrating them. Additionally, the encryption of data at rest is becoming a top priority for security-focused firms, as is data loss prevention – software that aims to prevent end users from sending sensitive information outside a firm’s network.
Lastly, firms that consider themselves security-conscious also likely realize the critical role employees play in safeguarding the firm’s information. To ensure employees realize their importance and act as well-informed users, many firms are conducting phishing simulation exercises to test and train users to identify potentially malicious email threats. These managed phishing tools are relatively inexpensive and often include in-the-moment security awareness training to reinforce many of the key concepts users should be aware of.
There’s always room for growth when it comes to cybersecurity, so whether your firm is a Tier 0 or a Tier 2, there are likely changes you can make to fortify security, meet growing regulatory demands and satisfy even the most security-focused investors.