Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a financial firm undertakes when outsourcing a function of its business to a service provider is enormous. Not only is the firm relinquishing control to an outside vendor, it also takes on the added burden of managing that company, in addition to its own.
I recently interviewed Eze Castle Cybersecurity and Data Privacy Analyst, Matt Donahue, and we spoke about how hedge funds, private equity firms and other alternatives can roll out and improve third party risk management programs.
Within an organization, where does the accountability for risk live and how do third parties fit into that structure?
Typically, when firms think about where responsibility and accountability live within their organization they mention compliance or information technology – when, in reality, there should be a sense of responsibility at almost every level. As we’ve noted before when talking about establishing a culture of security, tone should be set from the top down – and in this case, risk management responsibility starts at the top also.
If you’re making decisions with only a single lens on technology or cybersecurity or any one area – you’re missing the big picture. Senior execs bring a high-level viewpoint that will help the risk management program align throughout the entire organization.
When September rolls around, Apple users await the annual release of the newest Apple products. This year was something special. It has been 10 years since the first ever iPhone came out! The original iPhone ran on OS X, lacked 3G (meaning you could only get online when connected to Wi-Fi), and didn’t include an App store. All in all, it's pretty remarkable to see how far Apple has come since 2007. But before we get to the new iPhones (yes, plural!), let's take a look at some of Apple's other exciting announcements.
Watch Series 3
Apple Watch has just recently surpassed Rolex and is now the #1 watch in the world. And for the first time ever, Apple Watch now has cellular built in. This means you can have the freedom to go anywhere with just your watch – no iPhone necessary! When the iPhone is left behind, your Apple Watch will allow you to make and receive phone calls and send text messages from your same phone number. You will be able to utilize the maps function, plus 'Find My Friends' will update your location based on where you and your watch are. Cellular and Apple Music allow users to stream up to 40 million songs. The new Watch is swimproof, 70% faster, allows for up to 18 hours of battery life and comes in a variety of new bands and colors.
With hurricane season fully upon us and Irma bearing down on Florida, firms must ask "Would my firm be ready if there were an emergency today?" and "Would your employees know what to do?" September is National Preparedness Month (NPM) which is sponsored by the Department of Homeland Security and FEMA’s The Ready Campaign in an effort to increase awareness for individuals, businesses, families and communities. NPM aims to encourage the public to make preparedness a part of their daily lives and stresses the importance of being ready for the unknown.
Why should you focus on being prepared?
By teaching your employees why to prepare, your firm will not only demonstrate its importance, but employees will also maintain this knowledge and expertise that will help keep the business operational. Preparation can mean the difference between a successful and failed recovery, both personally and professionally. Educating your employees on what they’ll need at home, where to go, who to contact, etc. will equip them with the right information they’ll require at the time of an incident. With the proper information readily available, employees can focus on helping resume business operations more quickly.
Below is an excerpt from our whitepaper, 'Cybersecurity for Private Equity'. Click here to download the full whitepaper.
As private equity firms become more dependent on outsourcing and adopt new technologies to support operations, the number of threats they expose themselves to increases exponentially. It can be a daunting task to stay on top of the new and evolving risks at hand, but meticulous attention needs to be employed to mitigate these ongoing threats.
Today’s hackers and cyber criminals are not only targeting IT systems, but humans as well. Attacks vary in target, size and motive, but all pose serious risks to your firm’s wellbeing, thus it’s vital to be aware of common threat types targeting your firm and the broader private equity community. Here are a few to be mindful of:
In addition to taking advantage of human errors and naiveté, today’s hackers are also incredibly successful at identifying gaps in technology that can lead them to profit (monetary or otherwise). One of these most critical gaps is a lack of adequate and timely patch management.
Software vulnerabilities have turned heads in 2017 with news-making ransomware outbreaks such as WannaCry and Petya calling attention to outdated patches and legacy technology. First, hackers look for an entry point: often a phishing email or other social engineering scheme intended to fool users into leaving a gateway open. Once inside a firm’s network, there’s no telling the damage a hacker can do, but we’re witnessing increased activity and success in exploiting these security holes caused by inadequate patching.
What can firms do to address this security gap? Unfortunately, the problem of patch management cannot be resolved with one click of a button. Successful and ongoing management and monitoring of security patches requires a diligent effort – and one that cannot be 100% automated. Regardless of size, most firms do not have the internal resources required to manage frequent patch roll-outs, particularly for firms leveraging a host of third-party applications.
To sustain the highest levels of resiliency and prevent software vulnerabilities from causing harm on their own or at the hands of malicious hackers, firms should look to implement a patch management service. Companies – such as Eze Castle Integration! – can provide fully managed patch services to ensure software and firmware remain up-to-date and are proactively monitored to prevent security bugs and malicious exploits, reducing overall firm risk. This means seasoned IT experts are keeping pace with a constantly changing threat landscape, enforcing consistent IT policies to eliminate weak links and reducing overhead so your IT resources can focus on more complex tasks.
Hackers are tricky. And one common phishing attack trick is registering domain names similar to those of the targeted organizations with the goal of capitalizing on typos or fast readers. It is a modern day sleight of hand.
Here’s an example. You search for West Hamilton Capital and www.westhamiltoncaptal.com pops up. If the phishing site looks similar to the real website, there is a good chance a visitor could be fooled. Additionally, the domain can be used in phishing email scams.
That is why it is important for firms to keep an eye on their company’s domain name variations. Some firms may even wish to proactively register variants or block similar domains to reduce the risk of them being used in social engineering scams against employees.
How Do Firms Monitor Domain Registrations?
DNStwist is a domain name permutation engine for detecting typo squatting, phishing and corporate espionage. Another option is the domain name permutation service, DNStwister, which generates a list of domain names that are similar to the one that is inserted, checking to see if any of them are registered.
According to the DNStwister website, you can subscribe to receive alerts if a new domain is registered like yours, if an existing domain has changed IP address or has even been unregistered.
Here’s a sample DNStwister report for the fictitious West Hamilton Capital.
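To make the permutation idea concrete, here is an added example (not the DNStwist or DNStwister code itself) that generates the common typosquat variants of a domain and flags observed domains that match one of them, which is how a firm can check sender or link domains seen in its own mail logs against its real domain. The fictitious westhamiltoncapital.com from the article is the input; the QWERTY and homoglyph tables are assumptions.

```python
# Typo-permutation generator in the spirit of the DNStwist/DNStwister tools
# discussed above: added example code, not those tools' own source. The
# domain westhamiltoncapital.com is the page's fictitious example.

# Assumed QWERTY neighbours (letters only) for fat-finger replacements/insertions.
QWERTY = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
# Visually confusable ASCII substitutions (a small, assumed homoglyph table).
HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "m": "rn", "w": "vv"}

def permutations(domain):
    """Return {variant: technique} for typosquat-style variants of `domain`."""
    name, tld = domain.rsplit(".", 1)
    out = {}

    def add(n, technique):
        if n and n != name:
            out.setdefault(f"{n}.{tld}", technique)  # first technique wins

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")            # capital -> captal
        add(name[:i] + ch + name[i:], "repetition")          # capital -> capiital
        if i < len(name) - 1:                                # capital -> captial
            add(name[:i] + name[i + 1] + ch + name[i + 2:], "transposition")
        for c in QWERTY.get(ch, ""):
            add(name[:i] + c + name[i + 1:], "replacement")  # capital -> capotal
            add(name[:i] + c + name[i:], "insertion")        # capital -> capiotal
        for c in HOMOGLYPHS.get(ch, ""):
            add(name[:i] + c + name[i + 1:], "homoglyph")    # capital -> capita1
        if i > 0:
            add(name[:i] + "-" + name[i:], "hyphenation")    # capital -> cap-ital
    return out

def flag_lookalikes(observed_domains, legit_domain):
    """Defensive check: which observed sender/link domains (e.g. from mail
    gateway logs) are permutations of the firm's own domain, and by which technique."""
    variants = permutations(legit_domain.lower())
    return {d: variants[d.lower()] for d in observed_domains if d.lower() in variants}

if __name__ == "__main__":
    for variant, technique in sorted(permutations("westhamiltoncapital.com").items()):
        print(f"{technique:14} {variant}")
```

Feeding the generated list to a DNS resolver, as DNStwister does, turns this into a registration check; the permutations alone already give the watch-list to alert on.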
The most vital asset of a business is their data, and protecting your data is becoming more and more challenging. In our recent blog, Is Your Data Dirty? Data Hygiene Best Practices for Financial Services, we talk about securing your data and eliminating data that is no longer of appropriate use for your company. In doing so, you can help safeguard your firm.
“Dirty data” can include forgotten data, old reports, archived emails, and more. Duplicate data is similar to forgotten data because it is often unknown that the copy exists. Not having a firm handle on the data within your organization can increase storage costs, complicate IT environments and ultimately make your firm vulnerable to cybersecurity events.
Beyond Internal Data Hygiene
Going beyond understanding where your sensitive data lives and practicing good internal data hygiene, firms need to understand where it is overexposed, how it is being accessed and how to protect it.
To help clients take control of their data, we encourage firms to take advantage of file auditing tools such as Varonis’ DatAdvantage, which provide insight into when and by whom corporate files are opened, edited or shared. DatAdvantage, which is included with our Eze Cloud Solutions, also aids in identifying stale (i.e. dirty) data that is no longer accessed by actual humans.
Additional benefits of DatAdvantage include:
Monitoring All Real-Time Access: Varonis monitors every open, create, delete and move event, and every email sent and received, that any individual generates. You see who accessed data, the action they performed, the name and type of the accessed file or email, the folder the file is stored in or moved to, and when.
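The stale-data idea above (files no longer touched by actual humans) can be checked from exactly this kind of per-event audit trail. The following is an added example over constructed events, not Varonis code or its export format; the account names, paths and 180-day threshold are assumptions.

```python
# Stale-data check over file-audit events of the kind described above
# (who, what action, which file, when). Added example with constructed
# events; not DatAdvantage code or its export format.
from datetime import datetime, timedelta

# Assumed non-human accounts whose reads (backup, AV scans) are not real use.
SERVICE_ACCOUNTS = {"svc-backup", "svc-antivirus"}

# Constructed audit events: (ISO timestamp, account, action, path)
EVENTS = [
    ("2017-01-10T09:12:00", "jsmith",        "open",   "//fs01/finance/q4_report.xlsx"),
    ("2017-08-30T02:00:00", "svc-backup",    "open",   "//fs01/finance/q4_report.xlsx"),
    ("2017-08-29T14:05:00", "mlee",          "open",   "//fs01/deals/term_sheet.docx"),
    ("2017-03-02T11:40:00", "jsmith",        "create", "//fs01/hr/old_payroll_copy.csv"),
    ("2017-08-31T02:00:00", "svc-antivirus", "open",   "//fs01/hr/old_payroll_copy.csv"),
    ("2017-06-01T10:00:00", "mlee",          "delete", "//fs01/deals/draft.docx"),
]

def last_human_access(events, service_accounts=SERVICE_ACCOUNTS):
    """Map each still-existing file to its most recent open/create/move by a human."""
    last, deleted = {}, set()
    for ts, account, action, path in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "delete":
            deleted.add(path)
            continue
        if account in service_accounts:
            continue  # a backup or AV touch would otherwise hide the staleness
        if when > last.get(path, datetime.min):
            last[path] = when
    return {p: t for p, t in last.items() if p not in deleted}

def stale_files(events, now, max_age_days=180):
    """Files whose last human access is older than max_age_days before `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(p for p, t in last_human_access(events).items() if t < cutoff)

if __name__ == "__main__":
    for path in stale_files(EVENTS, datetime(2017, 9, 1)):
        print("stale:", path)
```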
What is the GDPR and Who is Affected?
The General Data Protection Regulation (GDPR) was adopted and approved by the EU parliament in April 2016 and will supersede the UK’s Data Protection Act 1998.
The GDPR directive will come into force Friday 25th May 2018, and will apply to organisations located within the European Union (EU) but also to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The main intent of the GDPR directive is to give individuals more control over their personal data, impose stricter rules to companies handling it, and make sure companies embrace new technology to process the influx of data produced.
From 25th May 2018, penalties for failing to abide by the GDPR’s principles will lead to fines of up to 20 million euros or 4% of global annual turnover, whichever is greater. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
Since 2014, the Securities and Exchange Commission (SEC) has made it clear that cybersecurity risk is a top priority, and now via their second round of examinations, the regulator has issued key observations to educate and inform financial firms and investment advisers of their growing expectations.
And while the SEC noted that, overall, firms demonstrated more preparedness than their first round of exams in 2014, gaps remain within cybersecurity programs, notably around employee training, patch management and vulnerability assessments.
Following are noteworthy takeaways from the SEC’s cyber exam sweep observations:
Cybersecurity Gaps Observed:
Many firms’ policies & procedures were considered too vague or generic and failed to include specific safeguard examples or implementation procedures.
The SEC observed a failure by firms to ensure employees complete annual information security training as well as a failure to take action with employees who did not comply with said requirements.
Unlike broker-dealers, the majority of advisers do not have incident response plans in place, which include plans for notifying customers and counterparties of breaches.
This article appeared in its entirety in HFMWeek Magazine in August 2017. Part 1 is featured below. Part 2 will appear on Eze Castle Integration’s blog in the coming weeks – stay tuned!
The security risks we face are ever changing, and it’s a full-time job trying to keep pace. Attacks can spread quickly (think: WannaCry) and disrupt systems, networks and operations to the point of disaster. And social engineering scams – e.g. sophisticated, well-timed phishing emails – are targeting users more frequently, meaning your guards need to be up, technology and otherwise.
Unfortunately, many firms often fall short when it comes to their cyber-security protections – and they don’t often realise it until it’s too late. These 10 common IT security gaps highlight areas where investment firms can take steps now to avoid risk in the future. These gaps are preventable, and when the next phishing email hits your inbox or ransomware attack strikes, you can rest easier knowing you’ve plugged these common security holes.
Risk management and governance
Who owns the risk at your business? Cyber strategy and programmes start at the top, so your leadership team/executive board should be involved in discussions around cyber-security preparedness. You should also appoint a Chief Information Security Officer (CISO) to oversee the firm’s security posture. Oftentimes, this individual holds a dual-role within the firm, also operating as the Chief Compliance Officer or Chief Technology Officer.
Risk management does not end with the CISO, however. There should be broad support and input across the firm with regard to cyber-security practices and governance policies.