Great guest post by Gerard Joyce CTO of LinkResQ, makers of the Risk Management Information System solution CalQRisk who were on the long list for the Irish Tech News 2016 Fintech 20 Ireland awards. Image from pixabay.
The problem is that cybersecurity is everybody’s problem and unless all functional areas of an investment manager’s business are involved in discussions on the solution then no solution will be truly effective.
In addition to the published expectations and inevitable scrutiny of regulators such as the FCA, SEC and CBOI, it is now commonplace for investors conducting due diligence to want comfort that their data and assets will be properly protected.
The National Association of Corporate Directors (NACD) in the US put it very well in their Cyber-risk Oversight Handbook when in Principle 1 (of 5) they state “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue”.
It’s more than just keeping the bad guys out. It’s more than firewalls and intrusion detection. It’s more than just spyware and malware. It’s also about protecting integrity, making sure that the data your published reports are based on is accurate and unaltered. It’s also about availability, ensuring you and your customers can access applications and information as and when required. It’s about people, their behaviour, sometimes careless and sometimes malicious. And it’s also about prioritisation, what matters most, which information needs the most protection?
In this article we take a look at the current state of cybersecurity and what investment managers should be doing to keep the information they hold secure and private.
What does “cyber” mean?
The word “cyber” could, depending on the context, be replaced by: computer, computer network, virtual, or simply “very modern”. However, keeping information secure and private is not new. What is new is the multiplicity of ways (“threat vectors” in IT-speak) that can be used to access the information.
In the following paragraphs we will look at the threats and the vulnerabilities that together create risks that threaten the achievement of your objectives with regard to your valuable information (Strategies and plans, client information, financial information, employee information, etc.). We will also look at what can be done to minimise the risk and help keep information confidential, accurate and available.
Where are the Threats coming from?
Depending on your context and the nature of the information you hold the chief threats could be one or several of the following:
- Hackers and Hacktivists
- Disgruntled employees
- Criminal Organisations
- Aggressive competitors
- Hostile Nation States
What are the Vulnerabilities?
To access your information they will exploit your vulnerabilities so it is imperative that you are aware of and address these. For the typical organisation the vulnerabilities include:
- Unwitting employees who are unaware of the methods employed by those who would steal / corrupt your data.
- IT System Misconfiguration. Akin to leaving the back door open.
- Unpatched flaws in operating systems and programmes
- Mobile Devices. Whether or not they are under your control, they provide an access point to your information.
- Service Providers / Vendors who have poor cyber defences can offer an easy route to your information.
- Storing data in the cloud (e.g. Dropbox, Skydrive). Do you know how secure it is?
The risks are what threaten the confidentiality, integrity and availability of your information. They include, but are not limited to, the following:
- Denial of Service attack. Attacking your systems in a manner that prevents legitimate users from accessing your information / systems.
- Encrypting your data and demanding payment for the decrypt key.
- Data breach. Can be external or internal.
- Data changed / manipulated maliciously. Could impact key decisions.
- Stealing information and routing it to external parties.
- Identity theft. Criminals masquerading as clients.
The Solution: Manage the Risks
The wide range of threats, vulnerabilities and resulting risks means that the solution requires a combination of preventative and mitigation measures. As you would expect, many of these have an IT component, but many are dependent on human behaviour and a sound corporate culture. What is required is an organisation-wide approach that has the visible support of senior management, and a plan to do what is required.
Establish the Context
No one plan fits all. So the first step is to “Establish the Context”; consider your organisation, your people, processes, technology, your clients, your service providers, your vendors, the regulations that apply, the nature of your investments, your objectives and how much risk you are willing and capable of bearing. With this in mind you can better assess the risks.
Assess the Risks
Assessing risks is about identifying and analysing the risks that threaten the achievement of your objectives. Know your vulnerabilities, know where threats are coming from, know what you have in place and know if it’s working.
Treat the Risk
Treating risks is about implementing controls that prevent and/or mitigate undesirable consequences. It might also mean improving existing controls to make them effective.
Preventing undesirable consequences can be achieved by a combination of the following controls:
- Policies and procedures. Set the tone from the top and enforce good practice.
- Responsible person. Have one person who owns information security.
- Training and awareness. Make sure employees and directors know your policies and expected practices, know the threats and methods used (e.g. Social Engineering) to gain access to your information.
- Train people to recognise attempts at identity theft and to follow strict rules on identity verification.
- Service Provider Due Diligence. Confirm that their risk mitigation is appropriate.
- Access control. Only give access to as much information as is required. Confirm on a regular basis that access rights remain appropriate.
- Monitor user activity. Look for unexpected behaviour.
- Limit access between systems. Only allow as much access as is necessary.
- Intrusion prevention. Have you got secure / robust firewalls in place?
- Intrusion detection. Do you know if you are being attacked?
- Integrity monitoring. Do you know if information has been altered?
- Monitor the traffic. Do you know what information is leaving your organisation?
- Backup your data regularly. Know how much you can afford to “lose”.
- Manage ALL mobile devices that can be used to access / store your information.
- Train all employees on good practice when using mobile devices.
- Get a third party to verify your defences. Do a penetration test.
- Monitor adherence to your own rules.
- Incident Response Plans. Have a plan in place for when it does go wrong. Make sure everybody knows what to do if they see or suspect a breach in security.
Discussions on the Solution
On an ongoing basis it is recommended that a cross-departmental group is formed to discuss how best to address the many aspects of information security. It is best if a member of the C-suite leads this group, as this will give it the imprimatur it requires. Members of this group should be drawn from the investment management board, the compliance department, IT, operations, internal audit and the risk management function.
By involving people from across the organisation you can be more confident that the solution(s) will be more comprehensive and effective.
Questions that this group should consider and which will help stimulate discussion:
- What information is sensitive / most sensitive? How is it identified?
- Are there rules governing how sensitive information is to be treated, whether in paper or electronic format?
- Do you know everywhere that sensitive information is stored?
- Who decides who has access to what information?
- How often do managers confirm that the access rights of those reporting to them are correct and appropriate?
- Have all legal, regulatory and contractual obligations regarding the information you hold been identified and are there appropriate processes in place to ensure compliance?
- Have you outsourced any critical function / activity? Is somebody responsible for ensuring that your service providers have security controls in place that comply with your policies?
- Do any of the products or services you sell include access to information systems? Are discussions on information security held at an early stage of the development of the product / service so that it can be “built in” rather than “bolted on” later?
- Do you actively restrict what can be downloaded / installed on computers?
- Does the Human Resource department address information security concerns when recruiting or on departure of people?
- Do you have robust processes around the sourcing and retention of information on which key business decisions are made?
- Do you have robust processes governing the transfer of sensitive data from your organisation to an external party?
- Is somebody staying abreast of current threats and vulnerabilities and ensuring that the organisation’s defences remain up to date?
And if you do buy cybersecurity risk insurance remember that the insurance company will still expect that you have employed “reasonable best efforts” to protect and keep secure the information that you hold. Have you?
About the Author
Gerard Joyce is CTO of LinkResQ, makers of the Risk Management Information System solution CalQRisk. He is also the chairman of the National Risk Management Standards Consultative Committee (at the NSAI) and member of the ISO Risk Management Technical Committee. He can be contacted at [email protected]