Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers seek ransom payments for private information of a prominent investor. Your fund headlines the paper when an attack crashes your trading network and disrupts the financial markets. AI funds need to step up their defenses to avoid the reputational and financial damage of a major cyber breach. Here are nine strategies to help funds battle cyber crime.
1. Rethink the governance model. Cyber security is a business problem, not just an IT problem. It should be treated as such and handled as such. A recent KPMG poll encouragingly found most funds (82 percent) have a dedicated information security officer, but all “C” level executives must be engaged in the prevention and response to an attack.
2. Manage the internal threat. As the universe of people with access to your IT infrastructure explodes, funds need to take internal security seriously, especially those with Bring Your Own Device (BYOD) programs, online operations, or applications in the cloud. Disgruntled employees, contract employers with privileged access, and fraudsters could all pose a risk.
3. Build a cyber awareness program. People are the weakest link. As such, employee training and development should be a core aspect of any fund’s security program, and firms should validate training through targeted social engineering. Effective user awareness is also critical for any external providers handling your data, which leads to our fourth strategy.
4. Improve third party security assessment. Third parties could expose funds to cyber risk. Major retailers, for example, have been compromised through their heating, ventilating and air conditioning (HVAC) vendors. Our poll shows that only 44 percent of funds are focused on third party data security oversight. As your third party network grows, look closely at what type of sensitive information you share, how it is encrypted, how vendors secure it, and how your organization can reclaim previously provided data.
5. Consider emerging technology risks. Closely review the security implications of moving to the cloud or sharing information on social media. Install security software on devices. And, like 64 percent of funds in our poll, block the ability to download or remove certain sensitive information. Given the dangers of advanced persistent threats, strong network protection and safety measures are especially important today.
6. Enhance security intelligence. Beyond installing the latest patches and managing firewalls, funds can step up security intelligence by collaborating with security intelligence aggregators, analyzing log data, and introducing new models for identity, trust, authentication and entitlements.
7. Develop an incident response plan. Unlike the majority of the funds we surveyed, you should have a formal cyber security incident response plan you follow in the event of a network compromise. And you should regularly test the plan, just like any other business continuity program. The plan should have both executive and technical components and identify all participants in your response, as your customers will expect to hear from business executives should an incident occur.
8. Conduct a risk assessment. The assessment can help you understand your cyber risk, including how you rank against peers and against industry standards, so you can focus resources on improving the most vulnerable areas that represent the highest areas risk to your business. The risk assessment should also include a prioritized action plan for strategic security initiatives.
9. Enhance data classification and management. Do you know what your most valuable data is, where it resides, how many copies exist, or even who owns it, let alone who is entitled to view it? A data classification program, which involves categorizing data according to its sensitivity, is an extremely important step in building a secure organization. To build a risk-based security controls program, funds should carefully consider how they define their levels of data. What’s more, you can no longer collect unimaginable volumes of data without consequence. Safeguarding it also requires a robust data privacy and security strategy.
Download the article for more on what fund managers face on the front lines of today’s cyber security conflict.