Over the last 10 years, organisations have undergone a wholesale change in the way they run their businesses. Thanks to cloud-based platforms, wireless Internet, and the proliferation of desktop and mobile device applications, the perimeter of most businesses has moved beyond the four walls of their office. This has revolutionised the way people work: no longer tied to their desks they can be equally as effective aboard an aircraft or sitting next to the beach on vacation.
Data has become instant. Accessible.
Of course, this has placed huge demands on IT managers who must now control the security of their networks – and the flow of data within that network – on a much wider scale, as firms expand their global footprint.
To cope with this cyber revolution, hedge funds should think about building smart information sharing policies, according to Richard Anstey, CTO for Intralinks (EMEA).
As Anstey writes in his latest blog*: Data loss can be attributed to IT struggling to manage users’ sharing habits outside of the organisation. In the past, when things were held behind the firewall, IT departments knew what their internal systems were and where people were sharing data. Nowadays, we are at a point where cloud file sync and share (FSS) services have made their way into many businesses from the consumer world, causing challenges for IT and compliance staff alike.
There is still an over-reliance on transmitting data via email, and that is a real challenge that needs to be addressed. There are technologies today that can, in a relatively friction-free way, provide a much more secure means of information transmission than a standard email system.
“Information Rights Management (IRM) is one such technology that we recommend for the transmission of secure information between parties. It can still be facilitated and notified by email but the actual delivery of information needs to be protected properly,” says Anstey.
For example, if a laptop gets left on the train, IRM enables the end user to put steps in place to prevent someone from accessing the data to print it out, or to prevent photographing of the screen by using watermarks.
Moreover, IRM technology allows the end user to remotely revoke access to the data at some later date. It is, says Anstey, like having an electronic version of a paper shredder.
The importance of getting off email and moving to something more sophisticated that facilitates greater control and management of data – and which effectively mirrors the digital world we live in today – is not to be underestimated. But for managers to embrace change, the message about using cloud platforms to migrate to a more secure information-sharing environment still needs to be disseminated, and its benefits explained.
Intralinks Fundspace makes it easy to set up permission structures and create a safe space for collaboration and sharing information with third parties and investors. Using IRM technology, the fund manager is able to fully control the lifecycle of any information it shares on the platform, including triggering its destruction at some later point.
This is likely to become an increasingly important tool for hedge funds, given the level of data transparency and reporting being asked for by institutional investors. Managers face a “Catch 22” situation: To what extent should they share information without giving away their secret sauce? And if they do share information, how do they ensure it doesn’t fall into the wrong hands?
“Your investor today might not be your investor tomorrow. As such, managers need to have the ability to withdraw access to content that has already been downloaded; that’s a powerful weapon to have, given the changing nature of the market.”
IRM technology can also aid managers in building an electronic audit trail, such that if a data breach were to occur, they would be able to demonstrate to regulators not only that they had proper internal policies and data governance controls in place, but that they put them into action and they worked.
Anstey confirms that every access to information on Intralinks Fundspace can be recorded.
“We can generate data on who did what and when. Who commented on what? At what time did they open the document? Investors can be quite fickle and if there’s any suggestion that a firm isn’t taking the necessary steps to protect personal data or is not security conscious, they can always go somewhere else. So reputational damage is absolutely something that managers should be worried about when it comes to having the right security posture,” comments Anstey.
In a recent survey by the North American Securities Administrators Association, it was discovered that only four per cent of small- to mid-sized registered investment advisors were aware that they had suffered a security breach. This doesn’t mean that hedge funds are wilfully neglecting the integrity of their systems; but what it does suggest is that by using internal homespun systems to run their hedge fund operations and distribute content, managers are blind to the potential cyber risks that exist today.
Advanced tools, such as intrusion detection systems, although not a panacea, are at least used by cloud providers who have the scale and resources to invest in such areas. This avoids managers having to incur substantial capital outlay. They get access to IDS, next-generation firewalls, etc., to better protect a fund’s sensitive information (personally identifiable data, trading algorithms, market research). Moreover, cloud operators have dedicated teams in place whose job is to monitor what is going on in the network and, at the same time, build an audit log.
“Finding the right trusted third party is important. It can also help a lot when it comes to the manager demonstrating that they have the right processes and procedures in place. We get asked to complete audit surveys on a daily basis for our customers, which include many of the large banking groups. They are under regulatory pressure and this will continue to trickle down to smaller hedge funds going forward. We’re used to helping people deal with these issues on a much larger scale,” says Anstey.
Not that managers should merely abdicate their responsibility when using outsourced providers. This is something that the UK financial regulator, the FCA, was keen to stress last year in its “Dear CEO” white paper, when it raised resilience risk and oversight risk as two key areas of responsibility for fund managers.
Regardless of who hedge funds decide to turn to as they shore up their cyber-risk programmes, there needs to be an open willingness by the appointed vendor to allow managers to put their heads under the bonnet and perform periodic risk assessments. This is good practice and demonstrates a serious level of compliance to end investors. Intralinks has a 20-year heritage and has seen USD 28 trillion of business on its platform.
“Thanks to that heritage, we’ve built up an expertise to help our customers. Up until now, this hasn’t been required at smaller firms like hedge funds – but we can see that coming down the road. The SEC is moving in that direction and it is going to be tough for managers to demonstrate the necessary level of compliance on their own,” suggests Anstey.
The conversation then turns back to the issue of content management and distribution. As mentioned above, the perimeter of today’s organisations has expanded beyond the four walls of their building into cyber space.
Everyone carries computers inside their mobile phones. There’s so much work done beyond the physical boundaries of the network that it no longer makes sense to think of the physical network as the container for content.
Beyond the four walls of the hedge fund, one can extend the perimeter to secure data centres, but what level of expertise would a hedge fund have in understanding these? How would they know what to look for from a security perspective unless they had a Chief Information Security Officer (CISO) or a Chief Technology Officer (CTO) in the firm?
In Anstey’s view, the perimeter of the organisation can be – and indeed needs to be – extended right down to the information itself.
“We use a strapline, ‘Content is the new perimeter’,” says Anstey. “What we are effectively saying is that you can take data and wrap it in its own protective shell that travels with that data throughout its lifecycle. Whenever anybody is trying to read the document, the shell checks who they are and whether they have permission to view that document.
“That’s why we are investing so heavily in IRM; we believe that the future for protecting information is right at source.”
One of the biggest considerations when appointing an external service provider is recognising that the manager is effectively trusting that service provider to safeguard their information. It’s a significant responsibility. A cloud platform will necessarily use encryption algorithms to secure that information; however, because those encryption keys are held by the platform, there is a theoretical risk that if they were to be compromised, that information would be at risk.
“We have a multitude of processes to mitigate that risk. Every file has an encryption key. That said, our current focus of innovation is to give customers control of the encryption. In this scenario, we won’t hold the encryption keys ourselves. Rather, we will ask each customer in a millisecond timeframe what the key is to decrypt the information and then share it with another requested third party.
“So what we are basically doing is giving control of the encryption to our customers. The way I explain it is, in a physical environment one always has peace of mind that in a worst-case scenario one can simply pull the plug out of the wall. We are offering precisely that same level of comfort. Even though customers are getting all the advantages of operating within a SaaS environment, by giving them control of the encryption keys we are, in a cyber sense, giving them the ability to pull the plug out of the socket,” explains Anstey.
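The two ideas Anstey describes above – a protective shell that checks who is opening a document and whether they still have permission, and encryption keys held by the customer rather than the platform, with revocation and destruction on demand – can be sketched as a small key-release model. This is an added example, not Intralinks or Fundspace code; the `CustomerKeyService` class, the envelope layout and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()  # domain-separated subkeys

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so this runs on stdlib alone; use AES-GCM for real.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class CustomerKeyService:
    # Hypothetical customer-run key store: one key per file, released only to still-granted principals; every event audited.
    def __init__(self):
        self.keys, self.grants, self.audit = {}, {}, []
    def new_file_key(self, file_id, allowed):
        self.keys[file_id] = secrets.token_bytes(32)
        self.grants[file_id] = set(allowed)
        return self.keys[file_id]
    def revoke(self, file_id, who):  # withdraw access that was already granted
        self.grants[file_id].discard(who)
        self.audit.append(("revoke", file_id, who))
    def destroy(self, file_id):  # "pull the plug": stored ciphertext is now unreadable
        self.keys.pop(file_id, None)
        self.grants.pop(file_id, None)
        self.audit.append(("destroy", file_id))
    def request_key(self, file_id, who):
        ok = who in self.grants.get(file_id, ())
        self.audit.append(("open", file_id, who, "granted" if ok else "denied"))
        return self.keys[file_id] if ok else None

def seal(ks, file_id, plaintext, allowed):
    # Wrap the content in its "shell": encrypt-then-MAC under a per-file key.
    master = ks.new_file_key(file_id, allowed)
    nonce = secrets.token_bytes(12)
    ct = keystream_xor(derive(master, b"enc"), nonce, plaintext)
    tag = hmac.new(derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"file_id": file_id, "nonce": nonce, "ct": ct, "tag": tag}

def open_sealed(ks, env, who):
    # The shell asks the customer's key service who is opening it: no key, no content.
    master = ks.request_key(env["file_id"], who)
    if master is None:
        return None
    expect = hmac.new(derive(master, b"mac"), env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, env["tag"]):
        return None  # tampered or mismatched envelope
    return keystream_xor(derive(master, b"enc"), env["nonce"], env["ct"])
```

Because the platform in this model stores only the sealed envelope, the customer can cut off an investor (`revoke`) or the whole file (`destroy`) without touching any copy that has already been downloaded, and the audit list records who asked to open what and whether they were allowed.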
With cyber security presenting a potential reputational risk to managers, the mercury is rising in terms of embracing robust information-sharing policies.