PE Tech Report

What hedge fund CISOs need to consider when appointing a SaaS provider

A couple of years ago, the title Chief Information Security Officer, or CISO for short, was a foreign concept within the hedge fund community. The winds have changed, however, as hedge funds become increasingly targeted by cyber hackers, causing many to hire a CISO to uphold the network integrity of the firm. 

But what exactly should a hedge fund CISO be looking for when assessing the security of a SaaS provider in this fight against cyber sabotage?

Ken MacCuish is ideally placed to shed some light on this. He is the Senior Vice President and CISO at Intralinks, Inc. Prior to this, MacCuish sat on the other side of the fence in his role as Global Head of Information Systems Security at Bain Capital, a private equity fund manager with approximately USD75 billion in AUM. Bain is best known for being a pioneer in value-added investing in the private equity space.  

“I was running the information security programme for five global business units,” says MacCuish. “Although we wanted to adopt best practices internally we were looking towards external providers to help us meet that need. We had an information security programme for a range of internal processes: technical controls, anti-virus software, intrusion detection systems, in addition to internal policies and an auditing programme for managing the information security programme and our vendors.

“Now, in my role as CISO at Intralinks, I look after the firm’s traditional information and security governance programme and policies, technical controls, as well as our Customer Security Assurance programme that interfaces with our customers’ risk programmes to assure them of our security.”

Critical security measures

One of the problems that hedge fund CISOs face today is making sure that the level of certification they put in place to protect their network is commensurate with the size of the firm, and, importantly, the perceived level of threat to a fund’s assets. 

Sure, you can adopt a risk-based methodology, as Intralinks does, and follow an ISO 27001 approach: perform a risk assessment against ISO 27002 and determine what the gaps are. But that is a very costly exercise. ISO 27000 is a series of standards to help organisations manage the security of financial information on behalf of their clients.

“What the industry is starting to discover is that there are some things, given today’s cybersecurity threat landscape that most companies should be doing,” says MacCuish.

“As an example there’s a programme called Critical Security Controls for Effective Cyber Defence. It is a list of 20 controls given in order of their ability to stop successful attacks but it’s not to suggest that managers need to implement all the controls; they can focus on the ones that are most relevant to the size of their organisation. 

“This programme can be used to help firms guard against the kinds of cyber attacks and threat environment of today; the idea being that you apply these controls in this order and you’ll get the best bang for your buck. It’s a very practical approach to reducing a firm’s risk and applying the most effective controls first,” he adds.

These controls were codified by the SANS Institute. The latest version is Version 5, which anyone can download from their website. The Australian Government's Signals Directorate publishes a similar set of controls titled “Strategies to Mitigate Targeted Cyber Intrusions”.

This is a good compromise for hedge fund firms that are acutely aware of the perceived lack of standards when it comes to applying cybersecurity measures; what is suitable for one manager will not necessarily be suitable for another.

For smaller managers, many of whom will not have a CISO on the team, adhering to these Critical Security Controls gives their IT team a way to put good controls in place without specialist security expertise, shoring up their network security and reducing their exposure to the most serious cybersecurity threats that exist today.

The CIA principle

Before highlighting what a hedge fund CISO should look for in their SaaS provider, it is worth understanding exactly what MacCuish is doing to protect Intralinks’ own system security. Making sure that clients’ data is secure at all times is the number one priority, and MacCuish explains that the firm’s approach is based on the CIA principle:

  • Confidentiality 
  • Integrity 
  • Availability 

“With respect to confidentiality, I’m primarily concerned that our customers’ information is only viewed by whom they desire it to be viewed. Regarding integrity, is this the information they put there in the first place? Availability is about ensuring the data is there as and when our customers need it. 

“For every CISO, their number one job is to figure out what matters most to their company; what are the crown jewels that need to be protected? In some firms, they may know what is important but not necessarily how or where to access it. Equally, other firms know where all their information is but have yet to determine what is the most salient to protect. 

“A lot of the work centres around this issue of figuring out what the most important information of the firm is to protect. At Intralinks, where we store clients’ investor information, as the CISO I know what the most important information is, and where it is. That takes a lot of pressure off of managers,” outlines MacCuish.

The next obvious question is, ‘what is Intralinks doing to protect that data? And how do you manage the protection of that data?’

MacCuish confirms that protection comes through an ISO 27001 programme. That gives the firm the framework within which to manage its information risk programme. A number of technical controls are employed to monitor and uphold the security of client data. These typically include:

  • Intrusion detection and prevention 
  • Firewalls 
  • Platform encryption
  • Data access and auditing controls
  • Application security – for example, how secure is the code that has been written to run the application?

“We spend a lot of time focusing on how secure the code is – what’s the risk of any given vulnerability within that code and what can we do to fix that? We also spend a lot of time allowing our clients to audit the platform and allowing them to perform their own testing. 

“I therefore spend a lot of time thinking about what are the controls I have around that environment that houses our clients’ data, what are the risks to the code underpinning the system technology, and making sure that we adhere to the CIA principles referred to above in respect to that data,” confirms MacCuish.

A SaaS provider has to offer usability not just security

This brings us on to what a hedge fund CISO should look for when assessing their vendors. 

When asked what the typical questions and concerns are that CISOs share with Intralinks, MacCuish points out that they aren’t actually asking enough questions, period. 

“My team actually coaches them to ask the right questions for two reasons: we get to educate our customers and we get to differentiate ourselves from the competition. When they come to audit us and they present a 20 point questionnaire we’ll happily fill it out but then we’ll say, ‘Here’s what you should be asking,’ and we provide a more complete questionnaire to them,” says MacCuish. The aim of this exercise is to help Intralinks’ customers better understand what to look for in a vendor.

Therefore, the first assessment a CISO should make is just how willing the vendor is to open themselves up. To what extent are they willing to expose their programme and allow you to audit them? Are you able to test application code, as they do at Intralinks? 

“Smaller managers might not have the in-house expertise so we help them by providing the right kind of questions they should be asking. We use a de facto standard information gathering questionnaire for vendors,” adds MacCuish.

These detailed questions may include the following:

  • How are your networks connected with one another?
  • Are you doing application security testing?
  • How do you know your applications are secure?
  • What’s the programme for testing those applications?
  • Do you have any certifications and how do they make you more secure?
  • Do you have third parties assessing you?

“We have SOC 2 certification that we provide to all of our customers. Any of the big audit firms or third party security firms can come in and try and breach our security, look for ways in etc. We perform our own testing and network security assessments on a regular basis,” notes MacCuish.

He adds that, from his earlier days at Bain Capital, the number one concern when selecting a cloud service provider was usability. Any hedge fund CISO should be aware that it isn’t simply a case of selecting the vendor with the strongest security; the vendor also has to be user-friendly in the functionality on offer, or the tool will not be adopted.

It is probably fair to say that for quant-based funds, choosing the right vendors is even more critical than other types of funds because of the amount of intellectual property – trading algorithms, measurements of market data etc. – they have at their disposal. These funds offer a potential treasure trove of information for cyber hackers. 

“My guess is the SEC is going to start saying, ‘We need you to protect that information in a particular way because if someone gets their hands on that they will have the ability to manipulate the markets,’” suggests MacCuish. After all, the whole point of a targeted attack on a hedge fund is to get inside the minds of those running the strategy. 

Although large systematic funds have the financial resources to protect their IP internally, they must still ensure that any third party vendor delivers the same exacting standards. As MacCuish pointed out earlier, the more open and amenable a SaaS provider is, the more confident a CISO can be that the right level of data security is in place.

Information rights management

One enhancement that Intralinks is currently making to its platform centres on information rights management, or IRM. 

Whereas traditional security protocols only provide information protection behind the firewall, IRM provides document-level protection, which allows users to control and revoke access to the information outside of the firewall.

“Having shopped for usable file sharing tools in the past, I can tell you that one thing all of them lacked was the ability to easily (no plug-ins, no in-house infrastructure) manage the access to a document once the document left the confines of the company network,” says MacCuish.

“Intralinks’ IRM capability provides exactly that capability. All the document owner needs to do is turn IRM on, and the recipient merely needs to authenticate to view the document, which will open in the appropriate application (MS Office, Adobe). Should the document owner decide to rescind a receiver’s access, then the document will become unreadable regardless of whether it is accessed via the Intralinks web interface or has already been downloaded to the receiver’s own computer.”
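The behaviour MacCuish describes (the recipient authenticates to open, the owner can revoke, and a copy already downloaded then becomes unreadable) is easiest to see in a small model. The Python below is an added illustration written for this article, not Intralinks’ code; the article does not describe the product’s actual protocol. The model assumes a key server that holds each document’s key and releases it only to an authenticated principal who is still on the owner’s grant list, so the downloaded file carries no key of its own. The names, tokens and document contents are constructed for the example, and the SHA-256 counter-mode stream with an HMAC tag is used only so the example runs on the standard library; it is not a production construction.

```python
"""Toy model of document-level information rights management (IRM).

Constructed illustration, not Intralinks' code. The downloaded blob holds
only ciphertext, a nonce and an integrity tag; the key lives on the key
server, so revoking a grant makes every copy unreadable at the next open.
"""
import hashlib
import hmac
import secrets

# Constructed credentials for the example; a real deployment would use the
# provider's identity service rather than shared tokens.
TOKENS = {"alice": "alice-token", "bob": "bob-token"}


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the document key."""
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream (illustrative cipher, not for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


class KeyServer:
    """Holds per-document keys and the owner's current access grants."""

    def __init__(self, tokens):
        self._tokens = dict(tokens)
        self._keys = {}    # doc_id -> document key
        self._grants = {}  # doc_id -> principals currently allowed the key

    def _authenticate(self, principal: str, token: str) -> bool:
        expected = self._tokens.get(principal)
        return expected is not None and hmac.compare_digest(expected, token)

    def register(self, doc_id: str, key: bytes, owner: str) -> None:
        self._keys[doc_id] = key
        self._grants[doc_id] = {owner}

    def grant(self, doc_id: str, recipient: str) -> None:
        self._grants[doc_id].add(recipient)

    def revoke(self, doc_id: str, recipient: str) -> None:
        # Only the server changes; the recipient's downloaded copy is untouched
        # but can no longer be opened because the key is no longer released.
        self._grants[doc_id].discard(recipient)

    def fetch_key(self, doc_id: str, principal: str, token: str) -> bytes:
        if not self._authenticate(principal, token):
            raise PermissionError("authentication failed")
        if principal not in self._grants.get(doc_id, set()):
            raise PermissionError("access revoked or never granted")
        return self._keys[doc_id]


def protect(server: KeyServer, owner: str, doc_id: str, plaintext: bytes) -> dict:
    """Turn IRM on for a document: encrypt it and park the key on the server."""
    key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    server.register(doc_id, key, owner)
    # This dict is what a recipient downloads; it contains no key.
    return {"doc_id": doc_id, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_document(server: KeyServer, blob: dict, principal: str, token: str) -> bytes:
    """Viewer behaviour on open: authenticate, fetch key, verify integrity, decrypt."""
    key = server.fetch_key(blob["doc_id"], principal, token)
    expected = hmac.new(_subkey(key, b"mac"), blob["nonce"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("document tampered with")
    stream = _keystream(_subkey(key, b"enc"), blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


def _outcome(fn) -> str:
    try:
        fn()
        return "readable"
    except PermissionError:
        return "unreadable"
    except ValueError:
        return "rejected"


def demo() -> dict:
    """Share, open, tamper and revoke a constructed memo; return each outcome."""
    server = KeyServer(TOKENS)
    memo = b"Q3 allocation: 40% credit, 60% equities"  # constructed content
    blob = protect(server, "alice", "deal-memo-1", memo)
    server.grant("deal-memo-1", "bob")
    results = {"bob_reads": open_document(server, blob, "bob", "bob-token")}
    results["stranger"] = _outcome(lambda: open_document(server, blob, "eve", "eve-token"))
    results["wrong_token"] = _outcome(lambda: open_document(server, blob, "bob", "nope"))
    altered = dict(blob, ciphertext=bytes([blob["ciphertext"][0] ^ 1]) + blob["ciphertext"][1:])
    results["tampered"] = _outcome(lambda: open_document(server, altered, "bob", "bob-token"))
    server.revoke("deal-memo-1", "bob")  # owner rescinds access after the download
    results["bob_after_revoke"] = _outcome(lambda: open_document(server, blob, "bob", "bob-token"))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The point of the model is the last step: nothing is deleted from Bob’s machine, yet his copy is unreadable because the viewer cannot obtain the key once the grant is gone. The same structure also shows why the integrity check matters for the “I” of the CIA principle: a modified copy is rejected rather than silently decrypted to garbage.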

By way of a closing remark, MacCuish offers the following advice to hedge fund CISOs:

“Firstly, what is important to your business? Resist panicking and executing any security framework, and take the time to figure out what is right and specific for your firm. Secondly, make sure you are being secure, not just compliant. SEC guidelines are good and should be considered, but they need to be applied and measured in a risk-adjusted way.”
