For investment management firms to embrace a security-first approach, they must regularly audit and evaluate their cybersecurity risk profile and adjust as necessary based on the evolving security landscape and technological advances. Continue reading for six questions your firm should reflect on regarding their cybersecurity risk profile.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that you take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party. But it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.
In the fast-paced, volatile world of financial services, constantly maintaining normal business operations is crucial – even in the event of an unexpected disaster. Even just a few moments of downtime could be extremely costly, so it is essential that firms implement sound business continuity procedures.
Since we frequently work with our clients on developing comprehensive business continuity plans (BCPs), we feel it is important to review and test our own BCP procedures on a regular basis to ensure they will meet our most current business needs in the event of a disaster. To this end, one of our certified business continuity professionals recently conducted a BCP table top exercise with our management team here at Eze Castle. After this successful meeting, we thought it would be valuable to share some insights on the BCP table top exercise process with our readers to spotlight the importance of this activity.
Did you know that the global average cost of a data breach is $3.86 million? Or, that the average cost incurred for each record of lost or stolen sensitive and confidential information has increased by almost five (5) percent since 2017? A recent study found that breaches are only getting bigger; and I think we have the evolving sophisticated cyber threats that continue to surface.
If you live in an area that often receives snow, you know and expect what the winter season will bring: disruption, delays, cancellations, and closures of roads, busses, trains, boats and subways that transport people to and from work. With this in mind, you should also be prepared for something more such as power outages, force evacuations, impact deliveries, and state travel ban.
In today’s article, we will take a look at some tips to help mitigate, prepare, respond, and recover during the winter weather.
With the new year now upon us, what better time to create your 2019 resolutions for your firm's IT strategy! As we know, the threat landscape is constantly evolving, cloud computing has gained momentum and is now widely accepted in the investment management industry, and new technologies and trends are emerging to support firms with their IT and operational needs.
Continue reading for Eze Castle Integration's recommendations for IT resolutions for 2019:
1.) Create a Cybersecurity Incident Response Plan
As the experts in the industry say, it's not if, but when, a cybersecurity incident will occur. According to a recent report by TechCrunch, cyber attacks are set to spike again in 2019, meaning firms need to continue to stay on top of cybersecurity best practices, utilizing layers of security to protect sensitive data, of course, have a Cybersecurity Incident Response Plan. This includes creating an Incident Response Team consisting of members throughout different departments in the organization, and mapping out the steps to take before, during and after a security incident.
Building on this, developing a Written Information Security Plan, or a WISP, is critical to securing your information, but also required if your firm is registered with the SEC. Having documentation of your firm's plan and systems in place to protect personal information and sensitive company information can help mitigate threats and risk against and protect the integrity, confidentiality, and availability of your firm's data.
3.) Create a comprehensive employee security training program
If you don't have an employee training program, it is critical that you create one in 2019. If you already have an existing employee training program, you must periodically audit this program, ensuring it is both effective and current. Having a managed phishing and training program is an effective way to train employees on how to spot and report phishing and social engineering attempts. These simulated phishing attacks against your employees provide real-time and interactive training.
Outsourcing in the Alternative Investment Management Industry: Navigating Cyber, Legal and Operational Risks + Webinar Replay
Investment firms are increasingly drawn to outsourcing to manage complex technology and operational requirements. And, of course, with this evolution comes a range of considerations. In a recent webinar, Eze Castle Integration’s Executive Director, Dean Hill, and, Lawrence Brown, Information, Communications and Technology Partner at law firm Simmons & Simmons, explored the cyber, legal and operational risks for firms looking to outsource.
Watch the full webinar replay here.
When it comes to protecting your business, you can never be too prepared. In the competitive investment management world, downtime for any reason is not an option. Whether it be a natural disaster, inclement weather, or even a flu epidemic sweeping the office, your firm needs to have both Disaster Recovery and Business Continuity Plans to ensure that your firm doesn't undergo the costly financial and reputational losses in the case of downtime.
Firstly, it’s important to understand difference between Disaster Recovery and Business Continuity Plans.
Disaster Recovery refers to the policies and procedures to enable the recovery of key technology systems after the event of a disaster. A robust DR program ensures that data centers are highly redundant, have multiple entry fiber paths and multiple power grids, undergoes annual testing, and comes with around the clock support, as outages can easily occur outside of business hours.
Business Continuity refers to a document that outlines how your firm will respond when confronted with unexpected business disruptions. A cohesive Business Continuity Plan has proven methodology to ensure your firm is prepared for the unexpected, includes a detailed risk assessment and business impact analysis, has strategies and plan development, includes testing and training, and is continuously evaluated and maintained. Our new eBook outlines the seven steps to create a BCP, download your copy here.
Whether it is an intern heading back to school or a full-time employee moving on, an investment firm must have a detailed employee termination checklist for information technology (IT) that is diligently followed.
But what are the key items that must be on your employee termination checklist?
Here’s An Employee Termination Checklist Foundation:
Contact IT Department or IT Provider to terminate or change network or application logins
Ensure subscriptions are either cancelled or changed
Collect employee equipment such as laptops, monitors, mobile devices, etc.
Ensure employee has documented transition procedures
Reset user password and disabled account
When confronted with unexpected business disruptions, alternative investment firms must react swiftly, methodically and successfully or else risk significant financial loss. This level of response requires extensive business continuity planning to ensure all aspects of a firm’s business are evaluated and protected. In this blog, we will help you create a Business Continuity Plan and help you identify which threats pose a risk to your firm.
With Cybersecurity Awareness Month steadily approaching in October, there's no time like the present to evaluate your firm's IT vulnerabilities and make sure that your firm is taking steps to mitigate these threats. When looking for vulnerabilities in your organization's IT, there are questions you can ask yourself to help pinpoint the vulnerabilities and remediate the findings.
1.) Does my firm know what assets, both hardware and software, are in inventory?
The first step to considering your vulnerabilities is to create a complete inventory of technology assets. How can you know what your vulnerabilities are if you don't know what systems and data you need to protect? Keeping a list of workstations, servers, applications and smartphone devices in one central location is crucial. As your firm grows in assets, products and headcount, are you continuing to re-evaluate your IT inventory? You'll want to have a running list of technology assets as the firm evolves and grows.
2.) Are we patching effectively and appropriately?
Your firm should be patching quickly and appropriately, as poor patch management can leave your firm exposed to potential threats. Zero-day threats take advantage of software vulnerabilities before patches and updates are available to the public. The best way to protect yourself against this is installing updates as soon as they become available. Having a patch management process in place allows firms to roll out these updates when necessary.