A white paper from Gravitas provides alternative investment companies with a layered cybersecurity strategy including a six-point framework of actionable steps to address a range of cyber-threats head on.
Gravitas is a co-sourcing platform providing portfolio management and risk analytics, research and analytics, operations and information technology services to the alternative investment industry.
“The evolving cyber-threat landscape and increased regulatory scrutiny have created tremendous pressure for alternative investment firms as they shore up their IT security,” says Patrick Mullevey, executive director of Systems Integration at Gravitas. “Gravitas has constructed a framework for assessing a firm’s cybersecurity awareness, preparedness and resilience to operational threats and regulatory compliance requirements. Our new white paper outlines a six-point action plan to help firms generate procedures and add required technologies to better protect themselves.”
The Gravitas paper – Cybersecurity: How Alternative Investment Companies Manage Operational and Regulatory Risks – recommends that all firms reflect on their existing operations and develop or enhance a cybersecurity strategy designed to protect critical data, systems and applications. The white paper also outlines an initial operational risk assessment that quickly determines a firm’s current level of risk.
A layered cybersecurity strategy rests on the premise that any single point of protection can, and eventually will, be penetrated. A cybersecurity approach can have many layers, but the paper identifies six types of layer on which to focus, each mitigating a distinct category of risk:
1. Physical security: to protect the hardware, networks and data from a material breach, including protection from fire, power failure, disgruntled employees and terrorism;
2. Network security: to protect against risks associated with web browsing and email;
3. Malware: to control downloads and protect against an attack spreading across the firm’s infrastructure;
4. Access control and password management: to control administrative permissions;
5. File monitoring: to cross-check the alignment between access controls, business requirements and an ever-growing file system;
6. Incident response plan: to implement a set of processes and procedures to rapidly discover, acknowledge, compartmentalise, neutralise and eradicate an attack from the environment.