On 22 September, the SEC hit RT Jones Capital Equities Management, a St Louis-based investment adviser, with a USD75k penalty for failing to have adequate cybersecurity policies and procedures in place. That failure left the personally identifiable information of approximately 100,000 individuals, including thousands of the firm's own clients, exposed when the web server it used was hacked in July 2013.
The case has been settled, and whilst the fine itself was modest, the potential damage to the firm's reputation could be significant. The unfortunate reality for investment advisers of all shapes and sizes is that a failure to treat cybersecurity seriously, and to drive a culture of change from senior management down, will lead to many more penalties from the SEC and other global regulators.
Naturally, no fund manager can be bulletproof. Nor should we expect cybersecurity to be reduced to a prescriptive, checklist-style rule; the threat changes too quickly for that.
But that doesn't mean managers can't take proactive steps in response to regulators' expectations, and at least demonstrate that they are taking their cybersecurity responsibilities seriously. Indeed, as the HFSB notes in its recently published cybersecurity memo, the SEC's OCIE published a Risk Alert in September indicating that there would be more testing of firms' procedures and controls, with the protection of customer information as a specific area of focus.
“I think to stay ahead of the regulator the most important thing for any manager is that they’ve taken, and are able to demonstrate to the regulator, a risk-based approach to understanding their cyber exposure. Put simply, that means understanding what assets are of most value and importance to the hedge fund, accepting that there is a potential threat to those assets, and coming up with a series of scenarios that can serve to reveal where they are potentially vulnerable,” comments Matthew Martindale, Director, KPMG’s cybersecurity team.
Once a fund manager has conducted that exercise, the next step is to determine what controls and capabilities are in place to protect and detect, and to respond and recover, should any one of those scenarios materialise. It then becomes a judgement call for each manager as to how much they should be investing in any single control area.
This scenario-based approach to periodically testing a firm's resilience is both a practical and an inclusive exercise that every member of a fund management team can engage in, although, as Martindale stresses, it is important that senior management take the lead.
“A lot of what is coming out of the Bank of England, for example, talks about taking “board-level ownership” for cybersecurity. As long as the senior executives in the business are being briefed and informed, and have gone through a scenario-based exercise with logic and with evidence, this will help draw sensible conclusions as to where a firm should be investing more in cybersecurity; or why they don’t need to because they can evidence that the most valuable assets are being properly risk managed,” says Martindale.
That evidence will be very useful in any dialogue with the regulator. It shows that the manager has understood and assessed its exposure and has prioritised decisions on how to move forward.
Various regulators, such as the SEC, the Central Bank of Ireland and the FSA (with its “Dear CEO” letter), are putting governance and ownership of cyber risk forward as the starting point. Are the fund's board members being briefed? Is there a strategy that has been endorsed from the top down? Only after a fund manager has had that risk-based discussion can it start to build its cybersecurity capability.
Simulation exercises (think of them as “war games”) have already been conducted in the financial sector in both the UK and the US. The most recent in the UK, dubbed Waking Shark II, was run two years ago and overseen by the Bank of England, HM Treasury and the FCA to test the resilience of banks against a number of co-ordinated, simulated cyber-attacks.
Now it is time for fund managers to start doing the same.
“This is a really hot topic in the work that we are doing,” confirms Martindale. “We’re latching on to two things. One is doing a threat assessment, the second is turning that into a desktop-based exercise. We pick a number of different scenarios and run through a series of simulated exercises in real time. We role-play them to see how the client will detect, and more importantly, how they will respond to a cyber attack. It’s got to be hands-on; getting people in a room, producing actionable cyber response plans, being clear on everyone’s roles and responsibilities, in a safe environment.”
The objective is to practise making decisions under uncertainty: you think there has been a breach but you are not 100 per cent sure, you don't know who the attacker is or what their motivations are, and you are not sure whether any data has been taken.
“These are different shades of grey that you don’t necessarily know the answers to, yet you still have to make the right decisions. The art of practising a simulated attack in a controlled way is very beneficial. A number of KPMG’s clients are using that as a mechanism to a) drive awareness and b) to improve their response and recovery capabilities,” states Martindale.
In June 2014, the Bank of England launched CBEST, a penetration testing framework designed to help financial institutions understand the cyber threats they face and how well equipped they are, not merely to detect a breach, but to remain resilient and recover from one. Under it, the BoE will require banking groups to compile a series of key performance indicators that together provide a cybersecurity assessment.
Penetration testing alone, even for fund managers, is not enough and is unlikely to satisfy regulators going forward. On its own, a penetration test only shows whether, and how easily, an attacker can get through the front door. Going a step further, as CBEST does, and running simulation exercises tests what matters once that door has been breached: can the firm detect the intrusion, contain it and recover effectively?
“If I was to predict the future, I can imagine the next phase after technical testing would be to do scenario and stress testing. I think it is something that the regulator would therefore welcome fund managers to be doing,” says Martindale.
Following its cyber breach, RT Jones hired a Chief Information Security Officer (CISO) as part of the SEC’s penalty. “I think that’s a sensible and mature approach. It suggests the SEC are looking to help managers address the source of the problem as opposed to simply hitting them with fines,” concludes Martindale.