In 2018, there were over 1200 publicly disclosed security breaches globally, with the number of exposed records more than doubling from 197.6 million in 2017 to 446.5 million last year, as reported by Fortune. The number and scale of attacks has been rising year-on-year for the past decade and, with the General Data Protection Regulation (GDPR) now in force in Europe, the number of reported breaches is likely to continue rising.
With the cloud environment becoming a ubiquitous feature of the fund management industry as managers seek to benefit from scale and efficiency gains, the migration into cyberspace has increased the threat of data breaches. Over 1.4 billion records were lost to data breaches in March 2017 alone, many of which involved cloud servers, according to Tripwire. Insecure APIs are one way for cybercriminals to exploit cloud security, as are poor vendor selection and oversight.
“There is a lack of understanding of how to properly secure a cloud-based environment, which is providing a driving force for a lot of the larger breaches we’ve seen over the last 12 months,” comments Jed Gardner, Vice President, IT at Linedata.
The problem is not that companies don’t know what they are doing. They either leave a lot of the cloud security to development operations teams, or they go with providers who may or may not have a full understanding of what they are looking to accomplish. Moreover, a lot of cloud providers like to perpetuate the “all or nothing” model, assuring clients they can fully contain security risks within their own private cloud environment, all the while ignoring the benefits of partnering with public cloud providers led by Microsoft and Amazon.
The Linedata Gravitas Private Cloud team takes operational risk extremely seriously and applies an active, intelligence-driven approach to security. The single tenant architecture leverages industry-leading technology from Cisco, NetApp and VMware, and can be used to support the needs of fund managers of all sizes. Security is a constant focus at Linedata: from third party and proprietary application hosting to disaster recovery and cloud backup, the aim is to maintain each client’s security posture as robustly as possible at all times.
A key part of this is how Linedata thinks about vendor risk.
In the view of James E, who leads Linedata’s Security Consulting practice, one of the biggest problems that persists today is a genuine lack of understanding related to vendor and third-party risk. It is critical to be able to understand and support anything your clients are looking to do, and this process starts with vendor selection.
It is not the fault of any one vendor but is more a systemic problem in the way companies approach it. A hedge fund manager will send a detailed due diligence questionnaire (DDQ) with 400 data points and assume it’s going to solve all their problems. However, a completed DDQ, no matter how detailed, will not provide clarity into the risks or potential problems that might arise with a particular vendor.
Linedata steers clear of this. The modus operandi to minimise cloud operational security risk is to use active intelligence to assess vendor risk and to let the numbers do the talking; something any CCO or CFO would doubtless welcome.
The DDQ is subjective in nature. You need objective, quantifiable data and that is the Linedata approach to risk management, both as a company and regarding its clients. This includes social media exposure, reputational risk, legal risk, technical vulnerabilities, etc.
“Some of the client assessments we have carried out revealed people have limited understanding of who their vendors are. One client Linedata visited thought they had 13 different vendors. Having advised the CFO to go through every vendor they had paid for the past two years, it was quickly concluded that in fact they had 47 different vendors,” reveals James.
Fourth party risk
The point of security is to provide the client with actionable intelligence and to explain it in such a way that they can make their own informed decisions. Rather than make suggestions to clients on vendor selection, Linedata will present them with a point in time, which shows whether their security posture is improving or not, month after month, year after year.
James has an intelligence background, providing a sound understanding of what to look for when assessing vendor risk on the Linedata Gravitas Private Cloud. Using the information-gathering skills he has refined in an operational intelligence capacity, James, together with the Cloud and Cybersecurity Consulting team, evaluates all publicly available filings, any dark net exposure from breaches, fraud alert identifiers and other data sources to find as much information on companies as possible.
The reason for doing this is to limit the operational risks that result not from third party risk but fourth party risk; this is a key differentiator in terms of how Linedata thinks about cloud security.
“There are some unique third parties that clients work with, but there is also overlap not only between clients, but between one client vendor and another vendor for the same client. Third party vendor risk is something people are beginning to understand, but what about the fourth party risk or the risk that bleeds over when two or more vendors of one client rely on the same company or service? If that vendor’s vendor presents a risk, it stands to reason the client will be subject to the same risk from any one of their vendors using the impacted service,” explains James.
This is not something that can be uncovered with a DDQ alone. By applying an array of intelligence techniques and tightly integrating new technology tools into the platform, Linedata can make the conversation easier for all parties concerned, using metrics that everyone can understand.
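The shared-dependency situation described above can be made concrete by treating the client’s vendor relationships as a small dependency graph and asking which upstream services are relied on by more than one vendor. The script below is an added illustration, not Linedata’s own tooling or method; the vendor and service names are constructed, and the `blast_radius` metric (share of a client’s vendors that depend on one upstream service) is an assumed, simple way of expressing fourth-party concentration as a number rather than a narrative.

```python
"""Fourth-party exposure: find upstream services that several of a client's
vendors rely on and rank them by how many vendors a single incident there
would affect. Added illustration; all vendor and service names are constructed."""
from collections import defaultdict

# Constructed sample data (fictional names): each direct third-party vendor
# mapped to the upstream services (fourth parties) it depends on.
VENDOR_DEPENDENCIES = {
    "OrderMgmtCo": {"CloudHostA", "EmailGatewayB"},
    "ReportingCo": {"CloudHostA", "DataFeedC"},
    "BackupCo": {"CloudHostA"},
    "CRMCo": {"EmailGatewayB", "DataFeedC"},
    "PayrollCo": {"HRPlatformD"},
}


def fourth_party_exposure(vendor_deps):
    """Invert the graph: upstream service -> set of vendors depending on it."""
    exposure = defaultdict(set)
    for vendor, services in vendor_deps.items():
        for service in services:
            exposure[service].add(vendor)
    return dict(exposure)


def shared_fourth_parties(vendor_deps, min_vendors=2):
    """Return [(service, sorted vendor list)] for services used by at least
    `min_vendors` vendors, most widely shared first. A DDQ sent to each vendor
    in isolation does not surface this overlap; the inverted graph does."""
    exposure = fourth_party_exposure(vendor_deps)
    shared = [(svc, sorted(vendors)) for svc, vendors in exposure.items()
              if len(vendors) >= min_vendors]
    shared.sort(key=lambda item: (-len(item[1]), item[0]))
    return shared


def blast_radius(vendor_deps, service):
    """Assumed metric: fraction of the client's vendors that depend on
    `service`, i.e. how much of the vendor base one upstream incident hits."""
    if not vendor_deps:
        return 0.0
    affected = fourth_party_exposure(vendor_deps).get(service, set())
    return len(affected) / len(vendor_deps)


if __name__ == "__main__":
    for service, vendors in shared_fourth_parties(VENDOR_DEPENDENCIES):
        print(f"{service}: shared by {len(vendors)} vendors "
              f"({', '.join(vendors)}); blast radius "
              f"{blast_radius(VENDOR_DEPENDENCIES, service):.0%}")
```

Running it lists CloudHostA as the most concentrated fourth party (three of five vendors depend on it), which is the kind of single quantifiable figure the article argues is more useful to a CCO or CFO than a stack of questionnaire answers. Feeding the same structure with month-by-month snapshots would show whether that concentration is improving or worsening over time.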
“In the alternative fund management space especially, people like to see numbers. They don’t want to be burdened with verbiage and detailed reports – they just want the hard facts based on quantifiable data,” emphasises Gardner.
Linedata is driven across all avenues of security and risk management to make things more objective: providing actionable intelligence and sustainable metrics that clients can use to make informed decisions.
In the current regulatory landscape, actionable intelligence and sustainable metrics are where Linedata sees everything trending.
In the last few years, it is less that cyber breaches have evolved and more the fact that people’s perceptions have changed. In short, there is markedly more situational awareness of the threats, as fund managers migrate key parts of their business operations into the cloud and C-suite executives begin to take more ownership.
As an example of how firm leadership’s views on the importance of security have changed, the Linedata team recently visited one client to explain this concept of third- and fourth-party risk analysis using an intelligence-led approach, for which they spent six hours with one of the senior principals. “Our aim is to get across these issues to C-level executives within fund management groups – the CCO, CIO – and we are engaging with them today at a level not previously seen,” explains Gardner. “We believe our approach is gaining traction as senior leaders increasingly view cybersecurity as a core measure of firm-wide risk.”
Most vendor risk programmes are designed to monitor risk through DDQs and other methods of self-attestation, lacking both transparency and defined, actionable metrics. Transitioning from subjective self-assessments to objective and actionable operational intelligence is an important and growing trend.