When it comes to cybersecurity there are many factors that you need to be conscious of. During a recent webinar, speakers from Eze Castle Integration and Wolf & Company shared 10 of the most common cybersecurity gaps identified during an IT audit/risk assessment. We’ve listed the top 10 below and shared some particulars on a few of the most critical (in our opinion). For more detail on how these gaps are presenting themselves – and also best practices for avoiding them – click here to listen to the full webinar replay.
Top 10 IT Security Gaps
Risk Management and Governance
IT Asset Management
Social Engineering & User Training
Business Continuity Planning
Third Party Vendor Management
User Provisioning and Management
Incident Response Planning/Procedures
Risk Management and Governance
Responsibility and accountability for risk management starts in-house – and at the top. Even for firms that rely on third party outsourced providers, it’s imperative (and often overlooked) to establish governance controls and outline who internally maintains ownership of the firm’s security posture – and more broadly, who owns the firm’s risks.
When it comes to cybersecurity, the list of haves and have nots is constantly evolving due to the changing regulatory and threat landscape. In case you missed it, we hosted a webinar this week on Cybersecurity Basics for Asset Managers, during which we uncovered various elements within three primary cybersecurity layers: from Tier 0 (Basic Protection) to Tier 1 (Industry Standard) to Tier 2 (Advanced Protection).
How does your firm stack up when it comes to your cybersecurity practices? Watch the replay below and find out where you fit in.
Tier 0: We call this level Tier 0 in part because, well, there’s zero chance your firm will have long-term success in thwarting cyber risks if you don’t employ these basic security measures.
In Part Three of our Risk Outlook Webinar Series, Michael Corcione, Managing Director of Cordium, spoke about compliance and cybersecurity trends in the investment industry. Although cybersecurity risks and struggles can vary from firm to firm, it is important to address a number of key areas.
Continue reading for quick takeaways or scroll down to watch the 30 minute video replay.
Good security can be achieved as firms move from reactive to proactive strategies. Firms usually start with the goal of checking the box for regulators, but they need to get beyond the 'check-the-box' exercises and test controls. The SEC’s 2015 cybersecurity guidance update provided more specific insights on cybersecurity focus areas for investment firms - governance and risk assessments, training and awareness, incident response, data loss prevention, access rights controls, and vendor risk management. Hedge funds and investment firms should use this as a framework, understand how they have addressed these areas and where they need to improve.
A good cybersecurity program starts with the leadership team, and they need to set the tone from the top down. This way everybody understands the impact of risk and its effects on the firm. Leaders should acknowledge risk, understand risk, and lead ongoing discussions firm-wide.
During Part 2 of our Risk Outlook Webinar Series we spoke with Eze Castle Integration Director Dan Long about how investment firms should address evolving cybersecurity risks, third party service provider oversight and employee training and education. Many of the points Dan addressed highlight questions hedge funds and private equity firms should be asking themselves.
Read on or scroll to the bottom to watch the full, 30-minute replay.
What is our commitment to cybersecurity and what is our outlook on the future?
Regulators and investors continue to ask more questions about cybersecurity because they want to know that firms are effectively mitigating risk. To meet these growing expectations, firms must demonstrate that you take cybersecurity risk seriously and have implemented sound systems, policies and procedures to combat those risks. As the threat landscape and technology continue to evolve, investment management firms need to evolve accordingly and develop better ways to counteract threats. Firms don’t necessarily need to implement every available security technology, but they should be keenly aware of their options and have a plan to effectively mitigate as much risk as possible.
How are we addressing third party risk and oversight?
Investment management firms often rely on third party vendors to obtain functionality or capabilities that they need, want or can’t afford to produce on their own. But moving functions out of the firm's control can present challenges. With any outsourced function, the firm inherently takes on additional risks at the hands of the third party. But it's critical for investment managers to limit those risks through sufficient due diligence. To combat vendor risk, financial firms need to maintain strict oversight of all third party relationships and investigate security practices and protocols, particularly for those vendors who have access to the firm's confidential information. An outsourced vendor should be providing the same level of security (or better!) as your firm would if the function was under in-house control.
As we work with clients on completing due diligence questionnaires (DDQs), one increasingly common question is, “does your firm block access to data sharing sites such as DropBox or Google Drive?”
Generally the answer to this question should be ‘Yes,’ but that isn’t always the case because public file sharing services such as these are very convenient, and firms may overlook the security risk they pose. Additionally, employees accustomed to using Dropbox for personal use may be tempted to go for convenience over security when they need to share a large file or data set.
However, with security threats multiplying exponentially, hedge funds and alternative investment firms need to be proactive in protecting data and personally identifiable information (PII) from accidental and malicious insider risks. That’s why for secure file sharing Eze Castle Integration includes Varonis' DatAnywhere product as a standard feature within our Eze Managed Suite. Varonis' DatAnywhere offers users seamless and secure collaboration and file sharing across devices.
Beyond security, Varonis' DatAnywhere is easy to use. Users receive the same drag-n-drop experience as shared network drives or a cloud sync folder, which means no need for training on complex user interfaces and collaboration workflows. Additionally, data is automatically backed up and version controlled.
Cloud, Cyber Security and Managed Services: Putting Eze Castle Over the Top in Waters Rankings (Video)
We're thrilled to share that Eze Castle Integration has won the coveted awards for Best Cloud Infrastructure Provider and Best Cyber-Security Provider in the 2016 Waters Rankings. Vinod Paul, Managing Director of Eze Castle Integration, spoke with Dan DeFrancesco, Deputy Editor of Sell-Side Technology and Waters Technology about how Eze Castle Integration differentiates itself from other cloud and security providers.
Watch Vinod's video interview below or scroll down for some quick takeaways.
A new year, which is just around the corner, brings us endless opportunities to improve. So here’s a list of the top 4 IT resolutions that will help keep your hedge fund safe and sound in 2016.
Eze Video Debut!
Ever wonder about the layers of security encasing our Eze Managed Suite solution? We thought you had. That's why we created this video, which outlines not only the security protections but also the extensive services available to investment firms and hedge funds that move to our premier cloud solution.
Watch, learn and then contact us for more details.
Today we released a new whitepaper that looks at a growing trend we are seeing -- billion dollar hedge funds and investment firms moving to the cloud. Here is a sneak peak at the paper's content as well as a video interview with Bob Guilbert on why firms should read, Why the Billion Dollar Club is Headed to the Cloud.
It’s More Than Managing Money
There’s more competition in financial services than ever before. Every week, new and agile boutique firms sprout up, armed with proprietary models and the right technology foundation to compete – intensely – with the major players for billions of investment dollars. Firms of every size are competing to deliver broader ranges of increasingly exotic instruments, specialized funds, and high-performance investments that deliver competitive returns to investors whose demands and expectations continue to climb.
But when it comes to performance and success in financial services, there’s more to evaluate than just the hard numbers. Returns alone aren’t enough. Today, savvy firms know they need to deliver more. In a post-Madoff, post-2008 world, the SEC and FINRA – and investors as well – are scrutinizing all corners of the operation. There’s an increased focus on how operational risk is managed and how firms respond to greater demands for transparency. That means it’s more important than ever for firms to deploy and maintain robust, scalable, and secure technology infrastructures.
They say a picture is worth a thousand words so here is an infographic of our 2013 Global Hedge Fund Technology Benchmark Study that explores the most common front, middle and back office applications and technology used at today's hedge funds.