
Seminar Recap: Third-Party Risk Management and Cybersecurity for Investment Management Firms
In a recent New York City seminar, industry experts gathered for a two-panel event to collaborate and share knowledge on Third-Party Risk Management and Cybersecurity.
The first panel, titled "Third Party Risk Management: Evaluating, Managing, and Monitoring in a Complex Outsourced Environment", was moderated and led by Eze Castle's VP of Marketing, Mary Beth Hamilton. Panelists discussed the increased draw to outsourcing complex technology and the operational requirements that go with it.
The discussion began with the existing outsourcing landscape in the investment management industry. Panelists noted that outsourcing, when done properly and with the appropriate vendors and partners, can be highly beneficial for investment management firms, especially as firms are getting started. Panelists noted that there has been a huge increase in acceptance of outsourcing among investors, as long as the appropriate due diligence and monitoring are performed. That said, having a third-party risk management program should be part of your overall cybersecurity program.
Some best practices in managing ongoing monitoring of partners included:
- Know which vendors have access to which data
- Stay up to date: times change, and something that may have been considered "acceptable risk" in the past may have shifted to "unacceptable risk"
- Industry-specific vendors and partners will be better informed when it comes to regulatory and compliance matters
- Perform ongoing due diligence on third parties, and always keep your ears open!
Panelists also discussed potential red flags to look for in a third-party partner, including:
- Security breaches and incidents in the last year
- Vendor has been seen in the news for any unsavory behavior
- If the vendor is being evaluated by the SEC or other regulatory body for non-compliance
- For existing partners, if you find out that a partner or provider previously had a breach and they didn't inform you
The second panel, "Cybersecurity Requirements: From Basic to Advanced for Investment Management Firms", led by SVP of North American Sales, Dan Jones, covered basic to advanced cybersecurity techniques specific to the investment management industry.
Panelists dove into what cybersecurity threats are keeping them up at night. With threat actors being far more advanced than they were in the past, hacking and filtration techniques have become increasingly complex and sophisticated. In addition, new products, tools and services are constantly emerging, and technology professionals need to evaluate which products and services are the right fit for their firm. One panelist made the analogy to baking cookies: one cup of sugar works in the recipe, but ten cups of sugar isn't effective. Choosing tools and technologies to create the most effective and efficient security posture can be challenging. Other panelists cited phishing and social engineering threats, malicious code infiltration, and of course, human error from internal employees.
Some key concerns for a successful IT program included:
- Documenting your environment and knowing how it all works together
- Alerts management programs
- Assessing and auditing whether you're using tools and technologies effectively
- Phishing testing and training
- Budgets for detection driving increases in IT spend
- Alleviating investor concerns
For firms looking to build or evaluate their existing cyber strategy, tools and technologies, check out Eze Castle Integration's Cybersecurity Resource Center.
