Hedge funds and alternative credit managers face growing threats from cybercriminals. Government bodies including the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) have introduced new cybersecurity regulations and signaled their intention for more stringent enforcement.
Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit
“Investment advisors and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
If you’ve seen the news about steep fines for cybersecurity breaches, you know the penalties can be severe — not to mention the damage to your brand and reputation. The consequences of even one data breach can result in millions of dollars in fines or even the end of your company.
To prevent such disasters, funds need to ensure their data and confidential information are secure. Unfortunately, what worked ten (or even three) years ago won’t necessarily work today.
Factors that Have Changed the Cybersecurity Landscape
The threat landscape has evolved since the pandemic, and firms must adapt to a changing world. What’s different now compared to a few years ago?
Remote work. When cities locked down due to COVID, employees began to work from home at unprecedented rates. And the easing of lockdowns didn’t stop the remote work wave. While many employees love this flexibility, remote work does create more vulnerabilities for cybercriminals to attack.
Increased cybersecurity activity. Partially due to the upward trend of remote work, companies have seen an increase in the sheer volume of cyberattacks. In fact, over 80% of global organizations surveyed have experienced an increase in cyberthreats since the COVID-19 pandemic.
New leadership in government agencies. Gary Gensler was appointed as SEC Chair in April 2021. Since then, he’s announced his intention to expand the commission’s regulations relating to cybersecurity, noting its importance to national security.
New regulations and proposals from the SEC and FTC. In addition to the FTC making significant updates to its Safeguards Rule, the SEC announced proposed rule changes, including requiring firms to report cybersecurity incidents within four business days, provide a detailed summary of cybersecurity policies and procedures, and likely add staff and technology tools, among other actions.
With these changes, companies can’t use the same cybersecurity playbook they’ve used in the past. And fund managers in particular, can’t afford anything less than diligent cybersecurity measures.
The Great Mystery: What to Prioritize in Cybersecurity
As an alternative fund manager, this much is clear: cyberthreats are on the rise, and cybersecurity practices have never been under more scrutiny. It’s obvious that you need to prioritize the protection of your digital ecosystem, but cybersecurity impacts so many business facets that it can be hard to know where to focus first.
Do you need a financially prohibitive, all-encompassing security solution to protect against the most common cyberattacks? The answer is almost always no. So, what can you do to keep your data — and your clients’ data — safe?
7 Cybersecurity Best Practices to Prevent Data Breaches
and Federal Fines
Learn how asset managers can protect themselves against cybercrime in this white paper.
Cybersecurity Best Practices Checklist
Are you prepared to protect your firm from cybercriminals? Do you have the following cybersecurity best practices in place?
- Multi-Factor Authentication. The verification of a user’s identity with two or more independent credentials. Authenticating with an app or push notification is the safest route.
- Phishing Training and Testing. Train users to identify phishing emails and follow correct protocols. Education combined with testing at regular intervals leads to organizational compliance.
- Endpoint Security. Protecting endpoints (desktops, laptops, mobile devices, etc.) utilized by end users is essential in our remote work environment. Fund managers should combine endpoint protection with monitoring and remediation.
- Infrastructure Security Monitoring. Observe and track security events on essential infrastructure (servers, routers, switches, etc.) to keep production environments up and running. Most firms look to agent-based and probe-based monitoring, often packaged into a Managed Detection, Response and Remediation (MDRR) solution from a reputable provider.
- Vulnerability Assessment. It’s critical to patch known vulnerabilities in your (often robust) tech stack. While vulnerability scanning is essential, the ability to quickly scan, identify, and patch vulnerabilities with a proven process ensures more secure environments.
- Security for Office 365. Secure all applications within Office 365, which holds a bevy of confidential and sensitive information. Look to run an assessment and use optimal setting configurations.
- Incident Response. Incidents are inevitable but having a documented response will save you precious time when an incident occurs. Create documentation that defines roles and actions to be taken by specific representatives, including reporting to external bodies, where relevant.
Want to learn more about this critical topic? Download the whitepaper ‘7 Cybersecurity Best Practices to Prevent Data Breaches and Regulatory Fines’.
Protect Your Firm with Industry Expertise
Implementing the best practices outlined above will put your organization on the pathway to better data security and stronger protection against cybercriminals. If you want to skip the trial and error, working with an expert provider will help ensure the highest level of security and compliance.
At Linedata, we help fund managers bolster their cybersecurity posture and information security with advanced Endpoint Detection and Response (EDR) and Managed Detection, Response and Remediation (MDRR) solutions, plus a broader range of cybersecurity services. With over 20 years as a Managed Services Provider to the alternative funds industry, we offer the solutions, experience, and value to meet your requirements and exceed your expectations.
This blogpost is based on an article that originally appeared in the AIMA Journal, edition 132.
About the author, Don Duclos
Don Duclos has 20 years of Information Security experience at leading financial institutions and technology services providers. Prior to joining Linedata, he led teams in all three lines of defense (within the business line, Information Security, and Internal Audit) at regulated firms, where he frequently engaged with regulators and examiners from the SEC, OCC, FDIC, and FRB. He is the Global Director of Information Security at Linedata Technology Services.