The potential for cyberattacks is front of mind at the Securities and Exchange Commission, which has put fund managers on high alert to shore up any deficiencies in their data security technology and procedures. The securities watchdog says it will review the cybersecurity work of investment management firms, namely mutual funds and hedge funds, and their advisors during its 2014 annual exams.
Apparently, the SEC doesn't think asset managers are prepared to treat cybersecurity as one of the key operational risks they face. While they may spend much of their time addressing investment and counterparty risk to ensure high returns, cybersecurity is still low on the totem pole, giving criminals plenty of leeway.
A telephone survey of 20 US fund management shops conducted by FinOps Report last week shows that IT, compliance and operations staffers are now quickly teaming up to devise and test game plans for combating cyberattacks and for responding to them should one succeed, the worst-case scenario.
All of the shops tell FinOps they have created cybersecurity SWAT teams to address two common threats: malware that enters through downloaded emails or files, and unauthorized access, by an insider or an outsider, to a data application.
While the SEC insists it was already planning greater scrutiny of cybersecurity at fund managers, the data breach at Target and other well-known US retailers likely put those plans into high gear. In late December Target conceded that information on over forty million customers was compromised when hackers made their way into platforms managed through an undisclosed third-party vendor. Just one month later, the SEC announced its focus on cybersecurity as one of numerous items on its watchlist of how asset managers must prove their operational soundness.
“Making it difficult for fund managers to prepare is that the SEC has not clearly defined what it is looking for in its exams,” explains Steve Schoener, vice president of technology at Eze Castle Integration, a Boston-based firm specializing in technology work for alternative fund managers. “However, at a minimum, the SEC will want fund managers to show they have policies in place to detect and prevent cyberattacks from happening, and an action plan of what to do when they occur.”
Fund managers are apparently far more concerned with setting up an overall security program than with what technology to buy. Information technology, compliance and operations specialists each have their own perspective on what should be done, so agreeing on a game plan is turning into an exercise in group dynamics. With so many constituents holding conflicting views at the same table, it's a wonder anything gets done.
“We need to spend our time upgrading software and hardware and conducting more testing,” says one IT specialist at a fund management shop. Yet the compliance director of the same firm insists that it has spent plenty on data protection and should concentrate its efforts on proving its capabilities. “Documentation is critical to getting through an SEC exam,” says the compliance specialist. “We haven’t completed that paperwork yet because it wasn’t necessary.”
Some fund managers have incorporated their procedures into broader disaster-recovery plans. But those preparations focus primarily on restoring data temporarily lost or inaccessible during external disasters, such as terrorist attacks or inclement weather. Dealing with data breaches appears to be an afterthought.
What do operations directors have to say? “We’re often the last ones consulted on any decisions the IT and compliance experts make, but the ones who are the most knowledgeable on where the data security weaknesses exist,” insists one vice president of operations at a New York fund management shop. His stance was shared by all of the other operations specialists who spoke with FinOps on condition of anonymity.
Fund management firms can ill afford to fall captive to such internal dissent, say Schoener and other third-party IT specialists. They must get their houses in order quickly or risk reputational and financial damage, whether in regulatory fines or in making investors whole.
Here are five basic steps asset managers can take which will go a long way toward satisfying SEC examiners. They will naturally require IT, compliance and operations specialists to put aside their differences for the greater good.
Check readiness: Cyber-savvy organizations know they must adopt a more active stance against attacks. Analyzing what types of data are stored at the fund management firm or at external providers, how the data is transferred, how it is accessed and how it is downloaded is critical to coming up with a game plan.
Then comes the actual simulation of an intrusion to determine how much damage could be done to trading systems, customer data, and information on transactions and positions. Such a vulnerability assessment and penetration test is typically executed by a third-party security firm to identify areas ripe for breaches and to evaluate whether existing precautions would have effectively defended against the attacks or allowed access.
Operations specialists tell FinOps Report that they want to set the stage by mapping all of the firm’s data storage and retrieval capabilities; IT specialists, they say, should actually test those capabilities; and compliance specialists need to document the results to prove the firm tested its preparedness. Only then can decisions be made on what is needed to prepare: any additional technology spend, installation and procedures.
Create response policy: The traditional hierarchical structure doesn’t work when it comes to handling cyberattacks, because it is far too slow to make quick decisions. Asset managers need to determine who will be responsible for handling each type of intrusion, what immediate steps will be necessary to minimize the damage, and when the internal legal department and external regulators must be brought into the picture.
Such a playbook, says Schoener, must include a living document that supplements the firm’s disaster recovery plans. The document, otherwise known as an incident response plan, should define the internal team, including the human resources, client service and business continuity planning officials who must be contacted in the event of a data breach. It also needs to list the public relations staff, vendors and law enforcement officials who must be alerted if the attack can’t be contained.
Schoener and other IT experts who spoke with FinOps Report recommend that investment firms designate a chief information security officer (CISO) to be responsible for maintaining the incident response plan and ensuring its execution should a data breach occur. In many cases, the CISO role will fall to the chief operating officer, chief financial officer or chief compliance officer. IT experts might know a lot more about data security, but clearly don’t want to take on the thankless task of ensuring compliance with internal procedures. The reason: they likely don’t have the clout to pull it off.
Establish disclosure procedures: This could be the hardest part of a cybersecurity program. Just how much information should be revealed to which organization, who should reveal it and when is generating a heated debate among IT, compliance and legal departments. IT and compliance executives might opt to disclose as little as possible, while legal departments will want more disclosed to ensure transparency.
As a rule of thumb, regulators and investors should always be notified when an actual data breach, rather than an attempted one, occurs. Of course, that raises the question of whether both should be told exactly the same information, and respondents to FinOps’ survey couldn’t agree.
Hire knowledgeable help: Whether an organization uses internal or external resources, data security experts say two types of specialists need to be part of the discussion: IT experts to implement controls and security systems, and threat intelligence experts to explain where the risks lie. “While a CTO may be well versed in security, having outside experts test the firm’s security posture and review the safeguards in place adds another layer of security and can help identify unknown threats,” says Schoener. “We are seeing an increasing number of investment firms contract with third party security firms to conduct external vulnerability and penetration assessments, analyze the findings and provide recommendations.”
Such specialists, say respondents to FinOps’ survey, should report not only to an asset manager’s chief technology officer and chief executive officer but also to the board of directors. Asset managers should consider whether to include a cyber-risk expert on the board and even assign a committee to address cybersecurity risk by determining whether outsourced providers and contractors have controls and policies in place that align with the company’s expectations. Also critical is evaluating the company’s cyber-education program.
Develop cybersecurity policy from the top: Chief executive officers need to come to grips with the threat of a cyberattack and set the tone for preparedness. Technologists, compliance and operations specialists can’t create policies and procedures on their own and then expect them to be enforced by the CEO after the fact, respondents to FinOps’ survey agreed.
The reason: the asset management firm will be far more successful in countering cybersecurity risks if the CEO sets the no-nonsense tone of a cybersecurity culture as a means of mitigating legal and financial risk. One way to do so is to send out frequent memos about strong passwords, authentication procedures and restrictions on data access. Another is to require employees to contact the IT, compliance and operations departments when they encounter a suspicious email or are asked by a colleague to share a password.
Former National Security Agency contractor Edward Snowden reportedly gained access to the US agency’s vast database of sensitive information by asking colleagues for their passwords, which he then copied. It is unclear whether the colleagues understood the ramifications of their actions, and Snowden has publicly denied the NSA’s claims. Still, asset managers consulted by FinOps say they are worried that such sharing is far more commonplace than they would like.
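Password sharing of the kind described above usually leaves a trace in authentication logs: one account logging in from two different workstations within minutes of each other. The Python script below, added here as an illustration and not part of the FinOps report or any vendor's product, flags that pattern in a constructed sample log. The log format, user names, host names and the ten-minute window are all assumptions made for the example; a real deployment would map directory, VPN or trading-platform logs onto the same (timestamp, user, host) fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for this example; not taken from any
# real system. Each line is: <ISO timestamp> user=<account> host=<workstation> result=<success|failure>
SAMPLE_LOG = """\
2014-02-03T09:01:12Z user=jsmith host=WS-104 result=success
2014-02-03T09:02:40Z user=jsmith host=WS-211 result=success
2014-02-03T09:03:05Z user=apatel host=WS-077 result=success
2014-02-03T09:15:30Z user=jsmith host=WS-104 result=success
2014-02-03T10:45:00Z user=apatel host=WS-077 result=failure
2014-02-03T11:00:00Z user=apatel host=WS-301 result=success
2014-02-03T13:30:00Z user=rlee host=WS-150 result=success
2014-02-03T13:31:00Z user=rlee host=WS-150 result=success
"""

# Assumed line layout; adjust the pattern to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return time-sorted (timestamp, user, host) tuples for successful logins.

    Failed attempts are dropped: a failure from a second host is a different
    signal (guessing) and would only add noise to the sharing check.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("result") != "success":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("user"), m.group("host")))
    return sorted(events)


def find_shared_credentials(text, window_minutes=10):
    """Flag accounts that authenticate from two or more distinct hosts
    within any window of `window_minutes`.

    Returns {user: sorted list of hosts seen in such a window}; an empty
    dict means no account tripped the check.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, host in parse_log(text):
        by_user[user].append((ts, host))

    flagged = {}
    for user, logins in by_user.items():
        suspicious_hosts = set()
        start = 0
        # Two-pointer sliding window over the time-sorted logins for this user.
        for end in range(len(logins)):
            while logins[end][0] - logins[start][0] > window:
                start += 1
            hosts = {h for _, h in logins[start:end + 1]}
            if len(hosts) >= 2:
                suspicious_hosts |= hosts
        if suspicious_hosts:
            flagged[user] = sorted(suspicious_hosts)
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_credentials(SAMPLE_LOG).items():
        print(f"possible credential sharing: {user} seen on {', '.join(hosts)}")
```

On the sample data only jsmith is flagged: the account is used on WS-104 and WS-211 ninety seconds apart, while apatel's two hosts are almost two hours apart and rlee never leaves WS-150. Widening the window to a few hours would also flag apatel, which is why the window is a tuning knob rather than a fixed rule. Treat a hit as a triage signal, not proof: virtual desktops, hot-desking and a user who genuinely moves between two machines produce the same pattern, so the follow-up is a call to the account owner, which is exactly the "tell IT when a colleague asks for your password" culture the section describes.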
At the very least, it is clear that cybersecurity is no longer a part-time IT job. Fund managers can no longer afford to be anything less than 100 percent vigilant.