Comment and Analysis: Why cybersecurity suddenly matters
Following the recent high-profile security breaches, including attacks on large retailers initiated through their vendors and the Heartbleed incident, cybersecurity has suddenly become a hot topic. Previously, the focus of keeping fund data confidential was on protecting it from competitors; the dialogue has now broadened to providing assurances that equipment and data are kept safe from all eventualities, and given the multi-client nature of our business, it is critical for service providers to demonstrate complete integrity in this area.
And now the SEC has decided to weigh in. In April the SEC issued a risk alert announcing its intention to conduct sweep examinations to assess registrants' cybersecurity readiness and to gather information about recent cyber experiences and threats.
So for now I would like to focus on the six areas of security that the SEC is particularly interested in.
1. IDENTIFICATION OF RISKS/CYBERSECURITY GOVERNANCE
At the core of a company’s protection from cybersecurity threats is its security policy. This policy should be tailored to the company’s own circumstances, so the first task is to gain an understanding of the company’s cyber-infrastructure by mapping the network resources, connections, data storage and data flows, taking a census of every computer and keeping an inventory of every application used on the network.
Once the security policy is in place, a formal system of governance by an independent security department should demonstrate compliance with the policy and any measures taken to protect the company and its clients from threats.
2. PROTECTION OF FIRM NETWORKS AND INFORMATION
Each company should develop a multi-layered approach to defending its networks and data, designed to prevent penetration, including ongoing checks on its software platforms and applications, ensuring they are kept up to date and are not vulnerable to hackers or malware. The housing of critical servers and client data should be protected by round-the-clock, professional security resources and tested regularly for vulnerabilities.
3. REMOTE CUSTOMER ACCESS AND FUNDS TRANSFER REQUESTS
Access to portals is a critical potential vulnerability that should be protected by the appropriate industry-recognised authentication tests. IDs and passwords should be generated remotely, and controls should be subject to regular penetration tests. Instructions to move funds should be processed in accordance with strict protocols that typically entail dual, hierarchical review and sign-off.
4. RISKS ASSOCIATED WITH VENDORS AND OTHER THIRD PARTIES
Following the data breach at a large US retailer last year, which was initiated through a network vulnerability introduced by a vendor, the security function should perform detailed initial due diligence on vendors’ cybersecurity policies, followed by ongoing reviews. In addition, vendor activities on a company’s network should be monitored to ensure compliance with those policies.
5. DETECTION OF UNAUTHORISED ACTIVITY
Companies should have physical intrusion detection/intrusion prevention systems at all data centres and offices to detect anomalous activity. For their network infrastructure, companies should be able to demonstrate the ability to monitor the network environment for cybersecurity events, as well as for the presence of unauthorised users, connections and software.
6. EXPERIENCES WITH CYBERSECURITY THREATS
Given that each company has its own risk profile, any risk self-assessments should be aligned with that profile to demonstrate how the firm has dealt with its threats and events.
Asset service providers should anticipate a significant increase in requests for information about their security policies and any experiences with cybersecurity threats – and not just from regulators; providing reassurance about the complete integrity of the company’s security policy has become standard business practice.
Published in HFM Week
22nd May 2014