This post was originally posted on FundFire.

 

As asset managers embrace video conferencing to boost connectivity among their remote workforces, firms have had to factor the cybersecurity risks associated with these technologies into their threat-mitigation plans.

In recent weeks, video conferencing system Zoom attracted the attention of government workers, private sector employees and students after reports of video hackers surfaced. Security concerns led the U.S. Senate to warn its members not to use the popular video conferencing platform. Cybersecurity experts now say that asset managers should review best practices around using all video conferencing platforms, not just Zoom, in order to better protect sensitive information.

Manning & Napier reemphasized cybersecurity best practices after the COVID-19 pandemic forced staff to pivot to a remote work environment, says chief technology officer Chris Briley.

The firm’s efforts include evaluating the level of encryption offered by a video conferencing platform, along with its data and privacy policies, to better determine what types of information employees can discuss on or upload to that platform, he explains.

“You need to be very thoughtful and deliberate about … when to share information,” Briley says. “Firms that are using Zoom and possibly discussing confidential matters or intellectual property … if that level of information were to be leaked or hacked, if you will, that’s certainly going to have a ramification for a firm.”

Many asset managers may not have had time to put cyber-policies in place for video conferencing since they shifted to a remote work structure within a short period of time, says Mark Gilroy, CEO of encryption specialist firm Fornetix.

“I think the whole thing is a shocker in that within a week we all had to be running out the door doing our jobs,” Gilroy says.

Employees are using a mix of personal and business devices, creating an environment that’s ripe for scammers to take advantage of people, says Paige Schaffer, CEO of global identity and cyber-protection services at Generali Global Assistance. There has been an uptick in the number of phishing scams, where bad actors disguise themselves as a trustworthy electronic contact to steal sensitive information, she says.

There have also been instances where hackers infiltrated calls, says Ray Hillen, managing director of cybersecurity at consulting firm Agio.

“There have been bugs with the video aspect of Zoom and [other video conferencing platforms] where a bad actor could take over the camera,” he says. “Some of the risks can be with the encryption — the protection of the privacy of the communication itself and the data stream.”

Hillen has also seen cases where bad actors entice video call participants to click on a link in order to gain access to a workstation’s username and credentials.

With asset managers, the cybersecurity risks associated with video conferencing are particularly concerning because many firms have regular morning investment meetings, he says. The code for the conference meetings is often stored in an email or invite that could be passed around, and there isn’t always a way to determine who’s listening in on these video calls, he explains. Agio has tested the security of its clients’ morning investment meetings by attempting to join these calls and has had varying degrees of success.

Having a bad actor listening in on investment meetings can be dangerous because firms will often discuss market positions and strategy in great detail, Hillen says. Hackers can also pull sensitive information from shared documents and presentations from the video conference if the platform is not secure, he warns.

“[Reputational risk] is possible,” Hillen says. “I think this is going to become a future due-diligence question for the investors as they look to invest in funds.”

Depending on the size of the firm, asset managers should appoint a chief operating officer or chief technology officer to take responsibility for these cybersecurity issues, according to Hillen. They should be reviewing the configuration parameters, disabling certain features, and enabling things like multi-factor authorization, he says. For extra safety, asset managers should distribute video conferencing IDs and passwords via two different methods, he adds. For example, if the conference ID is sent in an email, the password should be sent over a different messaging platform used by the firm.

The takeaway is that not all platforms are the same and security features change often, so asset managers should review a video conferencing platform’s features at least once a quarter, Hillen says.

Further, managers should deploy a trusted virtual private network (VPN), according to Gilroy. Less than 14% of the U.S. uses a VPN, which along with quality antivirus software could increase a firm’s crypto-hygiene level exponentially, he says.

“The bad guys are out there running as fast as they can to get as much information as possible as early as they can because there’s such a level of chaos out there,” Gilroy says.