This post was originally posted on FundFire.


Hedge funds and alternative investment firms need to take a proactive approach to cybersecurity, given the “numerous weaknesses” in the Commodity Futures Trading Commission’s (CFTC) data protection and storage capabilities revealed in a recent Inspector General audit.

While the agency has longer-term tactics in place to improve its data protection, including its “LabCFTC 2.0” initiative and a multi-year cloud strategy, the agency and the firms it regulates need to take action to avoid breaches in the short term.

We’ve called out some tactics that both the CFTC and reporting investment firms can apply to secure their data.


1) Apply Modern Data Mapping in Government Agencies

The Inspector General’s audit notably highlighted flaws within the CFTC’s Integrated Surveillance System, which accumulates data on the positions hedge funds and other big traders take in the commodity markets so the agency can monitor daily market activity, price correlations, and other notable supply and demand factors.

While the CFTC may have a general understanding of the data it holds, the commission must detail where and how it stores each dataset, as well as the dataset’s intended lifecycle up to permanent deletion. Organizations that fail to dispose of sensitive data in a routine and regimented manner present a compelling target for criminals, because data related to payments and cash flows retains value outside the organization that collected it.

The security professionals selecting tools and technology to cover this exercise should also consider how quickly their process can scale, to accommodate future data volumes and IT innovations.


2) Install ‘Smarter’ Data Protection Measures

Cybersecurity risk within the CFTC isn’t limited to large databases. Standard office tools and software can also be exposed to more modern threats.

Should the CFTC secure a larger budget for cybersecurity protection, it should look into automated security that canvasses all these areas. Tools like ‘smart’ firewalls, for example, have the inherent ability to detect changes in threat levels in near-real-time and adjust their security controls accordingly.

The commission should support these tools with a scoring system that weighs different risks based on a broader combination of factors, including vulnerability to a specific type of risk, the age of this vulnerability, the probability that a bad actor could exploit it, the value of the data being compromised, the efficacy of existing controls and the required outcomes.
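As an added illustration (not code from the original article, the CFTC or any vendor) of the scoring system the paragraph describes, the block below weighs each finding by the factors the text names: the severity of the vulnerability type, how long it has been open, the probability that an attacker could exploit it, the value of the data at stake, and how well existing controls mitigate it, then maps the score to a required outcome in the form of a remediation deadline. All weights, findings and deadlines are constructed for the example.

```python
"""Weighted risk-prioritisation score for vulnerability findings.

Added example, not the article's or the CFTC's own code. Every weight,
finding and remediation window below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed weights: each factor's share of the total score (they sum to 1).
WEIGHTS = {
    "severity": 0.30,
    "age": 0.15,
    "exploit_probability": 0.25,
    "data_value": 0.20,
    "control_gap": 0.10,
}


@dataclass
class Finding:
    name: str
    severity: float             # 0..1, e.g. a CVSS base score divided by 10
    age_days: int               # days the vulnerability has been known and open
    exploit_probability: float  # 0..1, e.g. taken from threat intelligence
    data_value: float           # 0..1, business value of the data exposed
    control_efficacy: float     # 0..1, how well existing controls mitigate it


def age_factor(age_days: int, saturate_at: int = 180) -> float:
    """Older open vulnerabilities score higher; the effect saturates at `saturate_at` days."""
    return min(max(age_days, 0), saturate_at) / saturate_at


def score(f: Finding) -> float:
    """Weighted risk score on a 0..100 scale, rounded to one decimal."""
    factors = {
        "severity": f.severity,
        "age": age_factor(f.age_days),
        "exploit_probability": f.exploit_probability,
        "data_value": f.data_value,
        "control_gap": 1.0 - f.control_efficacy,  # weak controls raise the score
    }
    return round(100 * sum(WEIGHTS[k] * v for k, v in factors.items()), 1)


def remediation_days(s: float) -> int:
    """The 'required outcome': a constructed remediation SLA keyed on the score."""
    if s >= 70:
        return 7
    if s >= 40:
        return 30
    return 90


def prioritise(findings):
    """Return (score, deadline_days, finding) tuples, highest risk first."""
    ranked = [(score(f), remediation_days(score(f)), f) for f in findings]
    return sorted(ranked, key=lambda t: t[0], reverse=True)


# Constructed sample findings (hypothetical systems, not taken from the audit).
SAMPLE_FINDINGS = [
    Finding("Verbose error pages on internal wiki", 0.2, 30, 0.1, 0.2, 0.9),
    Finding("Unpatched injection flaw in position-ingest API", 0.9, 120, 0.8, 1.0, 0.2),
    Finding("Outdated office suite on analyst laptops", 0.5, 400, 0.3, 0.4, 0.7),
]


if __name__ == "__main__":
    for s, days, f in prioritise(SAMPLE_FINDINGS):
        print(f"{s:5.1f}  fix within {days:2d} days  {f.name}")
```

The point of separating the factor table from the weights is governance: the weights are a policy decision that the risk-review stakeholders the next paragraphs describe can inspect and revise, while the per-finding inputs come from the technologists.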

Another approach would involve testing database security and the individuals maintaining it. “Grey-hat hacking,” for example, allows the commission to assign a third-party expert to attempt to breach its defenses. A successful infiltration, followed by analysis of how it was achieved by cybersecurity experts, would provide the intelligence needed to build custom controls that better protect the organization’s databases.

Critically, the efficacy of cybersecurity and data protection is also determined by the rigor with which governance is applied. Key stakeholders and executives across the entire commission – not just technologists – should play a role in regular risk reviews and protocol meetings to ensure proper application of cybersecurity policies.


3) Improve Vendor Security Vetting Processes

Hedge funds and alternative investment funds stand among the highest-value targets for cyber criminals because they concentrate client capital, personal information, account information and key asset details. As such, it’s critical to double down on one’s own approach to managing partners, vendors and other entities with which confidential information is shared. A fund may work with several vendors, each with its own risks and varying degrees of cyber hygiene, depending on the data it has access to.

Any software purchased or licensed from a third party should also be equipped with some means of automated anomaly detection, a mechanism that sends an alert to relevant parties whenever it detects strange behavior.
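To make the anomaly-detection mechanism concrete, here is an added example (not code from the article or any vendor product) that works through a constructed activity log for a vendor service account. It flags two kinds of strange behaviour a fund would want alerted on: an hourly data-export volume far above the account's own recent baseline, and access from a source network never previously seen for that account. The log format, account names, networks and thresholds are all assumptions made for the example.

```python
"""Baseline-and-deviation anomaly detection over vendor-account activity.

Added example, not the article's or any vendor's code. The log lines,
account names, networks and thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed log: timestamp, vendor account, source network, records exported.
# 203.0.113.0/24 is a documentation range used here as a never-before-seen source.
LOG_LINES = """\
2024-03-04T09:00 vendor-recon-svc   10.20.0.0/16   1200
2024-03-04T09:30 vendor-billing-svc 10.30.0.0/16   300
2024-03-04T10:00 vendor-recon-svc   10.20.0.0/16   1150
2024-03-04T10:30 vendor-billing-svc 10.30.0.0/16   310
2024-03-04T11:00 vendor-recon-svc   10.20.0.0/16   1180
2024-03-04T12:00 vendor-recon-svc   10.20.0.0/16   1220
2024-03-04T13:00 vendor-recon-svc   10.20.0.0/16   1190
2024-03-04T14:00 vendor-recon-svc   10.20.0.0/16   1210
2024-03-04T15:00 vendor-recon-svc   10.20.0.0/16   1170
2024-03-04T16:00 vendor-recon-svc   10.20.0.0/16   1230
2024-03-04T17:00 vendor-recon-svc   10.20.0.0/16   1205
2024-03-04T18:00 vendor-recon-svc   10.20.0.0/16   48000
2024-03-04T19:00 vendor-recon-svc   203.0.113.0/24 1210
"""


def parse(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, network, count = line.split()
        events.append({"ts": ts, "account": account,
                       "network": network, "count": int(count)})
    return events


def detect(events, baseline_size=8, z_threshold=3.0):
    """Replay events in order and return alert records for anomalies.

    A volume alert fires when an account's export count exceeds its mean
    over the last `baseline_size` normal observations by more than
    `z_threshold` standard deviations. Flagged counts are kept out of the
    baseline so a spike cannot normalise itself. A network alert fires the
    first time an account is seen from a network not in its history.
    """
    history = defaultdict(list)      # account -> recent normal export counts
    seen_networks = defaultdict(set)  # account -> source networks observed
    alerts = []
    for e in events:
        acct, hist = e["account"], history[e["account"]]
        # Rule 1: new source network (skipped on the very first event for an account).
        if hist and e["network"] not in seen_networks[acct]:
            alerts.append({"ts": e["ts"], "account": acct, "rule": "new_network",
                           "detail": f"first access from {e['network']}"})
        seen_networks[acct].add(e["network"])
        # Rule 2: volume spike relative to the account's own baseline.
        spike = False
        if len(hist) >= baseline_size:
            window = hist[-baseline_size:]
            mean = statistics.mean(window)
            sd = statistics.pstdev(window) or 1.0   # guard a flat baseline
            z = (e["count"] - mean) / sd
            if z > z_threshold:
                spike = True
                alerts.append({"ts": e["ts"], "account": acct, "rule": "volume_spike",
                               "detail": f"{e['count']} records, z={z:.1f} vs mean {mean:.0f}"})
        if not spike:
            hist.append(e["count"])
    return alerts


def run():
    """Convenience entry point: detect over the constructed log."""
    return detect(parse(LOG_LINES))


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['ts']} {a['account']} [{a['rule']}] {a['detail']}")
```

Note the warm-up behaviour: `vendor-billing-svc` has only two observations, fewer than the baseline window, so it produces no volume alerts yet; a real deployment would page the relevant parties from the alert list rather than printing it, but the detection logic is the same.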


4) Task AITEC to Campaign for Updates to the CFTC’s Systems

Engaging the collective influence of the Alternative Investment Technology Executives Club (AITEC) to lead industry dialogue with the CFTC will put a more unified and influential voice behind calls for more cybersecurity spending within the agency.

AITEC has more than 400 members across 300 firms and six countries, representing the collective interests of buy-side alternative investment firms with more than $4.2 trillion in combined assets under management as well as the added perspective of 25-plus members from independent sell-side firms.

Issuing a regulator-facing equivalent of AITEC’s Illustrative Questionnaire for Due Diligence of Vendor Cyber Security, for example, would be one step toward having a constructive dialogue – one that can lead to a more stable foundation for data protection and a safer future.