Q&A: Cyber security and technology risk for investment funds
December 2014 | SPECIAL REPORT: INVESTMENT FUNDS
Financier Worldwide Magazine
FW moderates a discussion on cyber security and technology risk for investment funds between Mike Gillespie at Advent IM Ltd, Jay Leek at The Blackstone Group, Scott Loughlin at Hogan Lovells US LLP, and Brian E. Finch at Pillsbury Winthrop Shaw Pittman LLP.
FW: In your opinion, what are the major information technology and cyber security risks facing fund managers today? How vulnerable are they to this risk?
Gillespie: Spear phishing is a major threat because fund managers are dealing with very specific sorts of information and their access to highly sensitive and valuable information makes them a highly sought-after target. They are very vulnerable because spear phishers do their research carefully and will probably have done a fair degree of social engineering or research in order to choose precisely the right person and hook them using precisely the right language or emotional squeeze. According to Verizon research, almost a third of attacks have some kind of ‘social element’, normally in the preparation period. Large numbers of people don’t know what basic phishing is – one in four UK employees, according to OnePoll – and that’s why it is so successful. Managing funds on behalf of ‘high net value individuals’ means the finances, as well as the personal details, will be of interest to nefarious people. Another threat could come from a DDoS attack, which could knock out vital trading information websites or systems. Good security, then, is a must. Good security awareness training, but also good business continuity processes and planning, must be in place to ensure that ‘business as usual’ can continue and the risks identified are mitigated. All plans need to be thoroughly tested.
Leek: Regardless of what industry a company is in, every organisation faces cyber security threats ranging from advanced and persistent to benign and opportunistic, and these threats are even more significant for financial institutions given the nature of the data they handle and manage. Therefore, protecting the confidential data of their investors and strategic partners is essential to protecting their businesses. A continuous process is required to manage the risk of confidential data being stolen by external threat actors, or mishandled by a well-intentioned employee. Every organisation finds itself vulnerable, especially since the human risk or mistake is the most significant risk for any organisation.
Loughlin: Today’s cyber security risks take many forms. An errant email sent by an employee, a malware infestation, or a lost laptop or thumb drive all may result in the loss of personal, confidential or proprietary information. A breach could cost a company millions. Investment fund managers face a particularly complex cyber security landscape, because their exposure comes from multiple sources. They not only face cyber risks within their own operations, but each of their investors, portfolio companies and assets are potential targets, especially ones with fewer IT resources. Malicious actors looking for easy targets are likely to be attracted to this combination of valuable data and relatively less sophisticated defences, leaving fund managers and their investors and assets vulnerable.
Finch: Fund managers are as vulnerable as any other group of professionals. Given the large amount of capital they are handling at any given time, cyber criminals will want to access their accounts and account information. The biggest risks include monitoring of networks to gain information, manipulate portfolios and impersonate account holders to steal funds. Technological risks include advanced malware, destruction of data including backups and counterfeit parts that contain malware.
FW: Could you outline the importance of cyber security as it relates to data privacy and protection? What potential liability exists for fund managers in connection with the loss of sensitive data at the fund level, and at the portfolio company level?
Leek: Cyber security and data privacy and protection go hand-in-hand, because most private information is stored digitally and is accessible via the internet or corporate networks. Security helps ensure that privacy can be maintained. Class action lawsuits are always a concern, and the reputational damage and investor value lost from a major breach will be material if not properly managed.
Finch: Cyber security is absolutely critical. Today, the biggest losses of private or sensitive data are through electronic means. That includes malicious software designed to shunt information to criminals, or failing to encrypt data that is then lost or stolen in a physical form, such as on stolen laptops or mobile devices. Managers could face enforcement actions from the SEC as well as contract or negligence claims from customers or even third parties. Managers essentially can count on massive litigation following a cyber attack.
Loughlin: Privacy laws determine what data needs to be protected; cyber security practices outline how that data can be protected. Without effective security strategies, privacy protections may also be compromised. This recognition has fuelled the ascent of cyber security concerns on corporate agendas in recent years. Remediation costs following a data breach alone can be crippling. Liability flows from many sources – costs include those associated with internal and government investigations, legal fees, lawsuits and third-party cyber security and forensic firms. Companies may face both statutory and contractual notification requirements. If the breach involved sensitive financial information, a firm may choose to provide credit-monitoring services to affected customers. When proprietary commercial information is involved, firms face the added complexity of assessing the business implications of the security breach. Finally, investment firms will have to rehabilitate their image following the reputational harm that accompanies a breach.
Gillespie: The threat is that the malfeasant could alter the integrity of funds. They could steal from them, of course, but the damage is not simply financial loss to the client; it is also damage to the information within it – and this can then affect the trading value of those funds. Aside from those risks, the reputational damage to the firm could be catastrophic and final. ISO27001 is a great framework for protecting all information assets, regardless of their format, and offers a means of reassurance to all key stakeholders that security is a priority and that information assets are adequately protected. The Information Commissioner’s Office (ICO) assesses breach potential or real impact on the individual, such as stress, so the ICO would take the impact of a breach against a fund manager very seriously – there would be a great chance this would carry the maximum penalty from the ICO. BS10012 is a standard for personal information management systems, which could also be a helpful reference framework.
FW: How important is it for fund managers to identify and manage cyber risks arising from third party relationships and outsourcing arrangements?
Finch: Third parties represent serious risks and have been used in several prominent data breaches to carry out the attack. Unsecured or less than secure access provides an excellent entry point for criminals. And you can count on criminals finding the weak point through which they can steal data. Criminals operate with no time limits, meaning they constantly review companies to find exploits. So it is vital that managers carefully review the security posture of vendors and outsourcing suppliers.
Gillespie: Managing third party risks is vital. There are many associated risks when working with third parties. Those risks have to be identified and the appropriate due diligence and vetting must be strictly adhered to. There may be vulnerabilities in the supply chain and we are finding that there is actually a growing demand for evidenced supply chain security resilience and that all partners are auditable and either certified or compliant with standards such as ISO27001. This means that smaller businesses and organisations which are part of complex and sensitive supply chains may have to start thinking about how they can evidence their robust security posture. The requirement for this kind of reassurance will only ever increase, as cyber threats show no sign of decreasing. Expanding on this theme, when we consider moving fund management information to the cloud, the risk increases and any off-shoring needs to be thoroughly risk assessed, and any necessary physical and information security risks understood and mitigated. This would, of course, be the case for any professional service, but the level of information that fund managers are handling, along with protecting the personal data of high net worth individuals, makes it a gilt edged priority.
Loughlin: Fund managers’ cyber risks are not just internal, but also arise through their collaborator, vendor and other business partner arrangements. Although data sharing between fund managers and business partners often is essential to those arrangements, third-party data sharing brings inherent risks, because the business partner’s cyber threats become direct threats to the fund manager’s data. As a result, a fund manager’s cyber risks are multiplied by the number of third parties that have access to sensitive data. Fund managers can seek to assess these risks by identifying the third parties that have access to investment fund data or systems and analysing the necessity of these arrangements. Where data sharing is necessary, the amounts and types of data can be limited to accomplish the business purpose. The risks can be further managed by conducting privacy and data security due diligence upfront, implementing contractual cyber security safeguards and carefully monitoring compliance.
Leek: Third party risk management is relevant because business partnerships often include some type of information exchange which can expose the security flaws of each party. Many business partners can mean lots of interconnections, which can become unwieldy if not strategically managed. It is one of the most commonly underinvested areas for most organisations despite it being the common element among many of the largest data breaches in recent memory. However, this is changing as organisations are quickly beginning to understand the risk a third party can expose to an organisation.
FW: Broadly speaking, how would you characterise cyber security risks in the context of M&A? Do fund managers pay enough attention to assessing target companies in this respect?
Loughlin: Pressed by the time pressures of a deal, buyers often do not focus on cyber security risks facing the seller during due diligence. This is a mistake as a company’s cyber security capabilities can affect the value of a company or even the viability of the transaction itself. Depending on the transaction, cyber security risks of a seller may soon become the liability of the buyer. A buyer may inherit and assume liabilities for data breaches, security vulnerabilities, non-compliance, government enforcement and litigation. A loss of information in a breach may also present serious risks to the intellectual property and value proposition of the target company itself.
Leek: A security breach can have a more significant impact if realised in a corporate M&A transaction as the newly acquired company will inevitably be integrated into the acquiring organisation. An issue in a smaller acquired company could manifest itself into a much more significant one in the larger company post-integration. However, I think that everyone would agree that a security breach can materially impact any organisation’s value and the confidence of its customers if not properly managed. Therefore, information security assessments during due diligence are becoming much more common among fund managers, and I think it is only a matter of time before it is a common industry practice. The risk is too significant to ignore.
Gillespie: I would be surprised if there is much done in terms of cyber due diligence in M&A, and would also be surprised if there was any major skill or experience in investigating cyber threats. This represents a significant vulnerability to the client, as the cyber security posture of any party in an M&A situation could have a huge impact on reputation as well as all other business functions. We have recently seen in the news that some breaches involve hackers hanging around on company servers, for years in some cases, such as the Goodwill breach in the US. The Neiman Marcus and Home Depot breaches saw them lurking around, unchecked, for around five months. What kind of damage could that do to a business and would all parties understand the ramifications of this level of security failure in terms of an M&A position? The security posture part of due diligence on a business in M&A is a large, missing piece of the jigsaw, and if the skills do not exist in-house then it would be vital that the expertise to examine and assess this cyber risk is sourced. There will also be the potential for complex legal ramifications, but this would vary from jurisdiction to jurisdiction.
Finch: Generally speaking, the financial sector is the most aware of the cyber threat. Banks in particular spend a spectacular amount of time and money on security. That said, most of that energy and money is spent on protecting information, not in evaluating M&A risk. More attention needs to be paid to that area. Just like a fund would examine the environmental risks when investing or buying a chemical company, so too should they examine cyber risks when making investment decisions. Companies with poor security are likely poor investment targets.
FW: What steps can fund managers take to prevent data breaches and cyber intrusion? What are the particular challenges and costs associated with mitigating these risks?
Gillespie: Put simply, understand the real threat, and from that the real risks. Build a strategy based on those risks, and from that develop policies and procedures. These need to be embedded, educated and enforced until they become culture, and regularly audited. This is the basis for good quality policies and processes in both technical and physical countermeasures. Companies need to mitigate the threat from social engineering, so people must never be forgotten as part of the process of understanding threat. Sometimes the threat comes from inside and it may be completely unwitting. There needs to be a well understood and tested protective monitoring and reporting process in place. If we use Target as an example, the monitoring was in place through FireEye and it worked – where it fell down was the human part of the equation, which required action to be taken after the alert was received. Senior management must ‘buy in’ to the cyber risk agenda and cyber risk must be on the corporate risk register, not kept in isolation on a security risk register. The protection required in different areas will be organisationally specific, so it needs to be layered appropriately. There should be regular technical and procedural compliance checking, vulnerability scanning and penetration testing, and robust change and configuration management on all systems.
Leek: The traditional security paradigm of prevent, detect and react is not working. A better approach is to balance prevention with enhanced visibility, intelligence and response. This requires shifting the goal from ‘not getting hacked’ to being able to identify a compromise and remove the threat from the environment before it creates any harm to the organisation. This approach requires reasonable investment in time, resources and financial commitments, but it is necessary to defend organisations from today’s threats.
Loughlin: There are several components to establishing and maintaining effective cyber security practices. Fund managers should understand their cyber security risk profile, which involves assessing the business context, conducting a comprehensive inventory of both physical and virtual assets, and tracking data flows to, from, and within a firm. Second, fund managers must protect their critical infrastructure and assets. In addition, a network monitoring program should be in place to prevent attacks and detect new threats. It is important to have a documented and tested incident response plan for handling cyber security events and potential security incidents. Furthermore, there should be a recovery plan to restore any capabilities or services that may have been compromised by a breach. The particular challenge of mitigating cyber security risk flows from the dynamism of today’s threat environment. Cyber security is an ongoing effort – entities must continuously monitor and react to new threats as they arise.
Finch: Managers should focus on establishing a process for determining cyber risks and applying defensive measures. There are no cyber silver bullets or a magic budget amount to create security. Indeed there is no such thing as absolute cyber security. There will always be risks and there will always be successful attacks. So managers need to learn what kinds of attacks they should be able to stop and those they cannot. For attacks they cannot stop, they need to have a good response policy in place to mitigate losses.
FW: How should fund managers respond if they fall victim to cyber-crime? What immediate steps should they take?
Leek: The first step is to be prepared before something happens by building a security program around key principles. Attackers and threats are constantly changing, so you need to keep current and think ahead. Constantly monitor the environment to detect and prevent threats from doing any harm. Understand the flow of information to respond effectively. Raise awareness of the threats to your organisation and ensure personnel understand their responsibilities to help protect it. Then, when you have an issue, you are in a much better position to address it early and before it causes material damage. The quicker answer is to always seek help if you don’t have the internal competency to respond. Most organisations have not been through major security incident responses before to build that knowledge in-house. It is also wise to engage an external law firm and use them to contract with the incident response firm.
Loughlin: All fund managers should have an incident response plan in place before a breach occurs. This plan should call out the key individuals responsible for managing the technical, business and legal ramifications of a breach. It should also identify trusted outside counsel to help navigate the company’s response as well as third party forensics experts to assist with investigative and data recovery efforts. When a breach does occur, it is important to assess the nature of the incident: who is the attacker, how did they attack and what data did they obtain? The incident response team should contain the incident while remaining cognisant of evidence preservation considerations. After an investigation, legal counsel can help determine who, if anyone, must be notified about the breach. Because the effects of data breaches can compound rapidly, time will be of the essence. Having a comprehensive incident response strategy in place can make all the difference when cyber criminals strike.
Finch: Fund managers need to immediately implement their cyber response plan. And the obvious assumption there is that they have a plan. Fund managers cannot deal with a crisis by calling 911 or calling in a cyber response company they have never dealt with before. Instead, managers need a plan that spells out who to notify internally and externally – including counsel, forensic firms and crisis communications – and implement procedures to stop data loss as soon as possible in order to limit the damage.
Gillespie: Damage limitation measures should be able to identify, contain and recover. A plan that has been fully tested should come into operation smoothly and swiftly. This should be clearly documented and easily available to those pertinent to carrying out the steps it lays down. Report any breach or theft to the correct channels, such as Action Fraud in the UK and the police. Manage the expectations of clients immediately – there is nothing worse in terms of reputation and perception than clients finding out after everyone else. According to The Ponemon Institute, 28 percent of data breaches are detected by the client and the majority, at 56 percent, are actually detected by accident. So when a security incident occurs, that is the time to leverage the business continuity, crisis management and forensic readiness plans.
FW: What insurance solutions exist for fund managers, in connection with cyber security and data breaches? How aware are fund managers of the existence and the availability of risk transfer options?
Finch: Any number of cyber insurance policies are available to fund managers. In fact, so many policies are available that some refer to a “Wild West of cyber insurance”. There is little uniformity in these policies. In fact, they can significantly vary in terms of quality and scope of coverage. So fund managers should speak to and work closely with insurance brokers, as brokers immerse themselves in these policies as well as coverage trends. A good broker will lead a fund manager to good policies at appropriate premium rates. Finally, fund managers should consider alternative risk transfer options including statutory safe harbours like the SAFETY Act or well written contractual terms and conditions.
Gillespie: Risk transfer is a little misleading. Yes, you might be financially compensated, but if your reputation has been irreparably damaged, then insurance clearly has not covered it – and how could it? Cyber insurance is on the increase. There has been a proliferation of companies offering to underwrite it and brokers have seen increased interest in uptake, but it’s an immature market and for the most part, confusion reigns. There is inconsistency and it is very hard for prospective insured parties to compare and contrast policies as there is no real benchmark or ‘standard’ kind of policy, since they all vary quite substantially. Cyber insurance doesn’t seem to have weighting in terms of risk to the client being insured, so premiums may not vary even if the applicant’s cyber posture is robust. It’s possible that organisations and insurers going forward will start to look at things like IASME, Cyber Essentials and ISO27001 as a way of risk managing the organisations they insure. Those with ISO27001 will probably pose less of a risk, for example, and this could be reflected in lower premiums. Some insurers are already starting to do this, but not all. It is the maturity lag that is delaying this progress. Cyber crime is also inconsistently reported and investigated, so the statistics on its growth or the resulting cost are really just educated guesses. The UK Home Office, in its report on key findings on cyber crime last year, pinpointed so many areas of challenge for both business and police to deal with that it’s clear there is still so much we don’t know about cyber crime.
Loughlin: Cyber insurance is an emerging insurance market. News stories indicate that between 2012 and 2013, demand for cyber insurance policies rose more than 20 percent amid reports of high profile data breaches. Yet because the market is relatively new and the magnitude of risks is still uncertain, available policies vary widely in scope and coverage. The most comprehensive plans include both direct costs, such as the expense of hiring a forensics firm and notifying customers, as well as indirect costs associated with reputation management. But many plans contain exclusions that need consideration. One plan may exclude employee negligence, while another may refuse to pick up the tab for advanced persistent threats – for example, state-sponsored actors – which is a common and growing form of cyber attack. Cyber insurance may well be a prudent purchase, but the novelty and fluidity of the market calls for a careful review of available plans to find one that fits the needs of each organisation based on its risk profile. The decision of whether and which insurance policy to purchase should be part of the overall cyber security risk analysis.
Leek: While cyber insurance options are available to help organisations with the external costs associated with a security incident response vendor, there are no insurance policies that can protect a fund manager against the reputational damage that will occur during and after a major security issue. Additionally, the costs to morale, brand and distraction from core business operations can be significant – these are the intangible costs to resolving an incident.
FW: What are your predictions for the cyber security landscape over the next 12-18 months? Do you expect fund managers to take increasingly proactive steps to address this issue across their operations?
Loughlin: The pace of change in the cyber security landscape will continue to accelerate. New threats will emerge, perhaps faster than defences can adapt. Governments around the world are recognising this trend and paying increasing attention to cyber security. A 2013 executive order signed by President Obama has spurred the development of a common Framework for Critical Infrastructure Cybersecurity. Meanwhile, the European Parliament has proposed a Cybersecurity Directive which, if adopted, will establish notification requirements and security standards. Financial regulators such as the SEC are increasing their scrutiny of financial cyber security practices. Just as retailers have faced several high profile breaches, the same is likely to occur in other sectors. Cyber security is no longer an extracurricular consideration for prudent fund managers. Today and into the future, it deserves a central spot within any risk management framework.
Finch: The cyber problem will only get worse as time progresses. There is no incentive for attackers to slow down their attacks because of the rate of success and return on investment. So you will see more attacks and increasingly sophisticated attacks that circumvent existing defences. Fund managers will thus have no choice but to be more proactive when it comes to cyber security. They will also need to be reactive, meaning being mindful of attack trends and the likelihood that they will be used against the funds. Simply put, there will be no slowdown and managers are facing a new reality where cyber attacks are an everyday reality.
Gillespie: Nothing material is likely to change in the way most organisations handle security. Having cyber security in a silo, operating in isolation and being under-represented in the boardroom, will lead to more of the same but with greater intensity and frequency. Those organisations and fund managers that manage to shift the security perspective to an organisational imperative and business function – rather than an IT issue – will probably fare better than average. Organisations of all descriptions need to raise their game, but given the amount of financial institutions targeted by persistent attack in the last 12 months, and the rate at which they are growing, then fund managers need an even greater developed sensitivity to the risks. It is no longer just about protection but reporting too. The EU may soon be requiring mandatory reporting – as outlined in the draft EU General Data Protection Regulations – and this is going to shine a huge light on the situation. Businesses have proven to be continually behind the curve and lacking training. We need to see a growing demand for organisational security training, starting with the C-suite, and a growing realisation that tech is never going to solve the problem in isolation. There is no sign that cyber crime is going to do anything other than grow, so those who cannot envision handling their security risk in any way other than how they have always done it are creating their own vulnerabilities. Incorporate security and information security into organisational risk registers and, if your organisation is one of the 70 percent that feels their information security strategy is not fit for purpose, then seek expert advice on remediation.
Leek: Unfortunately, I think that we are just at the beginning of understanding the magnitude of the cyber security challenges to come. Fund managers, as all other organisations, must address the issue head-on in an attempt to get ahead of it before it gets ahead of them. This requires investments and building knowledge in new areas to defend and prepare themselves, but it will be a critical success factor going forward.
Mike Gillespie is the managing director of Advent IM Ltd. He is also director of Cyber Strategy and Research for The Security Institute. Mr Gillespie is a security professional and CLAS (the CESG Listed Advisor Scheme – CESG is the technical arm of GCHQ) consultant of many years’ standing. He can be contacted on +44 (0)121 559 6699 or by email: bestpractice@advent-im.co.uk.
Jay Leek, CISM, CISA, CISSP is the CISO for Blackstone. Prior to joining Blackstone, Mr Leek established, built and headed up global information risk and security programs for Equifax and Nokia. He also acts as an industry adviser for information security organisations and government agencies, and he currently serves on the Board of Directors for Accuvant and the NY Metro ISSA Chapter, as a Board Observer for Cylance and on the Advisory Board for iSIGHT Partners and Risk IO. He can be contacted on +1 (212) 583 5749 or by email: jay.leek@blackstone.com.
Scott Loughlin practices in the area of privacy and cyber security with a focus on transactional and commercial matters. Mr Loughlin represents clients in strategic corporate and commercial transactions involving domestic and international data flows and the use, disclosure, and protection of sensitive data. He also counsels companies in planning for and responding to data incidents. Mr Loughlin is an adjunct professor at Washington Adventist University where he teaches courses on constitutional law and American politics. He can be contacted on +1 (202) 637 5565 or by email: scott.loughlin@hoganlovells.com.
Brian Finch is a partner in Pillsbury Winthrop Shaw Pittman LLP’s Public Policy practice and is based in the Washington, DC office. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40 and by Law360 as one of its ‘Rising Stars’ in Privacy Law in 2014, Mr Finch is a recognised authority on global security matters. He specialises in counselling on regulatory and government affairs issues. He can be contacted on +1 (202) 663 8062 or by email: brian.finch@pillsburylaw.com.
© Financier Worldwide