Our clients, alternative investment firms, private equity firms, prime brokers and insurance firms, have a specific set of risks that they need to manage, and the order of importance of that list continually shifts.
Top of the risk list is business continuity: making sure you can carry on trading and operating even when incidents occur, that your data is replicated and backed up, and that you have built resilience into your infrastructure, so that if the worst happens and your firm or your providers’ firms are attacked, you can simply switch across to the backup and carry on. To do this, whether your IT is situated on or off site, you need a robust DR and business continuity plan which takes into account each element of your infrastructure, prioritises it in order of importance and outlines what happens if it goes down, for whatever reason. You should know how quickly you need to be up and running again (your recovery time objective) and how much data loss you can tolerate, if any (your recovery point objective). Include outsourced services, and check that your providers’ DR and BC policies are in line with your needs and expectations.
Next on the list should be cybersecurity. Whilst it is already a very high priority for senior managers (74 per cent, according to the Ipsos Mori Cyber Security Breaches Survey published in April 2017), only 33 per cent have a formal policy which covers cybersecurity risks and only 11 per cent have a cyber security incident management plan in place. If you don’t have a plan to deal with attacks, you’re not adequately prepared. The plan should include detailed infrastructure mapping, with weaknesses highlighted and mitigated with appropriate tools. Again, where outsourced services meet in-house systems, ensure these boundaries are not weak spots. The same survey reports that 19 per cent of respondents are worried about their suppliers’ cyber security, but only 13 per cent require suppliers to adhere to specific cyber security standards or best practice. User behaviour is a particular weak spot, with the most common attacks coming in the form of phishing, which opens the door to viruses, spyware and malware, identity theft and ransomware, as happened recently with WannaCry. Users can be protected with software, but this needs to be backed up with robust policies and procedures, regular training and spot testing.
Non-compliance with regulatory requirements also features highly on the list for our clients. Fines can be huge and the damage to a firm’s reputation can be crippling. Check out my other articles on these specific pieces of legislation. Compliance is a tricky business and can require specialist knowledge, so consider using a compliance tool or bringing in expertise from outside.
Volatile markets and political unease are a huge issue, and some firms are looking at moving operations to other countries to spread the risk.
The list could go on; all of these things are interconnected, and each brings fresh risks. The key is to be prepared for anything.