
Cybersecurity: Hot Topics and Takeaways for Investment Managers

November 26, 2018

Recently published in the Hedge Connection blog (11/15/18), this article is reprinted with permission.

Speakers: Russ Somers (Baker Tilly), Lisa Vioni, moderator (Hedge Connection), Lisa Togneri (Soundlink Partners), Michael Merrigan (Shadmoor Advisors)

What trends and risks are we facing in cyber-attacks and data breaches? How has the regulatory environment changed? Are there actionable themes for success? How do allocators and the due diligence process look at cybersecurity? These questions were addressed by speakers including a cybersecurity expert, an operational due diligence professional and a family office investor during the November 8, 2018 cybersecurity workshop in New York, organized by Baker Tilly and Hedge Connection.

What trends and risks are we facing in cyber-attacks and data breaches?

The financial industry, followed by the healthcare sector, shows the highest level of cyber-attacks, with the majority of breaches perpetrated by outsiders. However, not all breaches stem from outsider activity; approximately 28% involve one or more insiders[1]. The most common type of attack involves phishing (a fraudulent attempt to obtain sensitive information) and spear phishing (a targeted email that appears to come from a trusted source). These phishing messages are used in a few ways:

  1. To directly obtain non-public or confidential information
  2. To obtain credentials to access a system or network with access to non-public or confidential information
  3. To install malware on a machine, system or network

While these attacks still occur thousands of times a day, we as a workforce are becoming more aware and adept at spotting these messages, such that approximately 78% of workers won't click a phishing message all year. Conversely, there is a small percentage of the workforce that will click on every phishing message.[2] Phishing messages are the primary deployment mechanism for malware; approximately 2/3 of malware was installed via malicious email attachments. Of that malware, 39%[3] was ransomware. Ransomware is relatively easy to deploy and monetizes access to your systems and operations rather than the underlying data; meaning, the attackers don't have to take your data, they just have to keep it away from you.

Another source of data breaches is third-party vendors. You can have a solid cybersecurity program, effectively deployed policy, highly functional tools and effective monitoring mechanisms, yet still be significantly exposed by what happens outside your walls. Whether it's cloud "as a Service" providers helping to modernize your network and increase resiliency, third-party transaction processors or even fiduciaries, leveraging specialization and expertise allows us to operate more effectively and focus on the "core" business, but it also gives others access to your data. While that vendor has a responsibility to protect your data, if they get breached and your data is affected, it becomes as much your problem as it is theirs.

How has the regulatory environment changed?

Compliance has become key. Regulators are challenged to outpace potential violators by codifying best practices as technology and opportunities for malicious activity increase exponentially. Frankly, policies and procedures aren't enough. The SEC is cracking down, levying large fines, including in cases where policies existed but execution was absent. Additional layers of regulatory scrutiny and guidance involve FINRA, the SEC, the FTC, the NY Department of Financial Services (NYSDFS Part 500), the General Data Protection Regulation (GDPR) and state-based privacy rules (such as the California Consumer Privacy Act, "CalCPA"). FINRA's key cyber findings in 2017 focus on 6 issues: access management, risk assessments, vendor management, branch offices, segregation of duties, and data loss prevention (DLP). The SEC OCIE has communicated its focus for 2018 exams: access management, risk assessments, vendor management, data loss prevention, training, incident response and governance.

Are there actionable themes for success?

  1. Approach cybersecurity as an enterprise-wide risk management process, not just an IT issue, with involvement from the Board of Directors, executive sponsorship and organizational alignment.
  2. Assess risks related to data inside and outside the organization: identify risks to avoid, accept, mitigate or transfer, and document plans to address each risk.
  3. Allocate adequate staffing and budget for technical expertise and reinforce awareness throughout the organization with effective training.
  4. Prepare for the scenario in which something goes wrong. Being able to respond effectively to an incident will dictate how a security incident or breach is viewed by regulators, investors and the marketplace. Test your incident response plan through tabletop exercises, identify your blind spots and focus on improvement.

How do allocators and the due diligence process look at cybersecurity?

Soundlink Partners, serving as a family office, fund of funds and multi-family consulting business, looks at each manager differently, including within the context of the manager's specific resources and third-party vendors. Infiltration and data protection are considered a key concern that could directly affect the portfolio(s). "Our cybersecurity discussions start at the top, focusing on governance, policies and vendors," noted Lisa Togneri, COO of Soundlink. "In our view, conducting penetration testing and ongoing monitoring are becoming best practices. In addition, we do see some managers with cybersecurity insurance coverage and we're interested to see how this coverage evolves over time," she added.

Shadmoor Advisors, providing operational due diligence services for allocators and institutional investors, looks at managers' cybersecurity deficiencies such as mobile device management and inadequate use (or lack) of dual-factor authentication. Many firms need to tighten the access points on mobile devices to achieve better data protection. "In a bring your own device ('BYOD') to work environment, mobile device management ('MDM') has moved to the forefront of cybersecurity concerns. In terms of mobile devices, the 'sandboxing' or 'containerization' of corporate data within a user's mobile device, laptop encryption, and forced password protection across all mobile devices are certainly best practices to be considered by network administrators," as noted by Shadmoor's Managing Member Michael Merrigan. In addition, he cited a recent Bloomberg News article, "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies," noting the possibility of Chinese espionage as a current risk.

[1] Source (via speaker Russ Somers): Verizon's 2018 Data Breach Investigations Report.

[2] ibid

[3] ibid


© All Rights Reserved. HS Marketing LLC.