It is a near certainty that a security breach will occur at some point at every asset management firm, according to Steve Schoener, vice president of technology at Eze Castle Integration. However, with careful preparation, firms can take control over how damaging that breach may be. FINalternatives recently spoke with Schoener about the biggest cybersecurity threats facing hedge fund firms, and how they can steel themselves against them.
What are the biggest technological challenges facing fund managers?
There’s really a shifting mindset throughout the hedge fund industry as far as technology is concerned. In the past, fund managers have maintained focus on keeping productivity high, keeping operations simple and concentrating on managing money – after all, that’s the primary goal. But in today’s world, technology has come to play an important role in shaping a fund’s operations, and as a result, it becomes necessary for firms to have a person or persons dedicated to managing IT. Whether that role is internal or outsourced, IT has become more of a strategic role, and those managing it are dealing much more with creating and maintaining policies and procedures, particularly around security. It makes it challenging then to balance the need to manage risk with the desire to keep productivity high.
Can you tell us about the SEC’s cyberspace initiative that was unveiled last month?
The SEC first made it clear they wanted to take a closer look at cybersecurity when they announced a roundtable earlier in the year. Since then, they’ve issued a Risk Alert which announced they would be conducting exams of at least 50 registered broker dealers and investment advisers. The most important thing we saw come out of that announcement was the sample questionnaire provided by the SEC.
What do these new guidelines mean for fund managers?
The questions provided by the SEC are really a framework for firms to follow in terms of structuring their security programs and policies both in preparation for and in the event of a security incident. The questions cover a variety of areas – everything from how firms go about identifying risks to maintaining secure relationships with third-party vendors. Answering these questions becomes a lot easier when firms have written information security plans (WISPs) in place. A WISP will identify administrative and technical safeguards for a firm and address any gaps a firm should fill in as it relates to their cybersecurity preparedness.
One thing to consider also is that firms may need to start identifying under what circumstances some kind of disclosure needs to take place. Disclosure isn’t currently required under any SEC laws, but this may be a step in that direction. Firms should start evaluating in what situations it would be critical to notify regulators, investors, etc. – for example, if money is transferred or personally identifiable information is released as a result of a technology breach. Those could be circumstances that might be regulated in the future.
What do you see as the biggest cybersecurity threats facing financial firms today? And specifically for hedge fund managers?
A lot of focus is placed on high-profile security breaches and the potential for hackers to target financial services firms, in particular. But the reality is that a much more likely security threat is an internal one. Internal security incidents – whether intentional or not – are generally the most serious for firms to contend with and definitely the most common. As a hedge fund manager, it’s important to implement strict internal policies around what information can be accessed by whom and keep documented logs of which employees tap into what data. Beyond that, training employees on what’s acceptable and expected of them is critical to minimizing the number of incidents and the potential for a breach to occur.
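The two internal controls named in that answer, deciding who may access which data and keeping a log of who actually did, can be expressed in a few dozen lines. The following is an added illustration written for this page, not code from Eze Castle Integration or from the interview; the role names, dataset names and employees are constructed, and the "repeated denials" review is one simple way a firm might read its own access log for insider-risk signals.

```python
"""
Added example: a least-privilege access check that writes every decision
(allowed or denied) to an append-only audit log, plus two review queries
over that log. Roles, datasets and employees below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Hypothetical role-to-dataset permissions for a small fund (constructed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "portfolio_manager": {"positions", "research"},
    "operations": {"positions", "investor_pii"},
    "analyst": {"research"},
}


@dataclass(frozen=True)
class AuditEvent:
    """One access decision. Denied attempts are logged too; they are often
    the earliest sign of an employee probing beyond their role."""
    timestamp: str
    employee: str
    role: str
    dataset: str
    allowed: bool


@dataclass
class AccessController:
    assignments: Dict[str, str]                      # employee -> role
    log: List[AuditEvent] = field(default_factory=list)

    def request(self, employee: str, dataset: str,
                now: Optional[datetime] = None) -> bool:
        """Decide an access request and record it. Unknown employees get
        the empty role and are therefore denied everything."""
        role = self.assignments.get(employee, "none")
        allowed = dataset in ROLE_PERMISSIONS.get(role, set())
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.log.append(AuditEvent(stamp, employee, role, dataset, allowed))
        return allowed

    def denied_by_employee(self) -> Dict[str, int]:
        """Count denied attempts per employee (a review query)."""
        counts: Dict[str, int] = {}
        for event in self.log:
            if not event.allowed:
                counts[event.employee] = counts.get(event.employee, 0) + 1
        return counts

    def flag_repeated_denials(self, threshold: int) -> List[str]:
        """Employees whose denied attempts reach the threshold, sorted."""
        return sorted(e for e, n in self.denied_by_employee().items()
                      if n >= threshold)

    def who_touched(self, dataset: str) -> List[str]:
        """Answer the question 'which employees tapped into this data?'."""
        return sorted({e.employee for e in self.log
                       if e.dataset == dataset and e.allowed})


def run_sample() -> AccessController:
    """Replay a constructed sequence of access attempts against the controller."""
    controller = AccessController({
        "alice": "portfolio_manager",
        "bob": "analyst",
        "carol": "operations",
    })
    # Constructed attempts: bob (an analyst) twice reaches for data outside
    # his role, and "dave" is not a known employee at all.
    attempts = [
        ("alice", "positions"),
        ("bob", "research"),
        ("bob", "investor_pii"),
        ("bob", "positions"),
        ("carol", "investor_pii"),
        ("dave", "research"),
    ]
    fixed_time = datetime(2014, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    for employee, dataset in attempts:
        controller.request(employee, dataset, now=fixed_time)
    return controller


if __name__ == "__main__":
    ac = run_sample()
    for event in ac.log:
        print(event)
    print("denied per employee:", ac.denied_by_employee())
    print("review candidates:", ac.flag_repeated_denials(2))
    print("accessed investor_pii:", ac.who_touched("investor_pii"))
```

The design point is that the log records the decision, not just successful reads: a firm that only logs what was opened cannot see the pattern of an employee repeatedly being refused data outside their role, which is exactly the kind of internal incident the answer above describes. In a real deployment the log would be written somewhere the employee cannot alter it.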
What are some of the biggest mistakes financial firms make in terms of cybersecurity?
One of the biggest mistakes financial firms make is assuming that if a security incident hasn’t happened yet, it never will. Newer startup firms tend to come into launches with open minds and ask a lot of security-related questions; they are also generally more open to implementing cybersecurity practices and procedures to protect the firm.
More established firms that have been lucky to avoid any security threats tend to be complacent and assume since they have avoided danger in the past, they will continue to do so. This can be a huge detriment to a firm if it chooses to skimp on security protocols or overlook them entirely.
What are the three most important steps firms can take to protect their systems from hackers or viruses?
There are a number of steps firms can take as part of a proactive approach to cybersecurity. Limiting attack vectors is certainly a priority, and firms can do this by taking a layered approach to security and ensuring that all systems are designed in a way that protects critical infrastructure and data. Anti-virus software and firewalls are simply not enough to protect a firm against a security attack.
Educating and training employees is also a critical factor, particularly given that internal breaches are far more likely to occur than external cyber-attacks. Keeping security on the minds of the end users and making them aware of how their everyday job responsibilities and tasks can affect the business is important as well as challenging.
Finally, documenting policies and procedures is a necessary step to combating security threats. Unfortunately, the reality is that a breach or exposure is near certain for firms, but the nature of that threat and the extent of the damage is something firms can take more control over. By implementing written information security plans (WISPs), firms have thorough processes on paper that will make responding to and recovering from an inevitable security incident that much easier and smoother.
Can investment firms be held liable if they are a victim of a cyber-attack and customer data is compromised?
Depending on the circumstances and on various state laws, yes, firms can be held liable if customer data is compromised. Massachusetts, for example, has a data privacy law in effect (MA 201 CMR 17) that was put into place to protect firms from compromising or releasing personally identifiable information of any employees or investors.
From a federal perspective, though, at this point it looks like the SEC is still trying to gather as much information as they can, and it seems likely that down the road, they may look to implement some kind of disclosure and/or penalty regulations to control how firms protect information from a security perspective.