Your Hedge Fund Is Ripe For a Cyber Attack

Cyber security isn't just for mega corporations like Sony - hedge funds and prop trading shops need to shore up their defenses against hack attacks.

In the wake of the recent cyber-attack on Sony, private corporations, such as hedge funds, must become increasingly vigilant in developing effective response protocols and mitigation techniques in preparation for similar threats and vulnerabilities.

The destructive nature of this type of attack has cost Sony financially and has resulted in severe reputational damage that, at best, will take years to repair. For smaller companies, specifically hedge funds, it becomes even more imperative for proper precautions to be put in place to protect themselves from cybersecurity hacks.

As a priority, hedge funds should put forth every effort to reduce risk within their organizations by executing some of the actionable steps below.

1. Assess Your Vulnerabilities

It is crucial for chief compliance officers, chief financial officers and hedge fund directors who oversee operations of funds to identify sensitive assets, such as investor or employee personal information and financial statements, and the risks associated with those assets. In addition, identifying sensitive assets within the organization, the digital life cycle of such assets, and the business workflow is essential for the protection of its investors, employees and business partners.

During this identification stage, hedge fund executives must also remember to include third-party service providers and business partners with which they share, process, transmit and/or store sensitive information, as these assets may also be at risk and could be easily overlooked.

2. Take Precaution with Vendors

Your enterprise is only as secure as its third-party providers. It is necessary that hedge fund executives conduct ongoing due diligence on all vendors with whom they conduct business to ensure the safety of the fund’s assets. They must be confident that vendors, which can range from law firms and accounting firms to even janitorial companies, have the ability to protect those assets.

In fact, one of New York State's top financial regulators, Benjamin M. Lawsky, recently requested that a dozen banks provide their policies and procedures for governing relationships with third-party providers and outline their due diligence processes. Hedge funds must take that extra step and look beyond their own security perimeters for any weaknesses.

3. Properly Train Workforce

The human element is the most important one to consider; after all, it is the key factor that contributes to a successful attack for hackers. It is critical that all users within hedge fund organizations are made aware not only of potential risks, but also of ways to avoid, reduce and escalate any risk that they may encounter within the organization in order to reduce the level of damage incurred. Many companies are now starting to put in place mandatory information security awareness training for employees as part of their orientation, as well as ongoing reinforcement to ensure proper compliance with policies. This is to ensure that third-party service providers have the same level of information security awareness for their employees.

And while security training definitely plays a large role in preventing breaches, mistakes are bound to happen. This is where an added layer of security – such as tools that monitor for and detect security lapses – comes in handy.

4. Stay Vigilant for Unexpected Attacks

An essential step in maintaining a level of preparedness for the cyclical nature of cyber security is having the ability to prepare for, respond to and recover from an incident. This must be coupled with the flexibility to adjust to business needs, which is an ongoing and essential process. Maintaining visibility into your digital business workflow is crucial to ensuring protection of your sensitive assets. Utilizing tools to keep a watchful eye on where your sensitive assets are flowing and how they are getting there will help in your response should an incident occur. Establishing internal and external partnerships is also crucial to fostering a proactive approach to incident management.

This includes developing an incident response plan and conducting table-top exercises to ensure that the plan will assist the organization in identifying, responding to, and recovering from a perceived threat. Most critically, the response plan must mitigate the incident effectively and efficiently, within a minimal time frame that will not negatively impact the organization’s production, financial status or reputation.

With the shifting cybersecurity landscape, hedge funds should constantly be alert when it comes to cyber risks. The liabilities or loss of income for a small hedge fund could leave a huge dent in profit and cause irrevocable damage. By taking these steps, hedge funds can properly protect themselves from risks that could result in a major cybersecurity disaster.

Brian Lozada is director of information security for Abacus Group.