Cyber Security is Changing: How to Build a Secure Hedge Fund
Last week, on Wednesday 16 October, the Eze Castle Integration team in London hosted a breakfast seminar on Cyber Protection: Building a Secure Investment Firm.
Cyber security is one of the greatest threats facing the hedge fund and alternative investment industry. The 2008 financial crisis brought the industry a wave of new and sophisticated attacks, as well as a sharp rise in security incidents. With this changing landscape in mind, our panel of experts -- Simon Eyre, Director of Service at Eze Castle Integration; Lawrence Brown, Partner at Simmons & Simmons; and Sean Blenkhorn, Director, Solutions Engineering at eSentire -- got together to address this very topic.
The hedge fund and investment industry is especially vulnerable to threats since it presents hackers with opportunities to profit from sizeable asset pools. Many fund managers assume hackers are focusing on higher profile targets such as retail banks, but the reality is that they are targeting unprepared investment firms of all sizes.
What can investment firms and their service providers do to protect themselves?
Fund managers, as well as their service providers, should regularly review the security threat landscape and their security safeguards. Adopting the following steps can help protect firms from cyber crimes:
Clarify roles and responsibilities - Identify key individuals responsible for maintaining the various aspects of your firm's security plan.
Reassess the security function - Organisations already have information security functions that may be doing a good job in protecting against traditional threats. As new threats emerge, they need to focus on upgrading or transforming the existing capabilities to deal with them.
Create a cyber-incident response team - Traditional organisational structures may have the effect of hampering the quick and decisive responses needed in the cyber environment. Asset managers need effective cyber-incident response teams that can track, risk-assess and escalate incidents. (Read our step-by-step guide on dealing with a security breach for guidance.)
Take a more active and transparent stance towards threats - The high-profile and defensive nature of cyber-attacks tends to engender a defensive mindset. But a number of cyber-savvy organisations are now getting onto the forefront by adopting a more active stance towards attackers, pursuing them more actively through legal means and communicating more publicly about their cyber threats, incidents and responses.
Also, firms should employ a defense-in-depth strategy, inclusive of anti-virus/anti-malware software, and network firewalls to minimise undesirable traffic on the network. However, it is important to recognise that even a computer that is running the most recent operating system with all applications at the most recent upgrade level can still be subject to a targeted attack.
Don't Forget Policies
To maximise network and data protection, investment firms should maintain strong password policies, use multi-factor authentication, develop access control and acceptable use policies, and create an Incident Response Team. As always, maintain a record of what was done and by whom to keep an accurate trail of events for investors and auditors.
Once these policies and procedures have been implemented, it is important for fund managers to educate their employees and train them on best practices for mitigating security risks. Employees who are educated on security threats and know what to look for will serve as a firm’s best assets for keeping sensitive information secure.
But, What if a Security Breach Occurs?
According to the Information Commissioner’s Office (ICO), a data security breach can happen for numerous reasons, such as loss or theft of data or equipment on which data is stored, inappropriate access controls allowing unauthorised use, equipment failure, human error, unforeseen circumstances such as a fire or flood, a hacking attack, and ‘blagging’ offences where information is obtained by deceiving the organisation that holds it. Once the breach has happened, there are four important elements to a breach management plan:
Containment and recovery
Assessment of ongoing risk
Notification of breach
Evaluation and response
Constant maintenance and diligence are required to keep the firm’s data and assets secure. As the industry landscape continues to evolve, it is imperative that the investment industry puts more emphasis on security and data protection in order to meet investor demands and new regulations. End-user education will remain an important aspect, especially as firms adopt new technologies and implement new policies to manage and monitor access and employee behaviour.