There is a tendency when faced with a potentially serious threat to take extreme measures in life. Cybersecurity is no different. Many firms are looking for a quick fix, even if it comes with a high price tag. However, should managers take a more balanced and common sense approach to tackling the issue of cybersecurity, before spending vital operating capital on expensive individual solutions?
"Frequently, hedge funds are led to believe that the best way to protect themselves against cyber threats is to invest in expensive intrusion detection systems (IDS) or sophisticated firewalls," says James Tedman (pictured), Managing Director, ACA Aponix (Europe). "These items are effective, but it is important to understand their role and limitations. Rather than a silver bullet solution to the problem, they should be considered as one component of a balanced cybersecurity risk programme."
To develop a balanced response, managers need to first assess risk – understand the threats posed as well as identify vulnerabilities within their business process and technology.
"The published findings of the SEC OCIE sweeps stated that 79 per cent of the investment advisers surveyed had carried out risk assessments. However, we see that few managers undertake a true risk assessment and that many consider a network perimeter penetration test sufficient for identifying risks. A risk assessment should be a broad review that encompasses all aspects of the business and technology. A penetration test will not highlight whether a firm is using unencrypted email to communicate with their fund administrator or reveal an issue with the management of data backups," notes Tedman.
The first step in any risk assessment is to build an accurate picture of the environment. This includes knowing what devices and software are being used. Also, what data exists in the environment, where it is stored, how it gets there, who has access to it and how it is secured.
"It is important to create and maintain up-to-date inventories; this process can be automated using software to catalogue devices and software. On the data side, you should be able to map out where data resides both inside and outside your infrastructure. You should know what this data is, how critical or sensitive it is, and how it gets there. This will not only help to determine where to focus your effort in terms of implementing security measures, it is also essential information when trying to remediate a breach," explains Tedman.
Given the trend towards outsourcing in the hedge fund sector over recent years, and the amount of sensitive and business critical data to which vendors are privy, they can also be a significant security risk. Recent examples of this are the Target and US Office of Personnel Management (OPM) breaches where credentials were stolen from contractors.
As Tedman points out: "All managers should have some form of vendor management programme with each vendor assigned a risk classification based on their role and data access. Firms should be undertaking deep due diligence on key vendors to get a detailed understanding of their process and security measures. Other items to consider are security on the transport mechanisms used to send and receive data to vendors, as well as including specific provisions for cybersecurity in third party contracts."
By taking a bottom-up approach to assessing risk in the environment, managers can develop a more effective cybersecurity framework. "It is about identifying weaknesses in a fund manager's technology, their processes, their vendor relationships, and within their staffing arrangements as well. It needs to be a broad, balanced assessment of their environment," concludes Tedman.
