Intralinks’ Todd Partridge (pictured) advises a multi-pillar approach to guard against cyber attack.
In light of high-profile hacking events, where the likes of JP Morgan, Home Depot, and, most notably, Sony suffered significant losses of information, it is incumbent upon organisations to think more holistically about governance. Enterprise must put in place a security framework that incorporates people, processes, and technology.
This is especially important for hedge fund managers, who share sensitive portfolio and investor information with various counterparties across external networks. These data-transfer channels are potential weak points for hackers to exploit.
Todd Partridge (pictured) is an executive at Intralinks and thought leader in the cybersecurity realm. The governance framework referred to above forms one of four pillars of secure enterprise collaboration that Intralinks incorporates into everything they do. Briefly, the three other pillars, which Partridge describes in his recent blog (Better Safe than Sony’d: 4 Pillars for Secure Collaboration), are:
• Sharing Process Control: This focuses on how clients control information access.
• Content Lifecycle Control: This centers on defining capabilities needed for organisations to control content, from creation through to how it is shared.
• Technology Infrastructure Security: After the information sharing rules have been implemented, a service provider has been selected, and a solution has been implemented, the organisation must ensure that all facets of that solution remain secure.
In Partridge’s view, one of the biggest threats to hedge funds right now is mobile attacks.
“The increased desire of employees to be mobile,” says Partridge, “and accessing data on various mobile devices, represents an area of cyber security that lots of businesses are at risk from: How are they managing mobile devices? How are they managing access to important information on those devices?”
More on that last question shortly.
Another area of increased attacks, and one that largely explains the high-profile breaches referred to at the top of this article, is that of hackers exploiting weak links within organisations.
As Partridge points out, the resulting investigations into those attacks revealed that the weak link was employees, consultants, or other outside entities who had previously been granted access to the corporate networks. This is something that hedge fund managers, who add and remove counterparty relationships throughout a fund’s lifecycle, need to be mindful of; failing to update network access controls and remove old users on a regular basis could lead to an unwanted security breach.
“These types of issues – use of mobile devices, potential weak links within the system, use of consumer grade tools – are becoming more important and firms need to have the right safeguards in place,” explains Partridge.
“What we try to do with Intralinks Fundspace™, and encourage our clients to do, is take a four-pillar approach to secure collaboration. Our premise is that organisations need to find safe tools and safe ways to share information outside of their organisation. To do that, one has to put in place a plan that addresses all four pillars: enterprise governance, sharing process, content lifecycle management, and technology and infrastructure security that holds all that information.”
Every innovation that Intralinks develops is done so by addressing all four pillars.
Let’s say a hedge fund is going through a re-certification process with an auditor (or any other key service provider). Regardless of how complex that process may be for the fund, Fundspace is able to provide all the compliance data and resultant reporting needed for the CEO or COO to know that they are fully compliant at any point in time.
“They can access this report and see for every single exchange of information who those parties are. That’s what we mean by enterprise governance. Our platform provides the compliance reports managers need to stay in compliance,” says Partridge.
Fundspace is a vertically focused collaboration application that runs on the Intralinks platform specifically to allow fund managers to share sensitive information about their funds. Approximately 14 of the 25 largest hedge funds use the platform to interact with investors and share files, safe in the knowledge that there is a full audit trail.
“We provide a high level of security around customer and fund-specific data that is going to be shared on the platform. Managers can review fund marketing materials prior to going on the platform and have granular control over whether or not people (i.e. investors) can view content online. Maybe they are allowed to download it. Maybe not. We implement rights management capabilities as well, meaning that even if a manager provides someone with the ability to download a fund prospectus, our security technology stays with it.
“At any time, the fund manager can un-share that data and shut it down from anywhere in the world, if needed,” notes Partridge.
As mentioned, mobile device attacks present a serious threat to hedge funds. Intralinks has responded to this by increasing mobile security measures on the platform. One of these measures is device pinning. If an Intralinks user accesses data remotely, the organisation can control what mobile devices can be used.
“You can put in place unique PIN codes for each mobile device, which adds another layer of security to make sure you are validating the identity of the user(s) before they are authenticated by the system,” says Partridge.
Through a programme called Enterprise Fabric, Intralinks is establishing technology partnerships with best-of-breed vendors in mobile security. The most recent was with a firm called MobileIron, a mobile device management vendor. MobileIron acts as a protective shell for users who have the Intralinks SecureMobile application on their iPad, for example.
A hedge fund’s IT team knows that all the Intralinks applications, like Fundspace, are running inside MobileIron. If, for any reason, they need to wipe that data off the device, they can do so without impacting personal files. MobileIron gives them the ability, remotely, to shut down access to the data by removing the file(s) entirely.
This is particularly important to maintaining the integrity of a hedge fund’s security network. After all, if an employee leaves their iPad on an aircraft, for example, and it contains sensitive files, the organisation is going to want to ensure that either the data is secure from an access perspective, or, at worst, can be eradicated at the click of a button.
“Our technology can prevent data from being opened. MobileIron goes one step further by wiping the file completely,” explains Partridge.
There are still a large number of firms – hedge funds included – that share information with clients via email. In many ways this is archaic. Anyone who picks up a misplaced mobile device has the potential to easily access confidential information.
A layered approach to security
What Fundspace allows is the ability for fund managers to avoid using email altogether and share information in a secure environment.
The fund manager is then able to control who can access what data. If it’s too sensitive, maybe they’ll decide that prospects can only view their fund information online.
“The next layer is where the fund manager allows prospects to download their fund prospectus. When they do, we have security embedded with the document that controls what a user is able to do with the file once it’s downloaded. Maybe we restrict the user from printing it, or copying and pasting text.
“Layer three is what we call information rights management. For any files that are downloaded, specific permissions are embedded and unknown to the user. We don’t want it to be hard to share information; we just want it to be secure. Every time that file is opened it effectively ‘phones home’ to the Intralinks platform and says ‘Person X is trying to open this file’, which is fine because they have permission to do so when online. If they try to access it offline, they will be prevented from doing so.
“The final layer is that, in the event of leaving the iPad on a plane and someone trying to impersonate the owner, IT staff can immediately revoke access to all necessary files at the click of a button,” explains Partridge.
Add MobileIron on top of this, and one gets a good sense of how secure Intralinks Fundspace has become as managers look to get on top of their security issues.
Take heed of the Sony attack
The Sony attacks that led to enormous swathes of personal data being leaked into the public domain are a stark warning to hedge funds. The consequences of investor information being accessed and used for nefarious purposes would cripple any hedge fund. The financial liability would be manageable; the potential litigious fallout and resultant lawsuits, such as those facing Sony, would not be.
“Sony has already put aside approximately USD15mn to deal with numerous lawsuits that have arisen from the recent hacking incident. Could a small or mid-sized hedge fund manager afford to do that? Can they be sure that USD15mn would not have a material impact on their fund? It’s unlikely,” says Partridge.
One caveat to this is that, should a hedge fund suffer a serious cyber attack, providing evidence of the steps taken to prevent the breach could at least soften the blow and offer some degree of understanding from investors.
“There’s a big difference between an organisation that took steps within their means to protect their clients’ data from being breached versus a company that, for any variety of reasons, did not. It’s something we try to stress with our clients. In a business where you are sharing sensitive information there are tools, such as those we offer on Fundspace, that can mitigate the risk,” says Partridge, adding:
“No one is naïve enough to think that they can’t be breached. There are organisations out there, somewhere, that, if they want to, can dedicate the time and resources to attacking your network and sooner or later they’ll find a weakness, some way in – whether it’s a technology route or, as I mentioned at the top of the article, exploiting the weakest link.”
It is therefore incumbent upon the fund to define its own governance around risk tolerance. What is the most important information it needs to secure, and how often does it audit what is being secured? With that governance structure in place, managers can start to tie together the technology tools that support it.
“They have to first decide on the rules that determine what types of information are allowed to be shared with what types of users – administrators, custodians, etc. Next they can align the technology to support that. Finally, once they’ve aligned the technology to support those rules, they need a compliance policy in place to ensure they are protected.
“Rules. Technology Alignment. Compliance. At a high level, those are the areas to focus on,” says Partridge.
Whether it’s the SEC, FINRA, or another regulatory agency, managers need to demonstrate that any of the information they share doesn’t end up in the wrong hands.
“It used to be enough to have compliance reports that showed access to files. That’s not enough anymore,” concludes Partridge. “Now you need to be able to show who accessed the file and when the system sent out a notification that a new file was in the system. Compliance reports have to deliver a lot more information detailing every electronic communication that occurred on the Intralinks platform for a particular fund.”