In the evolving technology landscape, coupled with regulatory concerns and investor demands, CTOs at investment management firms must be prepared for a host of complex technology challenges in today’s world. Here are some of the top challenges CTOs in the investment management industry are facing today:
1.) Data Security, Privacy and Governance
One of the top challenges, if not THE top challenge, for CTOs is cybersecurity. Troublesome threats include AI-driven cyber attacks, ransomware and malware attacks, phishing schemes and internal threats, among others. Cybersecurity programs require attention, expertise and consistent evaluation to ensure you have a robust security posture, and developing the proper protections, plans and programs is time-consuming and challenging.
2.) Multi-cloud Computing Challenges
While cloud computing has grown in popularity and become more accepted by investment management firms, they were more comfortable with using the private cloud based on its inherent security. Now, due to advancements in security, more firms are incorporating the public cloud into their methodology. Challenges lie in every step, from planning and deciphering which cloud model best fits their firms' needs, to implementing and securing the cloud, managing vendors, and educating employees and other internal and external stakeholders.
3.) Compliance Regulations and Audits
All businesses in the financial space need to be especially cognizant of the regulatory bodies and compliance requirements specific to their industry. Compliance audits ensure that the firm is adhering to the regulatory guidelines and drive all technology-related decisions. Failure to maintain compliance can result in hefty fines or legal action. This responsibility often falls on the CTO, and it is no easy job to maintain compliance across an investment firm.
4.) Strategic Investment in Technology and Budgetary Concerns
In general, IT budgets are growing among investment management firms, and with the progressive and evolving technology landscape, new tools, technologies and services appear and create tough choices regarding budget spend. CTOs must evaluate which tools are useful, valuable, and trustworthy for the organization. For some CTOs, getting management buy-in for new technologies is a challenge of its own. For others, the challenge is convincing the management team that a technology or tool isn't the right fit for the firm.
5.) Finding Talent
According to our 2019 Global Investment Management IT Survey, respondents indicated that lack of in-house cybersecurity talent was a top 5 concern for 47% of UK businesses and 22% of businesses in the US. The talent pipeline depends on potential hires and their skill sets, and the shortage of talent in general, specifically in security, cloud computing, data analytics and business analytics.
For investment management firms to embrace a security-first approach, they must regularly audit and evaluate their cybersecurity risk profile and adjust as necessary based on the evolving security landscape and technological advances. Continue reading for six questions your firm should reflect on regarding their cybersecurity risk profile.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that they take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party. But it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.
Did you know that the global average cost of a data breach is $3.86 million? Or, that the average cost incurred for each record of lost or stolen sensitive and confidential information has increased by almost five (5) percent since 2017? A recent study found that breaches are only getting bigger; and I think we have the evolving sophisticated cyber threats that continue to surface.
For alternative investment firms, there are a number of business and operational challenges to navigate on a daily basis. With the evolving IT landscape and new technologies and best practices emerging, it can be difficult to stay up to speed. Here, we’ll outline four common IT challenges for alternative investment firms.
With the security landscape becoming more complicated, it can be a challenge for alternative investment firms to stay up to date with the latest and greatest trends and technologies in security. Hackers are becoming more sophisticated, and social engineering attacks are on the rise, so it is crucial to ensure that your firm has the right protections and level of security to keep your confidential information safe.
To decipher which means of security are right for your firm, you need to look at your company size and risk profile. Suffering a breach or a cybersecurity incident can be harmful to your organization’s reputation, which in turn is harmful to your bottom line. You can use our Cybersecurity Checklist to see the technologies and safeguards Eze Castle offers based on which tier you choose, Standard or Advanced.
2.) Adopting New Technology
Technology adoption is a common challenge for firms of all sizes. Smaller firms may not have the budget or resources to dedicate to the adoption of new technology, while larger firms face their own set of challenges, with more end-users, and potentially bandwidth restrictions of their own.
Whether adopting new applications or migrating to the cloud, having a trusted third-party vendor to guide you through the selection and implementation process can be invaluable. Using these vendors as consultants can help your firm navigate IT and technology decisions and choose the best fit for your firm. When choosing a vendor for your technology needs, be sure to choose a firm with industry-leading, best-of-breed solutions and 24x7x365 support.
Today, security threats are ever present and constantly evolving, keeping firms on their toes and cybersecurity in the headlines. Financial institutions need to ensure that their network and systems are running smoothly and their data is safe and sound. At Eze Castle Integration, we believe in employing a layered approach to cybersecurity, meaning, having layers of technology in addition to policies and procedures in place to ensure security. Some of our top tips for bulletproofing your firm's network include:
On a basic level, firms should utilize anti-virus software and network firewalls, which will reduce traffic to the firm's network. Ensure that anti-virus software and all programs are up to date so that hackers and malware aren't able to sneak into the system. Additionally, making sure that all Microsoft patches are deployed in a timely manner is a security best practice, and there can be serious implications on your firm's security if you are not patching properly.
Active Threat Protection
With Eze Active Threat Protection, or Eze ATP, firms can take a fully managed approach to secure their network. Eze ATP has a three-step approach to threat protection:
As your firm's IT Manager or Chief Technology Officer, you may be tasked with evaluating and directing the strategic technology initiatives at your firm. Unfortunately, this doesn’t always mean that you have the final say on how and when your firm makes technology-related decisions. That responsibility, in many cases, falls to the Chief Operating Officer or Chief Financial Officer, and in many cases, that individual does not have a technology background. It’s up to you, then, to ensure you provide your CXOs with the right information to make an informed decision about your firm’s technology foundation.
To assist in this process, let's walk through some of the primary considerations senior management (C-level execs) will weigh when evaluating a move to the cloud.
Cloud Migration Drivers: Is Cost Always the Primary Factor?
Many CFOs feel the best way to justify a new technology to non-technical senior management is to provide a sound and logical cost comparison. And when it comes to the cloud, yes – cost is a big factor and a serious selling point.
There is no doubt that in today's world, data security and privacy is a hot topic. With the upcoming General Data Protection Regulation (GDPR) in the EU and cybersecurity constantly being in the headlines, investment firms are constantly facing scrutiny and questions from investors on what measures they take to secure their data. While most organizations have a formal cybersecurity posture, it is also crucial to have a Written Information Security Plan, also known as a WISP, and a Business Continuity Plan, also known as a BCP. While these are both formal plans to protect your organization, many firms confuse the two.
What is a Written Information Security Plan (WISP)?
A WISP details policies and procedures for ensuring confidential data is protected, how it is being protected, and who is ensuring it is protected. A WISP includes both administrative and technical safeguards that your organization has in place. Anyone or any company that has access to client or employee information needs to make sure that they implement the appropriate level of both administrative and technical safeguards.
Some examples of administrative safeguards include:
Definitions of confidential data and how it is protected
Where confidential data is located (shared drive, externally hosted, hard copy format, etc.)
Monitoring who has access to confidential data and ensuring only the necessary people are able to access the data
Roles and responsibilities for responding to a data breach or cyber incident and internal and external communication procedures for responding to incidents
In our previous post, we outlined what an information security plan is, why your firm needs one, and the first three steps of building a plan. Now, let's dive into steps four through nine on building an Information Security Plan to protect your firm.
Steps to Create an Information Security Plan:
Step 4: Classify Data
Step 5: Evaluate Available Security
Step 6: Perform a Cyber Risk Assessment
Step 7: Perform a Third-Party Risk Assessment
For a list of questions to ask and pro-tips, download the full eBook "9 Steps to Create an Information Security Plan".
Step 8: Create an Incident Response Plan
Step 9: Training and Testing Employees
In part one of this two-part blog series, we'll cover what an information security plan is, why your firm needs one, and the first three steps to create a plan.
What is an Information Security Plan?
An information security plan is documentation of a firm's plan and systems put in place to protect personal information and sensitive company data. This plan can mitigate threats against your organization, as well as help your firm protect the integrity, confidentiality, and availability of your data.
Steps to Create an Information Security Plan:
Step 1: Perform a Regulatory Review and Landscape
Step 2: Specify Governance, Oversight & Responsibility
Step 3: Take Inventory of Assets
In our next blog post, we'll continue the series and post steps four through nine on how to create an information security plan. You can also download our eBook to get a comprehensive list of the nine steps, including pro-tips and resources relevant to financial firms.
With the technology landscape evolving at such a fast pace, it is crucial to keep an eye on IT trends throughout the year. Some common themes to watch in IT: Cybersecurity and Cloud Outsourcing.
Cybersecurity continues to take center stage in IT Trends for 2018. With past and recent cybersecurity breaches like WannaCry, the Equifax breach, and others, the financial industry, and all industries really, are on high alert to ensure that their organization doesn’t fall victim to one of these popular attacks.
Phishing & Social Engineering
Tying into Cybersecurity, phishing and social engineering continue to be a challenge for organizations. With phishing and social engineering schemes becoming more sophisticated and hackers becoming more advanced, it is crucial to keep this top of mind to avoid financial or personal loss. For tips to combat phishing and social engineering, register for our webinar on March 28th and hear from Eze Castle’s Phishing and Social Engineering experts on steps your firm can take to mitigate risks from these types of attacks.