Industry Voices

Commentary: Why cybersecurity governance is essential for institutional investors

For institutional investors traditionally concerned about liquidity, management and strong returns, 2019 will be the year a new primary threat comes to light — financial fraud. Cybersecurity attack vectors, including phishing, wire transfer fraud and vendor payment fraud, are more common than ever before. As employees and vendors succumb to manipulation from sophisticated bad actors, they unwittingly share access to private capital and sensitive data at the expense of client trust and corporate reputation.

Fueling the threat of cyberattacks is the common misconception among institutional investors that technology is the lone — or primary — solution to digital threats. A robust technology suite is critically important, but in reality, it's employees and vendors who are the greatest risk factors. Indeed, firms must employ great governance, not just great technology.

To develop effective governance policies and prevent harmful cyberattacks, asset managers and other investment firms must adopt the following best practices:

  • Develop, regularly update and test a comprehensive incident response plan.
  • Implement mandatory risk reviews and stakeholder meetings to discuss relevant updates and recent threat intelligence.
  • Perform regular systems testing to provide assurances that established controls and protocols are working as designed.
  • Engage with vendors to ensure their own security standards comply with critical cybersecurity protocols.
  • Review all relevant local, state and federal cybersecurity and data security legislation, developing relationships with regulatory bodies along the way.

Together, these strategies form a thoughtful and effective governance protocol that better protects firms from the growing onslaught of cyberattacks anticipated in the year ahead.

Developing an incident response plan

Historically, cybersecurity protocols have primarily focused on incident prevention. While prevention is critically important, firms are beginning to recognize there is no bulletproof method to thwart potential attacks, especially as bad actors become increasingly adept at evasion techniques that fool cyberdefenses and mask their attacks. In response, there's been a significant shift toward incident detection and response — Gartner Inc. estimates that enterprise information security budgets will more than double their allocation for rapid detection and response programs over a five-year period ending in 2020. An effective incident response plan is key to effectively protecting sensitive data and assets.

An incident response plan must also be regularly updated and tested to address any changes across data assets, systems, personnel and legal mandates. To ensure accuracy, cybersecurity governance teams will require the active participation of executives across technology, legal, human resources, investor relations, compliance and risk management departments. It is essential that everyone has a seat at the table, shows up and takes their role seriously. Without these pillars of change management, a firm's IR plan can quickly collapse.

Notably, incident response plans should cover:

  • Securing data through necessary patches or fixes, testing for any gaps in the security process simultaneously.
  • Developing an accurate data map, which enables you to quickly detect if financial information, Social Security numbers, medical records and other personal information were exposed.
  • Detailing who is on the incident response team, what their responsibilities are, how the scope of a breach is determined, how to notify clients and investors, how to meet legal and compliance requirements, and how to manage internal and external communications.

Cyberrisk reviews

A cybersecurity program's efficacy is highly correlated to the rigor applied to governance. A core tenet of governance is regular risk reviews and protocol meetings with key stakeholders and executives. Mandating consistent updates, reviews and meetings with senior members of the firm, including C-suite executives, directors, vice presidents and portfolio/hedge fund managers, is critical to this process. These meetings need to be structured with a formal agenda, including post-meeting action and remediation plans so participants can start to see and feel the value and progress being made.

To meet the growing cybersecurity needs at institutional investment firms, consider scheduling risk reviews and cybersecurity updates on a fixed cadence. Hold monthly meetings with key stakeholders at the firm (senior leaders and managers): IT, operations and cybersecurity teams should update senior leaders and managers on risk assessments in progress, data mapping exercises and incident response plans, as well as discuss any budgetary needs or upcoming training sessions across the firm. Also, hold quarterly meetings with the executive team: IT and information security staff should provide executives with a comprehensive brief about any updates to cybersecurity programming and identified risk areas requiring critical oversight. Additionally, there should be a threat intelligence review so that stakeholders understand what cyberthreats their competitors are encountering, with the aim of having technical staff weigh in and discuss the steps the organization needs to execute to shore up its own defenses.

Systems testing

Building on the incident response plan and risk reviews, it's imperative that firms regularly test their cyber protocols to ensure they function in the way they were designed. Even the most mature and sophisticated plans are only effective if they've been sufficiently tested. Neglecting to do so allows potential shortcomings or blind spots to go completely unaddressed, creating vulnerabilities for bad actors to exploit in potential attacks.

In particular, firms should undertake the following tests:

  • Penetration tests — simulated cyberattacks to evaluate security protocols.
  • Phishing tests — assessments to review the ability to recognize and report phishing emails.
  • Vulnerability tests — thorough review of potential cyber weaknesses within the company network.
  • Tabletop exercises — mock IR exercises for key personnel to review their responsibilities in the event of an attack.

Each of these assesses a different part of a firm's cyber preparedness, providing essential assurances that the systems, programs and protocols firms have put in place are effective.

Conducting thorough vendor assessments

For institutional investors, a firm's network is only as secure as the networks of its vendors. The most noteworthy and evocative example of this issue is the Target data breach that transpired in 2013, when bad actors accessed sensitive data through the stolen network credentials of Target's HVAC vendor. According to recent research, 63% of all data breaches start with a vendor's cybersecurity vulnerabilities, but only half (52%) of firms have formal security standards for third parties.

Financial services firms often work with almost 100 vendors — all of which have varying degrees of cyber preparedness and present different degrees of risk depending on the data they access or store. Considering the pronounced risk they present, it is critical that firms categorize vendors accurately based on their risk profile and cyber readiness and, in turn, apply the appropriate level of rigor to each. Some critical vendor security tasks include performing a robust annual vendor assessment, conducting real-time threat analyses and tracking ongoing vendor monitoring, all of which should ascertain each individual vendor's systematic capacity for identifying potential and existing threats, protecting against standard attack vectors, detecting data breaches, responding to attacks and planning for asset recovery.

Understanding the regulatory landscape and incident reporting requirements

If your home or office were burglarized, your first step would be to call the police. But, what if your hedge fund is the victim of a cyberattack? Do you dial 911? The local police department? The FBI? How about the SEC? The fact that this question confounds so many institutional investors is indicative of the importance of proactive planning.

As a result of such confusion, amid other concerns of accountability and reputation damage, cyberattacks are grossly underreported. In fact, the FBI Internet Crime Complaint Center estimates that 10% to 12% of cybercrimes committed in the U.S. are reported each year. Such lackluster reporting emboldens hackers, while precluding firms from gaining the critical threat intelligence they need to curtail major industry threats and vulnerabilities.

These attacks do not happen in a vacuum, and it is essential that institutional investors form partnerships with state and local law enforcement, local FBI and Secret Service field offices, and the SEC before a cyberincident occurs. If relevant authorities are familiar with one's business, and the firm is familiar with their typical approach, this awareness can save critical time during incidents where their support is required. Such relationships also provide another source of cyberthreat intelligence, tapping into resources outside of firm walls to recognize threats and take preventive measures accordingly.

Institutional investors should also consider joining the Financial Services Information Sharing and Analysis Center, which supports cybersecurity teams by sharing insights via conference calls, webinars, summits and interactive training sessions.

Bart McDonough is CEO and founder of Agio, New York, a hybrid cybersecurity and managed IT organization. This content represents the views of the author. It was submitted and edited under Pensions & Investments guidelines, but is not a product of P&I's editorial team.