TechRepublic recently shared that cybercriminals are increasingly targeting asset and wealth management (AWM) firms. Based on current industry projections, asset and wealth management firms’ AuM is set to grow by up to 5.6% a year by 2025, to USD 147.4 trillion. This level of wealth and this type of data represent a tempting target for today’s cybercriminals.
If your firm were hacked tomorrow and all your data were encrypted, what would that mean for your firm? If your data were stolen, what would your firm do?
Hackers are no longer some vague threat or news headline; they are part of the reality of doing business today. Here is what firms need to take stock of to thwart these malicious actors.
We recommend starting with a security risk assessment. Before firms can thwart risk, they need to identify it. Firms must identify their data and the weaknesses in both its protection and the procedures around it.
Once your firm or your cyber partner has completed your Risk Assessment, the systems to IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER from cybersecurity issues need to be put into play.
Here is how.
- A SECURITY ASSESSMENT: It is paramount that you identify your data, your risk, and your risk tolerance before creating a plan to protect yourself and the firm. A comprehensive Risk Assessment is the right place to start.
- BACKUP: Backup is a prerequisite for security. It is not a security step; it is the last resort. You must determine your firm’s Recovery Point Objective and Recovery Time Objective. We suggest following the 3-2-1 backup rule: three copies of your data on two different media, with one copy offsite. Ensure your backup is not vulnerable to crypto attack. (Cloud backup and storage services are ideal.)
- FIREWALL: “Next Generation” or “Unified Threat Management” firewalls should be implemented along with managed Web application filters. Ongoing updates and maintenance are vital.
- ANTI-VIRUS: An active alert system must be tied to your anti-virus software. Getting alerts about virus activity will not help you if you do not have procedures and people to act on the alerts.
- INTRUSION/ENDPOINT PREVENTION: Intrusion prevention is sometimes referred to as Advanced Endpoint Protection. It includes software that acts when unwanted behavior is detected. A Security Operations Center (SOC) or provider is recommended to ensure proper response to detections. For large firms or firms with compliance requirements, a security information and event management (SIEM) platform is recommended.
- INTRUSION DETECTION: Early detection is vital. Limiting dwell time, the amount of time a hacker has a foothold on your network before detection and remediation, is key to successful security management.
- MANAGED DETECTION RESPONSE: Onboard managed detection and response (MDR) services. MDR is an outsourced service that provides firms with threat hunting services and responds to threats once discovered, before they can act against your firm.
- ENCRYPTION: Encrypt everything. Data should be encrypted at rest and in transit. Disk encryption is a must, and file-level encryption can offer a safe harbor.
- MULTI-FACTOR AUTHENTICATION (MFA): MFA is a must. CISA and Microsoft now recommend using a mobile application for MFA rather than relying on text-based MFA.
- PHISH TESTING AND SECURITY AWARENESS TRAINING: Training significantly reduces your chances of a breach or an attack. Knowledge is always power. Educating your employees and developing a security-conscious culture is essential and typically not a priority for firms, but it should be.
- CLEAR WRITTEN POLICIES: Be prepared. Compliance requires written policies.
- SPAM CONTROL: Reducing spam directly limits the most common method of penetration for most malware. Unfortunately, hackers are becoming more sophisticated and have developed techniques to deliver legitimate emails that still pose a threat. Speak with your cybersecurity partner about software that can limit spear-phishing attacks.
- PASSWORD MANAGEMENT: Helps ensure passwords meet complexity requirements and are not used in more than one place.
- PATCH MANAGEMENT: Ensuring you patch your operating systems, applications, and devices like firewalls is vital to reducing your attack surface. New vulnerabilities are discovered daily, and an active patch process is vital to keep you protected.
- MOBILE DEVICE AND ENDPOINT MANAGEMENT: With today’s distributed workforce, cell phones and other mobile devices are all attack vectors and are often overlooked. Anti-virus and, preferably, full management of endpoints are recommended.
- CYBER INSURANCE: When all else fails, you should have insurance to protect your firm, if you do not already have it. You have liability insurance. You have auto insurance. Why wouldn’t you protect yourself and your firm from this spreading new threat of cyber-attack? Remember, however, that cyber insurance covers the typical losses that an alternative investment manager would face after a cyber event; losses due to the inability to trade after a cyber event that causes your network or another network to go down would not be covered.
- RISK MANAGEMENT PROCESS: We recommend having a clear CVSS-style risk management process, so the board and partners are clear on how risks are being mitigated on an ongoing basis, giving them scores against impact and likelihood (for example).
At RFA, our focus is on ensuring your systems are not only secure but meet the highest compliance standards expected by investors and regulators. If your firm is navigating the cyber landscape alone, connect with us for a review and assessment.