We have listened to numerous warnings about cyber threats and data breaches. We've been urged to secure networks and prepare response plans in anticipation of an attack, but as we've seen countless times in the news, some businesses have learned the hard way.
Whether you've fallen victim to cybercrime, gotten lost in translation, or are striving to improve preventative measures, it is never too soon to enhance your firm's security safeguards.
But where do you start? What best practices should your firm implement to mitigate cyber risk?
In 2014, the SEC released a 28-point cybersecurity questionnaire to investigate the security practices and procedures of firms in the financial sector. Since then, the SEC has begun conducting examinations of registered firms and continues to release guidance on the infrastructure and business policies firms should implement to reduce the risk of cyber incidents.
The following are key takeaways from the SEC's exam findings that hedge funds and investment management firms may wish to apply in building and enhancing their cyber preparedness programs.
ALL-INCLUSIVE APPROACH
Security and growth are shared destinations across the hedge fund and asset management industry. Achieving both, however, is no easy feat.
Due to the increased sophistication of cyberattacks, coupled with growing global connectivity over the web, data breach "what if" scenarios are a way of the past. Today, it's essential that firms proactively plan to efficiently address the inevitable "when" by putting in place layers of security and incident response plans. Furthermore, a firm's cyber strategy must reflect this shift and not only address prevention, but also detection and remediation tactics.
GRASPING COMPLIANCE
At the cornerstone of a firm's efforts to address cybercrime exposures and risks is its information security and compliance program.
Results of the SEC questionnaire revealed that the majority of advisers have Written Information Security Policies (WISPs) in place to safeguard sensitive information and periodically assess their mechanisms to thwart threats. It is incumbent upon a firm to expand the scope and depth of cybersecurity awareness programs and customize policies to fit a firm's unique circumstances.
Aside from documenting and assimilating network and information security practices, senior management, CXOs, board members and the like should develop a deep understanding of all facets of these programs. They must also conduct regular audits and assessments.
INTERNAL TRAINING
For a firm's continued success, it is necessary that cybersecurity initiatives start at the core of the company: its people. The most robust, comprehensive security program is a collaborative effort that entails best-of-breed technology paired with proven and tested practices.
SEC exam findings show that employees are not always following firm procedures and thus need to be centric to an organization's risk-focused approach. Funds can stimulate educational growth and reduce the opportunities for a breach to occur by disseminating cybersecurity policies company-wide and employing mandatory training courses upon onboarding employees as well as on a regular basis.
THIRD-PARTY RISKS
Empirical evidence from the SEC's examinations exposed an acute lack of third party assessments and thus, the SEC has made it a critical point to address this in their future exams.
In a progressive, competitive landscape with increasingly high-profile technology risks, it is critical that advisors evaluate all access points to their infrastructures and address each party with network keys.
Advisers should then perform proper due diligence on all key service providers to allay security apprehensions and help ensure compliance.
To keep pace with the dynamic nature of investor and regulatory demands, firms must then take this risk-focused approach to the next level.
Beyond obtaining records of security policies and passing the baton onward, a fund manager should absorb this information and develop a deep knowledge base to adequately understand their firm's unique risks and efficiently fulfill due diligence questionnaires and evaluations.
Cybersecurity is unquestionably the number one technology risk jeopardizing the hedge fund and alternative investment industry. While there is no guaranteed solution to evade all hacktivist efforts, enhancing security measures, checking the locks and keeping at the forefront of cyberspace will better prepare advisers and managers for the inevitable "when."
Bob Guilbert is managing director of Eze Castle Integration, an IT services firm.
