Digital Assets Report



SEC guidance on cybersecurity


Cybercrime could extract up to 20 per cent of the global economic value created by the Internet through fraud and espionage, according to the Centre for Strategic and International Studies. Following last year's Cyber-Security Risk Alert, the SEC's Division of Investment Management released guidance this April to help investment managers prevent external attacks. 

"The guidance can be boiled down into three key areas of recommendation: assessment, strategy and implementation," says Bob Guilbert, Managing Director at Eze Castle Integration, the leading provider of IT solutions and private cloud services to more than 650 global alternative fund managers. 

Guilbert outlines the first area that managers should focus on: assessment. "The SEC has identified five areas that should be addressed on a periodic basis. Those five areas are:

• The nature and sensitivity of confidential information: Where is it located, how is it used, what systems are used by it? This could include investor and employee personal information, as well as fund information and company financials.

• The cybersecurity landscape: It is ever-changing and managers need to ask: What are the current threats? What are the firm's specific vulnerabilities within that changing landscape? As part of that, Eze Castle Integration recommends a technical policy assessment to identify areas for improvement.

• Security controls and processes: Firms should review access control policies, specifically looking at which employees have access to what information, etc.

• Impact: What type of impact would your firm potentially see were there to be a security breach? 

• The effectiveness of a firm's governance programme in terms of managing cybersecurity risk: In other words, who is responsible for managing the security risks? Does the firm have a Chief Information Security Officer (CISO) in place? Or an incident response team?" explains Guilbert.

For the second area of focus – cybersecurity strategy – again there are five key considerations: 

• Access controls: systems with identification and authorisation methods, together with firewalls and perimeter defences. "This is about employing layers of security across all aspects of the firm's technology," says Guilbert. "For example, putting in place authentication limits to control who has access to what information and validating how people access third party data sources."

• Data encryption: determining where and when encryption systems should be used (e.g. should mobile devices be encrypted?).

• Removable storage media: firms should have a lockdown strategy to prevent the copying and transfer of confidential or critical files in or out of the organisation.

• Backup and retrieval: "What strategy does the firm have to recover and access backup files? How often are backup tests performed? Who is responsible for managing this process?" adds Guilbert. 

• Incident response plans: Establish guidelines to respond to a particular security incident and outline who is responsible for managing the response process.

"The third area of guidance is implementation, specifically having proper policies and procedures in place," notes Guilbert. "The biggest takeaway here is that managers need to have a Written Information Security Plan (WISP) and employee cybersecurity training practices in place. The WISP should be in place to protect a hedge fund's confidential information and uphold the integrity of that information. It should be reviewed periodically and shared with investors when requested."

