With cyber risks increasing year-on-year, and regulators such as the Securities and Exchange Commission (`SEC') taking an increasingly prominent role in assessing the preparedness of broker-dealers and registered investment advisors, establishing cybersecurity best practices is not only useful; it's a necessity.
Cybersecurity is a complex web and as such there are many areas to consider. The best place for any manager to start is to take a step back and assess the risk of their overall business environment.
"It should be woven into business process and supported by senior management. It should not be relegated as being just an IT issue," says James Tedman, Managing Director, ACA Aponix (Europe). "It's all very well having sound processes but you need to make sure you can evidence that. When it comes to risk assessment, firms should create and manage prioritised issue lists and demonstrate how they are working through these. They should maintain inventories of all devices, and create data maps, so that they can show where data resides and how it flows through the organisation and externally to vendors."
Rather than cybersecurity becoming a Sisyphus-like challenge, managers can partner with outsourced technology specialists who spend their working days keeping on top of this ever-changing landscape. As Mike Asher, CIO, Richard Fleischman & Associates – a leading New York-based outsourced technology consultancy – comments: "Our R&D department is constantly testing new products to determine what is viable and what we should be paying attention to."
"There's no silver bullet solution. But at least managers should make a breach as difficult as possible," adds Grigoriy Milis, chief technology officer at RFA. "If it does occur, they need to know about it as soon as possible. Those are the two goals that we are trying to achieve for our clients, and which any hedge fund should try to accomplish."
At a high level, Milis briefly summarises some of the key components to establishing a solid cybersecurity programme. Firstly, managers are advised to implement next generation firewall solutions "combined with a managed security service that can monitor the intrusion detection aspect of the firewall on a continuous basis".
"Secondly, we recommend a next generation end point solution. End point still remains one of the most unprotected parts of any infrastructure in the hedge fund space. Regular detection rates with antivirus solutions are somewhere in the region of 35%, which is clearly not sufficient," states Milis.
Thirdly, implement a data governance policy. This helps managers to not only identify sensitive information on the company's servers but also shows who has access to that information; that can be an invaluable tool if they need to determine the extent of a cybersecurity breach event.
"We also recommend encryption solutions as the last line of defence to protect the most sensitive information in the company," adds Milis.
Data management & data fraud
One of the best lines of defence in any cybersecurity programme is establishing a robust data management solution. Cybersecurity does not simply mean nefarious forces trying to infiltrate the network; it is also about data loss within the firm, which represents a significant reputational risk.
Hedge funds are unique in that they transfer data to multiple sources – their prime brokers, their fund administrators, etc – and as such it becomes a difficult task to keep track of that data and guard against data fraud or internal failings. "It's important for hedge funds to understand exactly what data their service providers have access to, how and where this is stored, and how it is secured. That's vital," stresses Tedman.
Richard Anstey is CTO at Intralinks (EMEA). He points out that there is still an over-reliance on transmitting data via email and is an issue that needs addressing. There are technologies out there that can, in a relatively friction-free way, provide a more secure means of information transmission.
"Information Rights Management (IRM) is one such technology that we recommend for the transmission of any kind of secure information between parties," says Anstey. "It can still be facilitated and notified by email but the actual delivery of data is secure. With IRM steps can be put in place to make it difficult for someone to print out information or photograph the screen by using watermarks in documentation.
"Moreover, you can remotely revoke access to the data at some later date. It's like having an electronic remote version of a paper shredder. You can destroy data that you've shared with someone that you think is no longer relevant using IRM technology."
Vendor appraisal
Vendors are often the firm's weakest link when it comes to cyber risk. Firms should take heed of the FCA's "Dear CEO" paper, which was released last year and apply a robust vendor management programme as part of cybersecurity management.
Not all hedge funds have sufficient visibility of processes within the vendors they partner with. SOC 2 and ISO 27001 are all perfectly valid certifications that are hard to earn "but we recommend to our clients that they go beyond that. They should build a clear understanding of the vendor, their process, people, and be comfortable that policies are being followed in practice," comments Tedman.
In other words, managers shouldn't take blind faith that their vendors – and this includes their key service providers such as prime brokers – are doing all that they can to uphold the security and integrity of a fund's data. Rather than take their word for it, managers should seek independent verification.
"One telling statistic is that 69 per cent of breaches are detected by an external party (Mandiant M-Trends 2015). This highlights the value of an independent audit – you can't check your own homework. It does not mean that the IT team or service provider is doing a bad job, it's just that an extra set of eyes gives independence and avoids conflict of interest," says Tedman, adding:
"Reviews should be undertaken at least annually and the questions that you ask of your vendors should be tailored to the role that they play and the data that they are privy to. Use searching questions that avoid simple Yes or No answers."
RFA's Asher points out that prime brokers are working hard to identify the weakest links and establish secure communications with all their clients; partly because many have been breached already, partly because they do not want to suffer any further reputational damage.
"They are providing alternative asset managers with helpful questionnaires that can be shared with their vendors to make sure they are compliant with SEC guidelines, as well as providing guidance on what firms need to do to secure themselves to an acceptable baseline level," says Asher.
Bob Guilbert is Managing Director at Eze Castle Integration. In his opinion, the vetting of third party vendors is becoming essential; not only as best practice, but also because investors themselves want to know what business continuity plans and incident response plans these vendors have in place.
"Investors are getting a lot more savvy and asking detailed questions to ensure that the end providers themselves have the proper cybersecurity plans in place as well as the manager.
Asking questions on BCPs, etc, should become a thorough part of a manager's own due diligence process when selecting their service providers. Thereafter, the manager should conduct annual due diligence checks. We advocate going to visit them in person. For example, we use top-tier data centres for the protection of the Eze Private Cloud and we encourage clients to go and visit one as part of their annual periodic review.
"We ourselves are constantly making adjustments to respond to this changing landscape. The funds themselves should be asking for updated BCPs and updated WISPs, to reflect this changing landscape," comments Guilbert.
Written policies
Establishing cybersecurity best practices should not only be about prevention from external threats but having the necessary internal policies and procedures to recover from a breach attack. This should not be confined to the minds of the CTO or senior IT staff; rather, firms should look to build out an incident response plan.
In a white paper written by Capital Support Limited in May 2015 entitled Cybersecurity Threats and Vulnerabilities, they point out that an IR plan should include the following six components:
• Incident classification
• Data classification
• Performance targets
• Operating models
• Identify weaknesses
• Tools and guidelines.
Asher states that confusion arises within hedge funds when it comes to understanding what needs to be done when a breach occurs and how it should fall into the manager's overall business continuity plan (BCP).
"There's no hesitation invoking a disaster recovery component when there's a technology issue i.e. a power outage. It's a well-defined practice. But reporting a cybersecurity breach to a third party vendor that might then be required to relay information during a regulatory investigation means that there is still hesitation. It is uncharted territory and that's where the confusion stems from.
"It's an educational process from our end, explaining what needs to be included as part of a comprehensive business continuity plan that is actionable and allows the manager to proceed with their operations even if a breach is detected," says Asher.
One document that is becoming an important tool is the Written Information Security Plan (WISP). As Guilbert explains: "The WISP covers both administrative and technical safeguards as well as the incident response plan, third party risk assessments and employee guidelines. It allows us to look through all facets of a hedge fund manager's operations, from a cybersecurity perspective.
"The WISP should be periodically reviewed and shared with investors when requested."
Recently, the SEC found that 83 per cent of advisors have adopted a WISP but Tedman warns that not all of them pass muster. Typically, he says, there is minimal data governance, the incident response plan is weak or non-existent, and all too often the WISP template has simply been lifted off the internet.
"Policies should be specific to the organisation and based upon a deep understanding of the environment such that they are practical and demonstrable as well.
"They should, in short, reflect the culture of the firm. Going forward we expect to see much more interrogation of security processes with regulators looking for clear evidence that firms are adhering to best practices, not just asking them whether they are or not," says Tedman.
Staff training
The majority of cybersecurity issues that arise are preventable and typically result from human error. As such, training and educating staff are an obvious way to mitigating this risk. As Guilbert states, the first line of defence is "preparedness, awareness and education".
"It's the concept of having multiple locks on the door to dissuade potential cyber hackers. We are seeing more attacks happening at the individual level through phishing attacks and targeted phone calls. Padlocking the door means properly educating employees as to who is responsible for validating emails, using tools to validate email links, looking at phishing attempts and teaching sound practices on avoiding social engineering techniques," says Guilbert.
Anstey points out that one of the strengths of information rights management is that it means managers have a technology solution in place that help them to recover from accidental data loss. "The advantage of IRM is that you retain control even after the content has left the organisation," says Anstey.
Tedman says that staff training is a major issue, noting that the vast majority of attacks involve some form of phishing or social engineering as this is the easiest route into an organisation.
"Building staff awareness of cybersecurity threats and educating them on best practices is extremely important and will substantially reduce a firm's vulnerability to attack. As part of our process we run employee training sessions and phishing tests. In the phishing tests we undertake with our clients, we are typically able to harvest around 40 per cent of the user's credentials and gain access to email or the file system."
By thinking about some of the above considerations managers will better understand their threat matrix and be able to create solutions to address the most likely attack scenario.
As Milis concludes: "It's being cognisant that the landscape is changing and the need to take proactive measures to stay protected."
