With increased oversight, regulatory scrutiny and risk related to cybersecurity, now may be the time for those in the asset management industry to be proactive in managing cybersecurity risk.
Cybersecurity continues to concern many industries, due to potentially broad exposure among both the media and regulators. The number of recorded data breaches rose 30% from 2012 to 2013, and on August 28, it was reported that the FBI is investigating data breaches at between four and five major U.S. financial institutions, including J.P. Morgan.
According to Money Management Executive's Operational Issues Survey, a total of 65% of companies rated data management as "important" or "very important," and 58% stated they would be "concerned" or "very concerned" about the potential for error regarding computer/data security.
However, only 25% stated that their firm runs redundant systems or automated back-up recovery systems for computer/data security. When asked how likely their firm is to spend money to improve computer/data security over the next 12 to 18 months, only 36% stated it was "likely" or "highly likely" while another 47% stated that they did not know. Similarly, only 26% of respondents stated that they were likely or highly likely to hire additional staff for computer/data security, while another 47% stated that they did not know.
In June, mobile apps and iPads/tablets ranked supreme among fund providers in Money Management Executive's technology survey. The goal among providers in their use of these technologies, they said, is to increase staff efficiency and productivity, enabling greater ease when traveling and making it easier to multi-task when working from home.
With that level of information and convenience, however, come compliance and security challenges. "Cybersecurity is one of the SEC's biggest concerns within the money management world, because regulators want to see that if you're a fund firm you have processes in place that will protect information," Emily Silva, managing director at Cipperman Compliance Services, told MME.
Proper cybersecurity risk management requires a proactive, system-wide approach. Waiting until a breach occurs to prepare a response may be "too little, too late." Fund providers may wish to consider the following points:
Form a Team and a Plan
Form a team to include IT, legal/compliance, public relations/communications, operations, vendor management, and any other applicable roles that may collect, use, share or store sensitive data. Smaller businesses may not have separate positions or departments, but rather individuals with multiple responsibilities encompassing these areas.
Prepare a plan to respond to a potential data breach. Legal plays a central coordinating role, especially if your company operates in multiple states. Also note that your response to a data loss is only one piece of your cybersecurity approach. Your team should develop a comprehensive plan centered around the basic concepts of: identify, protect, detect, respond, and recover - concepts addressed, among other resources, in the cybersecurity framework coordinated by the National Institute of Standards and Technology (NIST).
Your plan should also include training, drills and internal (and preferably independent external) audits to ensure adequate cybersecurity policies and practices. Some of the issues you may wish to address in this plan may include: record retention and destruction, network security and authentication, vendor and supply chain management, and policies and procedures for sharing data with third parties.
After discovering a breach, immediately contact both legal resources and an outside (or in-house if resources are adequate) forensic investigator.
A forensic investigator can swiftly identify the source and contain the breach against additional loss while preserving system and operational integrity. Legal can cover the investigation under privilege and respond to any complaints. (For major breaches, lawsuits are now being filed within 24 hours of a breach announcement.) Legal can also ensure compliance with any legal notification requirements. Data breach notification laws exist in 47 different states as well as multiple countries, including the European Union. Insurance policies or third-party contracts may also include notification requirements.
Finally, understanding how and when breaches are communicated is crucial to managing reputational harm. At first, your understanding of the breach will change day to day and even hour to hour. Public communication should be early and specific enough to assure customers, employees, or shareholders that your company is proactively handling the situation, but not so early or specific that you compromise that confidence by continually correcting yourself as your investigation and understanding of the breach evolves.
Assign Oversight and Accountability
Assigning responsibility and accountability to senior leadership shows investors, regulators, and the public that cybersecurity and protection of their data is a top priority.
You should also require vendor accountability. Many recent breaches have been caused by exploitation of vendor vulnerabilities or mistakes. You should incorporate privacy and security measures comparable to your own into your vendor contracts, and may also wish to consider incorporating indemnity or insurance requirements.
Encourage a System-Wide Security and Privacy Culture
Senior leadership plays an important role in encouraging a system-wide security and privacy culture. By establishing senior leadership and accountability, you send a universal message to your organization that security and privacy are priorities.
Outside threats (e.g., hackers) are only one threat to data security. Sensitive data can also be leaked from a lost or stolen laptop, disgruntled employees, ex-employees or vendors, or even a misdirected email.
By proactively addressing cybersecurity risk in a well-thought-out and informed manner, you can provide confidence to regulators and the public that you are responsibly managing an increasingly important risk across the country.
W. Brad Neighbors and Brandon N. Robinson are attorneys in the Birmingham, Alabama office of Balch & Bingham, and are members of the firm's Privacy & Data Security practice group.