By Grigoriy Milis, CTO, RFA
It is the responsibility of each hedge fund to ensure that this information is protected from the kinds of data breaches that have led to international news headlines. No firm is too small or too inconspicuous to fall victim to an attack, and with the release of the SEC’s OCIE Cybersecurity Bulletin, a clear message has been sent that every hedge fund must have network security safeguards in place.
One of the key takeaways from the SEC bulletin is that checking the boxes next to technology solutions is not enough for a firm to be considered protected from a breach. The idea that the right combination of security precautions will create an impenetrable barrier around network assets is a misconception.
While advanced technologies exist that can prevent known attacks and detect suspicious activity, there are numerous “zero-day exploits” that capitalize on previously unidentified flaws in business applications, and these will go undetected until malicious activity begins. In addition, employee errors, such as revealing a password to a third party or clicking on a link disguised as legitimate correspondence (for example, an email from a bank or a shipping partner), put the company at risk in ways that technologies may not be able to prevent.
Beyond failing to fulfill the guidelines set out by the SEC, this kind of “set it and forget it” approach to securing the network will not live up to the obligations firms have to protect their clients. Technology is not to blame when a firm fails to respond effectively to a data breach. Simply put, hedge funds will be held accountable for cyber-security incidents and will be penalized if they take a casual attitude towards their clients’ data.
Attacks on data must be treated with the same approach as the one taken towards natural disasters in the wake of Hurricane Irene and Superstorm Sandy: cyber-security incidents will happen and steps must be taken to minimize the impact of these incidents. There are three main elements to cyber-security preparedness: technology protection, employee education, and a clear incident-response plan. It is this last point that can mean the swift resolution of a breach versus an ongoing issue that can lead to stolen data and a loss of investor confidence.
Many hedge funds leave themselves open to exactly this kind of risk: in the Investment Adviser Association’s 2014 Investment Management Compliance Testing Survey, over 80 percent of investment advisory firms reported that they lack a formal incident-response plan.
Have a Plan
In order to begin creating a complete incident-response plan, firms must understand what these plans should encompass. Much like the firm’s overall business continuity plan, a cyber-security incident-response plan contains the steps that specific team members must take once a potential breach has been identified.
Technology such as monitored intrusion detection and prevention systems (IDPS) and next-generation firewalls (NGFW) will provide early alerts if suspicious activity is detected, but it is up to the firm’s employees to respond appropriately to lessen the damage. These plans will be unique for each firm, and the plans of larger firms with more complex infrastructure may require the inclusion of more elements and additional departments.
The first step in an incident-response plan should be to learn what data is affected by the breach. This includes identifying the systems and servers that have been breached, along with which team members are responsible for those systems. From here, the responsible parties will have a set series of actions that must be taken to triage and quarantine compromised systems. Research must then be done to identify how the threat entered the network.
Attacks can occur in a vast number of ways, including via unpatched software, unauthorized web usage, and spear-phishing attacks that target employee behavior. Once a determination has been made as to how the attack occurred, steps must be taken to ensure this type of attack will not happen again. This resolution will most likely take a form that combines technology enhancements with employee education.
It may seem pessimistic to assume that any firm can fall victim to a data breach, but it is a line of thought that will make businesses take threats to their network security seriously. The fact is that investors, regulators, and partners have an expectation that when they share their most sensitive data, it will be kept safe from compromise. While the increased level of accountability placed on hedge funds may seem intimidating, there are common sense steps that can be taken to reduce the impact of a cyber-security incident. Your firm can’t afford to be unprepared.
Cyber-security: Preparing for Accountability (Waters Technology, October 24, 2014)