Whilst the cybersecurity narrative typically tends to focus on how asset managers are putting steps in place to improve their cyber preparedness, of equal importance is how investors can assess managers objectively as part of their due diligence process.
Bringing that objectivity is sometimes overlooked. Investors might be interested to hear about how managers are tackling the problem, but they need a way to scorecard them. To help with this, Castle Hall Alternatives has launched Due Diligence University to support asset owners as they conduct due diligence on third party asset managers.
The first white paper, in what will become a series of educational resources for investors, is entitled Evaluating an Asset Manager's Cybersecurity Environment, which identifies ten key due diligence risk areas related to technology security and includes a cyber risk management evaluation tool.
"While there may be a gold standard for an asset manager that has significant internal resources to deploy, naturally that same gold standard cannot apply to all asset managers. As such, any assessment needs to include baseline aspects to a cyber risk framework that an investor could apply as a `common standard' to all asset managers," explains Daryl Purdy, Vice President, Castle Hall Alternatives.
Whilst it is fair to say that there is now a general willingness within the fund management industry to accept that proper policies and procedures need to be in place, there will inevitably be a wide range of capabilities among fund managers.
This year, both the National Futures Association and the Securities Exchange Commission have become increasingly active in assessing the `cyber preparedness' of registered investment advisers, using specialist IT teams to conduct audits. But whereas large institutional managers have not waited for the regulatory response, with many putting in place measures to beef up their cyber risk frameworks over the last couple of years, smaller managers are still in the early stages of implementation.
"Our risk evaluation tool serves as a framework to ascertain how prepared a manager is and use it as a basis for discussion whereby investors can share their initial thoughts on where they think the manager's cyber risk approach needs to be improved. This is really a guidance tool. Through our ODD process we can also help managers move towards best practices and improve their business and operations," explains Vladimir Rabotka, Director, Security and Systems Administration, Castle Hall Alternatives.
"We will come in and speak to managers about particular sections of the evaluation. I believe in terms of self-assessment it is a useful tool to have as it can help managers to work towards a position of being proactive rather than reactive, and stay one step ahead to identify which controls need to be in place."
One of the 10 evaluation items is Data Classification. This, says Rabotka, is about understanding what constitutes sensitive information and how it propagates throughout the manager's environment i.e. having a good idea of where data is being transferred, processed and stored in order for the manager to put in place the appropriate security controls. "Security controls always have to travel with the data," says Rabotka. He says that an example of where this might be regarded as sub-standard in the investor's eyes would be if there is no awareness over where such sensitive data is stored.
"For example, a manager that relies on vendors and consultants but doesn't understand how much access these third parties have to their data, which might include investor data. Blind faith is put in third parties without having a clear and full picture of what exactly is being handed over and what level of access is being granted," comments Rabotka.
If senior management within a fund group are providing different answers on where they think sensitive data is being held, and what the nature of that sensitive data is, this could point to a lack of Security Awareness and Training within the organisation; another of the 10 evaluation items.
"There are three types of sensitive assets that we typically see with our clients," says Brian Lozada, Managing Director of Duff & Phelps' Cybersecurity practice. "These include: 1. Investor data (bank details, names, social security numbers), 2. Employee data, and 3. Intellectual Property: trading strategies, algorithms, research notes."
Vendor due diligence
To help managers reduce the cyber risks of using third parties, Duff & Phelps assess every third party who is either storing, processing or transmitting sensitive data on behalf of the fund and then look to ascertain exactly what that third party is doing from a security perspective.
"What controls do they have in place? Do they have a 24/7 response team? Does the third party have an Incident Response Plan? Does it go through vulnerability and penetration tests? Does it share those results with the fund? We ask a series of questions on their data handling processes and their recovery efforts in the event that they are compromised," explains Jason Elmer, Lozada's colleague and fellow Managing Director.
One of the issues that fund managers need to be mindful of with respect to their third parties is that if they have had contractual relationships in place for four, five years, they are unlikely to contain information security provisions.
With every new contract that is put in place, Duff & Phelps will helps its clients to stipulate the information security provisions and breach disclosure terms that need to go in to the contract.
"Ultimately, alternative fund managers depend heavily on their third parties and trust them with a lot of sensitive data. Getting those contractual obligations in good order is key," states Elmer, who adds that they are currently doing risk evaluation exercises with clients so as to best prepare them for the eventuality of an SEC or NFA visit.
"We do this by evidencing the manager's policies and evidencing the fact that they've done due diligence on their service providers, evidencing that they've conducted tabletop exercises to prove that they've practiced their IRP and that it works, evidencing that their cybersecurity calendar outlines every quarter what training exercise will take place, etc. Showing that audit trail is very important."
George Ralph is Managing Director of RFA, a leading technology and financial private cloud provider. He makes an important point by stating that any time an asset manager uses outsourced IT vendors for IT development, they will have substantial terms and conditions in place to ensure that their intellectual property rights are protected.
"If, however, you have an internal IT development team, the chances are you won't have an IPR agreement in place with your staff. These are the sorts of points that we get our clients to think about to properly protect themselves," says Ralph.
The human element
To contain the threat of a cyber attack organisations might think that technology is the fail-safe option. Whilst up-to-date technology is important to an extent, the fact remains that it is the human element that is, and always will be, the biggest threat to suffering a cyber breach. As such, it is incumbent upon fund managers of all shapes and sizes to take seriously the need for ongoing training and education; which is far more cost-effective than buying the latest IDS system, for example.
"One thing we highlight with our clients when we do cybsersecurity training is that every single employee is a target," says Lozada.
"Threat actors are patient and disciplined. They do a lot of reconnaissance. They'll use LinkedIn to work out who works for who, who reports to who, and they are targeting people at home in the hope that that home compromise can be brought into the office. People are going to get phished on LinkedIn, Gmail, Facebook, etc. We therefore stress to users the need to think about things from an online practice perspective, not just to limit it to the office."
Hackers are continuously devising new and novel ways to penetrate networks but at the end of the day they just want to get paid. And so it becomes a numbers game. They will look to exploit employees with subtle tactics that are designed to catch them off-guard and trick them, for example, into clicking on a link that downloads ransomware, encrypts data, and demands a Bitcoin payment to unlock it.
"Recently, I received an email from Bank of America.co instead of .com. Even though I don't have a bank account with them it was, nevertheless, a well-written email made to look like something I should respond to. We've actually started to use that email as one of our phishing campaigns," confirms Mark Coriaty, Senior Vice President Strategy & Partnerships, Eze Castle Integration.
Ralph explains that the top five social engineering techniques are: stealing passwords; pre-texting or `friending' where someone tries to build a relationship by posing as an external service provider; phishing attacks; bating, which tries to tempt people with free goods; and tailgating, where someone will follow an employee into the building after they have swiped their security card.
When asked what the risks are to using social media, Ralph advises managers not to simply ban because it would then drive people to doing more on their mobile devices, but rather to make employees aware of the risks and offer alternatives.
"LinkedIn will allow you to sign up using your Gmail or Facebook account. Don't do that. Create a new account. And also control the content that employees post on Twitter, on LinkedIn. Keep it personal and not business specific as that will attract potential cyber criminals," stresses Ralph.
He says that following blogs is fine "but we advise people not to post comments.
"People always say that their views are personal and not those of the organisation they work for but that never gets taken into consideration. If someone posts a response that someone doesn't agree with, they might bear a grudge with the company that person works for and that could expose them to a potential attack. The key point to remember is that social media is not verified. We can all work for any company we want on social media."
Dealing with a breach
Given that humans make mistakes, the fact is that organisations should have a plan in place to deal with a breach when it happens, not if it happens.
One way to reduce the scope of a breach is to put limits in place on who can access what data within an organisation. This is especially pertinent to C-level executives. They might want access to everything as the COO, but do they really need to see the marketing department files, or the everyday accounts payable files?
There's a point to this. If, for example, that same COO fell victim to a CryptoLocker attack, if they did not have permission to see certain data sets then equally the piece of malware would likewise not have access to those data sets.
Marcus Lewis is Director, Technical Sales at Capital Support, a leading managed IT services provider. He says that they use shock tactics when they visit clients.
"We use a mock headline on a newspaper that says they suffered a massive breach and the aim is to elicit the response, `We wouldn't want that to happen!' Our response is, `Okay, let's reverse engineer the situation. What do you need to have in place before and after to manage a breach?'
"That's when we talk about putting in place a proper risk and incident response plan, an appropriate Business Continuity plan. Cybersecurity is about how to cope when your data centre goes down, or your telephone network goes down. If there is a malware attack, make sure you have backups in place because you're only going to lose the most recent data on the network," says Lewis.
That ability to respond effectively to a breach is precisely what Datto offers to the marketplace. It provides comprehensive backup, recovery and business continuity solutions, which it deploys using the SIRIS 3 data protection platform.
If someone falls victim to a ransomware attack, by using SIRIS 3 clients simply revert to the most up-to-date clean backup of their system, thereby circumventing the threat posed by the ransomware attack.
"The end user would see the ransom note pop up and they would be unable to access their files. It's at this point that they would get on the phone to their IT vendor who has a partnership in place with us and they would then look at the most recent backup, check it's clean, and do a full restore.
"This gives clients piece of mind. They know that they have the ability to fully recover from a ransomware attack, or indeed a natural disaster, in a matter of minutes rather than a matter of days or, worse still, not at all," says Carrie Reber, Vice President of Marketing at Datto.
Hackers play the law of averages. They know that if they send out 1,000 emails there are going to be a certain number of companies that end up paying the ransom.
As Reber recalls: "A hospital in California recently paid USD17,000, and there was a similar case of a university in Canada that paid the ransom because they just didn't know what to do.
"Clients of ours using the SIRIS solution via their IT service provider have suffered attacks and simply rolled back to the most recent backup and avoided paying the ransomware altogether. It's a very effective post-breach solution."
Reber concludes by offering the following words of advice: "Think about preventing an attack but equally as important, think about how to recover from an attack. Make sure you have a knowledgeable IT service provider who can be sure to help you recover quickly, and with minimal disruption.
