Just a decade ago, the cyber threat landscape was far less pronounced, but thanks to significant advances in IT, mobile technology and digital platforms, the threat of cybercrime has grown exponentially and poses risks across the global industry and for national critical infrastructure (power stations, hospitals, dams, financial services).
As managers in the financial services industry increasingly adopt digital technologies, they increase the number of attack surfaces and weakness points within their networks. As a fund manager introduces a new counterparty into their network, the exact increase in risk is unknown but it may likely be substantial.
“Unless you are running a shutdown, fully closed network environment, the reality is you are always going to have the risk of someone trying to gain access to your network,” says Mark Coriaty (pictured), Chief Strategy Officer, Eze Castle Integration.
“That said, when you look at the different technologies that exist today – next generation firewalls, endpoint protection, active threat protection – there are many ways to keep on top of cyber risk. These layers of protection can be enhanced by real-time monitoring by security analysts. Companies that operate a security operations centre (SOC) can bring a human level of interaction too. They will proactively monitor for active threats across thousands of networks, which gives them an advantage in identifying and preventing intrusions. ”
Outsourced providers: Proactive not reactive
Due to the breadth and depth of cyber-attacks today, the vast majority of alternative fund managers simply do not have the ability to manage and mitigate cyber threats internally.
Seven or eight years ago following the financial crash, the introduction of new regulations (Dodd-Frank, AIFMD) forced the CFO into becoming a CCO and/or a COO.
Multitasking was possible in terms of getting a handle on compliance rules, but when one jumps into cybersecurity, it is a highly dynamic, technical role that one needs to be on top of at all times. It is generally not something that a C-level exec can take on as additional work, as the CFO once did for compliance.
“Outsourcing the role of the Chief Information Security Officer (CISO) is highly recommended to our clients: they can either use us or a third party, but either way, it has become a vital role,” suggests Coriaty.
He says that the best way to look at outsourcing is, ‘How do I get a third party who will be proactive with both my maintenance and cybersecurity needs?’
A lot of times, those who handle things internally tend to become reactive. They put a solution in place and review things, say, on a quarterly basis, whereas an outsourced provider will be reviewing cyber threats on a daily basis, installing updates. When the WannaCry incident took place last month, Coriaty says that Eze Castle had to be on top of it in real time, as it played out.
“Someone at a fund management group might not necessarily be able to do that, especially if it happens over the weekend. So in my view, outsourcing is proactive whereas insourcing is reactive,” comments Coriaty.
The logical argument for outsourcing is quite clear. Why would firms want to spend time and capital constantly updating software license agreements and system capabilities, monitoring activity, and managing permissions and internal access to data, when the alternative is to hand it over to a specialist? One who spends every working minute keeping on top of cyber developments and who can bring the benefits of scalability to bear.
A good example of this is third-party active threat protection service providers. Firms such as Eze Castle Integration, for example, can closely monitor different ransomware, viruses, and penetration activity across thousands of different endpoints and look to apply updates to their endpoint sensors to prevent anything nefarious from getting into their clients’ networks.
“If you are trying to insource that, you are basically hoping that your endpoint sensors are good enough, rather than being proactive. Putting together solutions takes considerable time. There are probably five or six components that go into a security bundle, and making sure that you do that properly really should be left to the experts.
“We constantly monitor, evaluate and rollout as appropriate all of the various updates; these could be standard updates or critical updates. It’s important to put together a schedule with the client to ensure that we are monitoring everything and that we are notifying them when and if necessary, especially for things like new patches, given the WannaCry incident,” explains Coriaty.
WannaCry & patch management
This was an intriguing attack and one that demonstrated that failure to keep IT systems up-to-date has the potential to cause real disruption to critical infrastructure; the NHS in England, for example, had multiple system shutdowns because hospital computers were using an outdated version of Microsoft’s operating system.
WannaCry worked precisely by exploiting a vulnerability within that operating system. Even though Microsoft released a patch in Q1, many firms failed to apply it, for whatever reason.
“Everyone runs their operations differently. All those who were impacted by it had simply not done basic patch management. That is precisely one of the services that we offer. We will go in and update the client’s network.
“The key takeaway here is that patch management is important but can be overlooked if firms rely on legacy technology or do not prioritize technology management. Clients have to ensure that they regularly back-up all their data, either internally or by using a third-party vault, and guard against their IT technology becoming outdated,” advises Coriaty.
In that regard, it is vital that fund managers perform regular risk assessments of infrastructures to identify gaps, including those caused by lapses in patch management. When it comes to risk assessments, this should be done at least annually if not more frequently, in Coriaty’s view.
“Technical budgeting to include cybersecurity protections is also important, but cost should be evaluated in the grand scheme of risk mitigation so the IT budget is aligned with critical functions. What is of primary importance is making sure that you are mitigating risk. Budget accordingly for the year, but update your documentation and review your service providers on a quarterly basis.
“Our product team and engineers are constantly looking at new technologies, new methodologies for deployment and remain aware of any conflicting technologies in the market. We spend a significant amount of time doing that. On the business side, we dedicate time to complete DDQs for fund managers as well as work with clients on budgetary planning and business continuity planning to ensure that our clients’ business goals align with their technology goals.”
We live in a dynamic world. Technology is becoming faster and outsourcing increasingly makes more sense.
“When you look at the overall risks to a firm, paying for an outsourced service provider seems not only to be a value-add but, increasingly, a necessity. When you get events like WannaCry, clients start to see the fruits of our labour in terms of maintaining their overall systems.
“Ultimately, we want to make sure we put together an infrastructure and solution set that is proactive against future cyber events,” concludes Coriaty.
