By Grigoriy Milis, CTO, RFA
By including twenty-eight points in the sample request for information attached to its April 15, 2014, OCIE Cybersecurity Initiative bulletin, the SEC underscored the need for hedge funds to take a multi-faceted approach to protecting their data. Network architecture, monitoring, and protection systems are addressed alongside organizational preparedness and staff training. These example audit questions reflect what experts in the field of cybersecurity have spoken about for years: businesses must have all their bases covered in order to create a secure network environment, and they must be prepared to minimize the damage done when a breach does occur.
Any server, workstation, or network device that connects to the Internet contains potential vectors for a cyber-attack. Hedge funds must develop a strategy that balances traders’ requirements for fast connectivity with the need to prevent malware from making its way onto vulnerable network resources. Traffic on the network must be monitored and analyzed not only as it enters the network, but also as it exits back across the Internet. Advanced forms of malware are designed to go undetected as they exploit a gap in the network perimeter and transmit data back to third parties. This data can include client information, financial documentation, and other highly sensitive intellectual property, all of which can be used for financial gain.
Many firms fear that this kind of near-real-time examination of data may slow the pace of transactions and research to a crawl. Outdated or incorrectly-configured data protection systems may needlessly burden networks, but next-generation firewalls (NGFW) and intrusion detection and prevention systems (IDPS) are intended to manage the intense workloads of an active network. A NGFW is designed to recognize different types of traffic into and out of the network, with policies determining what applications are business-critical. This helps organizations optimize network performance by reducing traffic to applications that may be used for social or entertainment purposes and also blocking potential malware activity. NGFWs have built-in intelligence to ensure that packets of data need only be analyzed once before being blocked or permitted, reducing network load. An IDPS serves the role of comparing activity within the network to known attack signatures and alerting, blocking and/or quarantining this activity. The IDPS complements the firewall, which identifies inbound and outbound traffic, by identifying and analyzing suspicious activity that is active within the network, working side-by-side to help prevent data breaches.
It is important to understand that technology solutions only provide a partial answer to data protection, and that firms must be prepared to address threats that manage to get inside the network. According to the Investment Adviser Association’s 2014 Investment Management Compliance Testing Survey, over eighty percent of investment advisory firms do not have a formal incident response plan. This leaves these firms vulnerable and can worsen the impact of a data breach by wasting valuable time in determining how to contain and control the threat. New malware is designed to penetrate sophisticated defenses and remain undetected for extended periods of time, meaning that an attack may be detected once it is already active in the network. These “zero day attacks” require rapid response to minimize exposure, and a written cyber-security response plan will help firms stay calm and effective in the event of a breach. Following the response to and removal of the threat, the firm can determine ways to prevent the situation from happening again.
A common sense combination of prevention and preparedness will reduce the stress surrounding cyber-security for hedge funds of all sizes. Increased specificity provided by the OCIE Cybersecurity alert means that a robust defense and a clear plan are no longer merely nice to have – they are an essential part of doing business.
Covering Your Cybersecurity Bases (Canadian Hedge Watch, November 2014)