Although Wall Streeters often criticize Washington, DC bureaucrats for being out of touch with their daily realities, the new Framework for Improving Critical Infrastructure Cybersecurity issued in February by the National Institute of Standards and Technology (NIST) might just be a notable exception. It has apparently become a hit among US investment management compliance and data security experts alike.
The reason: it offers a non-prescriptive, generalist and technology-neutral approach applicable to just about every firm, say a dozen fund management compliance specialists consulted by FinOps Report this week.
Asset managers have always been concerned about cybersecurity, but with the US Securities and Exchange Commission now insisting they treat cybersecurity as a category of operational risk to be continually monitored and mitigated, they are even more concerned. Regulatory visits are just a few months away, so fund managers have to think fast.
“Given the NIST’s recommendations have such high-level White House backing, it stands to reason that the SEC would incorporate them in its exam process,” says one compliance director at a Boston-based fund management firm. “Our external and internal legal teams are also in favor of our adopting its recommendations.”
While regulators are still trying to understand the exact cybersecurity threats facing fund managers and what they can require, Deborah Prutzman, chief executive of New York-based regulatory compliance firm The Regulatory Fundamentals Group, agrees that asset management firms would do well if they relied on the NIST’s framework. “Currently, they [regulators] are determining the severity of the problem and learning about existing industry practices,” she says. “The SEC has indicated it won’t provide a laundry list of precautions and actions fund management firms should take. With this in mind, the NIST framework is a good starting point.”
Means to an End
At the core of the NIST’s three-part methodology is the premise that sophisticated technology alone cannot build a fortress against cybercriminals. Instead it’s important to take a holistic, company-wide perspective on reducing internal and external threats, with C-level staff and every business line involved. Such an approach should be fluid rather than static, adapting cybersecurity practices through continual improvement where appropriate, just as the cybercriminals are doing.
Here is the gist of the NIST’s framework, as explained by the New York law firm of White & Case in a newsflash published last month where it also offered its endorsement as a way to mitigate legal risk. “In the absence of legislation, the framework could be used in the context of disputes or enforcement actions as a point of comparison in assessing whether the company’s practices are reasonable or unfair or deceptive,” write attorneys Trevor Nagel and Allison Dodd.
The NIST framework consists of a core, implementation tiers, and profiles. The core groups an organization’s cybersecurity activities into five basic functions: identify, protect, detect, respond, and recover. Fund managers need to spend time understanding and documenting the mission-critical ways they use technology, their security procedures, the testing they have undertaken to confirm those procedures work, how they monitor for cybersecurity risks on an ongoing basis, and how they quickly respond to recognized threats.
The implementation tiers allow an organization to classify the extent to which its cybersecurity risk management practices are rigorous and sophisticated, informed by business needs, and integrated into its overall risk management. Tier 1 means partial and Tier 4 means adaptive. Operating at the highest, adaptive tier means that C-level staff and every business line are involved, as appropriate.
The profiles help a firm describe its overall state of cybersecurity risk management in light of its business requirements, risk tolerance and resources. By comparing a current profile with a target profile, a firm can identify and bridge the gap between its present level of readiness and its desired level.
“There is no silver bullet. No matter how much money an asset manager spends on cybersecurity technology, it will never be completely secure,” says Eldon Sprickerhoff, chief security strategist at hedge fund data security management firm eSentire, which co-authored with Prutzman a white paper on cybersecurity risks and options for asset managers. “Hence, asset managers need a gameplan to protect areas of highest vulnerability and plan ahead about what to do in case security is breached,” he adds.
Like their sell-side brethren, asset managers face a serious threat of criminals invading their networks and stealing confidential data through malware, stolen credentials or social engineering. Once an external attacker obtains a foothold within the fund management environment, it may be able to discover whatever the firm considers its secret sauce. Recently, some cybercriminals have even begun encrypting all the files of the firm they target and demanding a ransom before the firm can access its own data again, an attack now commonly known as ransomware.
Top Targets
While banks and brokerage firms might have deep pockets to keep track of all cybersecurity risks, not so with many asset managers. Start-up hedge funds face enough challenges just getting up and running, and without sufficient protection might have to close shop before they even start.
That’s why a risk-based approach becomes critical to survival. “Think like a thief would,” urges Sprickerhoff, who recommends asset management firms ask themselves just what they have that a cybercriminal would most want to get its hands on. Protecting those assets first and foremost, rather than trying and failing to guard too broad a front, is the way to go.
Three prized possessions that asset managers should consider safeguarding when planning, says Sprickerhoff, are information related to portfolio strategy, banking accounts, and client information. Any unauthorized access and use can lead to regulatory scrutiny and short-term financial loss through front-running of trading strategies, illegal funds transfers, sale of confidential data, and even delays in post-trade clearance and settlement of trades.
If none of those tank a fund manager, reputational risk will. “Institutional asset owners won’t be happy finding out their closely guarded secrets are in the wrong hands and even if they don’t sue, they will want to pull out fast,” one New York-based hedge fund compliance officer tells FinOps.
Next up: evaluating which activities are the most susceptible to a security breach. The simplest everyday workflow could be the riskiest. Cybercriminals can compromise a website that portfolio analysts or managers visit regularly so that any information downloaded from it carries malware, a so-called watering-hole attack. Voila, a beachhead has been established at the fund management firm.
However, opening a bad email attachment is by far the most likely vector for a cyberattack. “It’s human nature to open all of one’s emails and fund management firms will be receiving hundreds of them each day from current clients, prospective clients, service providers, and prospective service providers,” says J. Paul Haynes, chief executive officer for eSentire, headquartered in Cambridge, Canada. “Cybercriminals have studied what makes any email attractive, and just one click can open the door for them.”
The task of evaluating how well prepared an asset management firm is to face such commonplace cybersecurity risks, and of reducing them, will likely fall heavily on the shoulders of an internal IT department, if there is one. Even the best should consider calling on third-party consultants such as information security specialists, who can test more thoroughly and are experienced in writing specific cybersecurity risk mitigation and recovery plans. They can assess a firm’s security readiness through vulnerability assessments, malware analysis, forensic-level network traffic analysis, policy review and testing.
Team Effort
IT folks aren’t the only ones who should be designing cybersecurity plans, as attacks can cut across the whole firm and its operational processes. The chief executive officer, chief financial officer, chief operating officer and chief compliance officer all need to be well informed and part of the decision-making process. So does the governing body. “At the very least,” says Prutzman, “senior management will want to have sufficient information to satisfy itself, investors and regulators that the risk has been appropriately considered.”
She recommends that IT and compliance specialists bring senior management up to date on all relevant developments at least quarterly. Of course, any remediation plans need to be monitored on a more timely basis. Should a material security breach take place, crisis communications will become critical. Senior management will need to set standards and acceptable levels of risk while compliance and legal teams handle contractual and regulatory expectations.
Fund management firms that haven’t had internal discussions on how they will handle cybersecurity attacks need to do so fast, as they must show the SEC they are prepared. Such talks should generate written firm-wide guidance on reporting procedures as incidents occur, as well as an incident management plan. “It is important that the plan have the names and contact information of key stakeholders, including regulators and enforcement personnel,” says Haynes.
Should the best-designed plan fail, the asset management firm will still need to contain further damage and recover fast. If that sounds like a disaster recovery or business continuity roadmap, it is, with one exception: the disaster comes from malware rather than from a natural weather event, terrorist attack, or market meltdown.
If the attack is technology-based, data security and technology specialists must be prepared to plug holes fast and inform all of the C-level staff — the CEO, CFO and COO — of what they are doing on a step-by-step basis. The contact list could also include any third party fund administrators, custodians, prime-brokers, IT integration specialists, and data storage specialists. Even public relations specialists might be brought into the mix to come up with just the correct messaging. Spin isn’t necessarily a four-letter word when a fund management firm’s survival is at stake.
Just when to notify regulators and law enforcement will likely be far more difficult to determine. “It’s an art, and rarely a science,” says Prutzman. “To make the decision, a fund management firm needs to plan ahead because there may not be enough time to gather critical information in the moment.” Planning ahead means understanding the requirements of the jurisdictions and regulatory bodies affecting the firm, its investments and its investors.
Each cyberattack is different and each asset management firm is different, but it appears that US regulators are now asking US fund management shops the same question: “Have you thought about the approach which is right for you?”
When that happens, asset managers will want, and need, to be prepared with an answer.