Exploring Cybersecurity at Family Offices: Taking a Proactive vs. Reactive Approach
We recently sat down with Matt Donahue, Security/Data Privacy Consultant, and Steve Banda, Senior Product Manager, to discuss cybersecurity trends in the family office space, as well as what steps these and other wealth management firms can take to prevent cyber-attacks. NOTE: This article originally appeared in MarketCurrents' Technology Trends - Family Office Series 2017.
What are the biggest cybersecurity threats investment management firms face?
There are constant threats facing organizations internally and externally, especially within the financial industry. One of the biggest issues is that the cyber threat landscape is continuously evolving. Hackers are trying to compromise firms in a number of ways – from phishing and social engineering to ransomware. It’s becoming much like an arms race, where both sides (hackers and criminals vs. security firms and CISOs) are diligent, organized, and well-funded, each gaining and losing the upper hand on a daily basis.
From an internal perspective, threats emerge as a result of employees being inadequately trained, falling prey to social engineering scams or not following corporate policies. They also come from technology gaps including outdated IT systems, lack of patch management and other shortcomings that could have been addressed by vulnerability assessments.
Building on the importance of vulnerability assessments, firms should recognize that hackers are always scanning to identify holes and gaps that may provide an opportunity to breach an environment. This risk reinforces the importance of technology security defenses including next-generation firewalls, intrusion detection and prevention systems (IDS/IPS) and penetration testing. Ultimately firms want to close gaps and make IT environments unappealing to hackers.
Are there any key issues that family offices should be particularly mindful of in comparison to traditional asset managers?
Family offices must recognize cyber safety does not come automatically with obscurity, as all firms across the financial industry are potential targets based on the data they possess. When it comes to IT, family offices must be disciplined and commit to running institutional-grade operations. While this may sound like an insurmountable task, the reality is that cloud services and managed cyber security services make this both cost-effective and attainable.
How can family offices prepare for increasingly sophisticated and invasive attacks like the recent WannaCry ransomware attack?
There are always going to be new and more sophisticated attacks, but firms should cover the basics. The recent WannaCry ransomware attack highlighted the importance of regular data backups, conducting patch management and having an incident response plan. It also demonstrated the dangers that relying on outdated and legacy technology can introduce into a firm.
Vulnerability assessments are also key to helping identify risks to minimize the potential for future situations.
What should be included in a cybersecurity plan?
There is no one-size-fits-all for a cybersecurity plan, but rather core components that must be included. A company’s plan should be a living document that evolves with the organization and cyber trends. Firms should have an understanding of their most important systems and data as well as appropriate protections and access controls. They must ultimately identify what is most important to their business and protect those items.
Plans should have an incident response outline for rapid action, should a security incident occur. Response components should include communication procedures, including alerting service providers and regulatory agencies as appropriate. Lastly, employees need to understand that they are human safeguards, and their training is a critical component of a plan.
How does Eze Castle work with firms to put a plan in place?
While Eze Castle Integration’s cybersecurity offering is comprehensive, we tailor our services to client needs. We work with clients to understand their cyber maturity and risk levels and devise an appropriate cybersecurity plan and program that aligns to immediate and long-term needs.
What ongoing measures should be taken once a plan has been implemented?
Ongoing measures include testing and training, simulated phishing and online training. It is important for firms to conduct annual vulnerability assessments along with biannual penetration tests. Performing vulnerability assessments will allow firms to remediate risks identified through the risk assessment. They should also ensure patching is completed within a reasonable time period. With security ever-changing, firms should be informed on risk trends, stay current on security threats – or ensure their managed service provider is. Lastly, firms should implement security monitoring of the IT environment for ongoing, proactive protection.
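As an added example (it is not part of the interview and not code from Eze Castle Integration), the "patching within a reasonable time period" point above can be made measurable with a small patch-window check. The script below runs over a constructed host inventory and assumes a per-severity patch window (14, 30 and 90 days) and a reporting date; the host names, patch labels, severities and dates are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed patch-window policy: days allowed between a vendor releasing a fix
# and that fix being installed, by severity. These numbers are assumptions for
# illustration, not figures from the interview.
SLA_DAYS = {"critical": 14, "important": 30, "moderate": 90}

# Assumed reporting date for the check (constructed, not a real audit date).
TODAY = date(2017, 5, 12)


@dataclass(frozen=True)
class PatchRecord:
    host: str                 # constructed host name
    patch_id: str             # hypothetical label, not a real vendor identifier
    severity: str             # one of the SLA_DAYS keys
    released: date            # vendor release date
    installed: Optional[date]  # None means the patch is still pending


# Constructed sample inventory: not real hosts, patches or dates.
INVENTORY = [
    PatchRecord("fo-fileserver-01", "PATCH-001", "critical", date(2017, 3, 14), None),
    PatchRecord("fo-fileserver-01", "PATCH-002", "moderate", date(2017, 4, 1), date(2017, 4, 20)),
    PatchRecord("fo-workstation-07", "PATCH-001", "critical", date(2017, 3, 14), date(2017, 3, 20)),
    PatchRecord("fo-workstation-07", "PATCH-003", "important", date(2017, 4, 10), None),
    PatchRecord("fo-legacy-app-01", "PATCH-001", "critical", date(2017, 3, 14), None),
]


def days_overdue(rec: PatchRecord, today: date = TODAY) -> int:
    """Days past the SLA deadline; 0 when the record is inside its window.

    An installed patch is judged by its install date, a pending patch by
    today's date, so a late-but-installed patch still shows as a past breach.
    """
    deadline = rec.released + timedelta(days=SLA_DAYS[rec.severity])
    end = rec.installed if rec.installed is not None else today
    return max(0, (end - deadline).days)


def overdue_pending(inventory: List[PatchRecord] = INVENTORY,
                    today: date = TODAY) -> List[Tuple[str, str, str, int]]:
    """Pending patches that have blown their window, most overdue first."""
    rows = [
        (rec.host, rec.patch_id, rec.severity, days_overdue(rec, today))
        for rec in inventory
        if rec.installed is None and days_overdue(rec, today) > 0
    ]
    # Stable sort, so equally overdue rows keep inventory order.
    return sorted(rows, key=lambda r: -r[3])


def hosts_missing_patch(patch_id: str,
                        inventory: List[PatchRecord] = INVENTORY) -> List[str]:
    """Hosts on which a given patch is still pending: the exposure for one fix."""
    return sorted({rec.host for rec in inventory
                   if rec.patch_id == patch_id and rec.installed is None})


def compliance_rate(inventory: List[PatchRecord] = INVENTORY,
                    today: date = TODAY) -> float:
    """Fraction of records (installed or pending) that are inside their window."""
    if not inventory:
        return 1.0
    ok = sum(1 for rec in inventory if days_overdue(rec, today) == 0)
    return ok / len(inventory)


if __name__ == "__main__":
    for host, patch_id, severity, overdue in overdue_pending():
        print(f"{host}: {patch_id} ({severity}) is {overdue} days past its window")
    print("hosts still missing PATCH-001:", hosts_missing_patch("PATCH-001"))
    print(f"in-window records: {compliance_rate():.0%}")
```

The per-fix view (`hosts_missing_patch`) is the one to run first after a vendor releases a critical fix, since it answers the question an attacker's scanning is asking; the overdue list and the overall rate are what a quarterly review of the patch process would track.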