Why cybersecurity governance is essential for institutional investors

Historically, cybersecurity protocols have primarily focused on incident prevention. While prevention is critically important, firms are beginning to recognize there is no bulletproof method to thwart potential attacks, especially as bad actors become increasingly adept at evasion techniques that fool cyberdefenses and mask their attacks. In response, there’s been a significant shift toward incident detection and response — Gartner Inc. estimates that enterprise information security budgets will more than double their allocation for rapid detection and response programs over a five-year period ending in 2020. An effective incident response plan is key to effectively protecting sensitive data and assets.

An incident response plan must also be regularly updated and tested to address any changes across data assets, systems, personnel and legal mandates. To ensure accuracy, cybersecurity governance teams will require the active participation of executives across technology, legal, human resources, investor relations, compliance and risk management departments. It is essential that everyone has a seat at the table, shows up and takes their role seriously. Without these pillars of change management, a firm’s IR plan can quickly collapse.

Notably, incident response plans should cover:

• Securing data through necessary patches or fixes, testing for any gaps in the security process simultaneously.
• Developing an accurate data map, which enables you to quickly detect if financial information, Social Security numbers, medical records and other personal information were exposed.
• Detailing who is on the incident response team, what their responsibilities are, how the scope of a breach is determined, how to notify clients and investors, how to meet legal and compliance requirements, and how to manage internal and external communications.

A cybersecurity program’s efficacy is highly correlated to the rigor applied to governance. A core tenet of governance is regular risk reviews and protocol meetings with key stakeholders and executives. Mandating consistent updates, reviews and meetings with senior members of the firm, including C-suite executives, directors, vice presidents and portfolio/hedge fund managers, is critical to this process. These meetings need to be structured with a formal agenda, including post-meeting action and remediation plans so participants can start to see and feel the value and progress being made.

To meet the growing cybersecurity needs at institutional investment firms, consider scheduling risk reviews and cybersecurity updates. Hold monthly meetings with key stakeholders at the firm (senior leaders and managers): IT, operations and cybersecurity teams should update senior leaders and managers on risk assessments in progress, data mapping exercises and incident response plans, as well as discuss any budgetary needs or upcoming training sessions across the firm. Also, hold quarterly meetings with executive team: IT and information security staff should provide executives with a comprehensive brief about any updates to cybersecurity programming and identified risk areas requiring critical oversight. Additionally, there should be a threat intelligence review so that stakeholders understand what cyberthreats their competitors are encountering with the aim for technical staff to weigh in and discuss necessary steps for the organization to execute in order to shore up their own defenses.

Building on their incident response plan and risk reviews, its imperative that firms regularly test their cyber protocols to ensure they function in the way they were designed. Even the most mature and sophisticated plans are only effective if they’ve been sufficiently tested. Neglecting to do so allows potential shortcomings or blind spots to go completely unaddressed, creating vulnerabilities for bad actors to exploit in potential attacks.

In particular, firms should undertake the following tests:

• Penetration tests — simulated cyberattacks to evaluate security protocols.
• Phishing tests — assessments to review the ability to recognize and report phishing emails.
• Vulnerability tests — thorough review of potential cyber weaknesses within company network.
• Tabletop exercises — mock IR exercises for key personnel to review their responsibilities in the event of an attack.

Each of these assess different parts of a firm’s cyber preparedness to provide essential assurances that the systems programs, and protocols firms have put in place are effective.

For institutional investors, a firm’s network is only as secure as the networks of its vendors. The most noteworthy and evocative example of this issue is the Target data breach that transpired in 2013, when bad actors accessed sensitive data through the stolen network credentials of Target’s HVAC vendor. According to recent research, 63% of all data breaches start with a vendor’s cybersecurity vulnerabilities, but only half (52%) of firms have formal security standards for third-parties.

Financial services firms often work with almost 100 vendors — all of which have varying degrees of cyber preparedness and present different degrees of risk depending on the data they have access to/store. Considering the pronounced risk they present, it is critical that firms categorize vendors accurately based on their risk profile and cyber readiness and, in turn, apply the appropriate level of rigor to each. Some critical vendor security tasks include: performing a robust annual vendor assessment, conducting real-time threat analyses and tracking ongoing vendor monitoring, all of which should ascertain each individual vendor’s systematic capacity for identifying potential and existing threats, protecting against standard attack vectors, detecting data breaches, responding to attacks and planning for asset recovery.

If your home or office were burglarized, your first step would be to call the police. But, what if your hedge fund is the victim of a cyberattack? Do you dial 911? The local police department? The FBI? How about the SEC? The fact that this question confounds so many institutional investors is indicative of the importance of proactive planning.

As a result of such confusion, amid other concerns of accountability and reputation damage, cyberattacks are grossly underreported. In fact, the FBI Internet Crime Complaint Center estimates that 10% to 12% of cybercrimes committed in the U.S. are reported each year. Such lackluster reporting emboldens hackers, while precluding firms from gaining the critical threat intelligence they need to curtail major industry threats and vulnerabilities.

These attacks do not happen in a vacuum and it is essential institutional investors form partnerships with state and local law enforcement, local FBI and Secret Service field offices, and the SEC, before a cyberincident occurs. If relevant authorities are familiar with one’s business, and the firm is familiar with their typical approach, this awareness can save critical time during incidents where their support is required. Such relationships also provide another source of cyberthreat intelligence, tapping into resources outside of firm walls to recognize threats and take preventive measures accordingly.

Institutional investors should also consider joining the Financial Services Information Sharing and Analysis Center, which supports cybersecurity teams by sharing insights via conference calls, webinars, summits and interactive training sessions.

Bart McDonough is CEO and founder of Agio, New York, a hybrid cybersecurity and managed IT organization. This content represents the views of the author. It was submitted and edited under Pensions & Investments guidelines, but is not a product of P&I’s editorial team.