HFMWEEK SPECIAL REPORT: CYBER RISK AND SECURITY 2016

FEATURING ACA Aponix // eSentire // Eze Castle Integration // netConsult Ltd // SS&C GlobeOp // Tancroft

STAFF TRAINING The end user remains a key catalyst
PREPARATION Prevention is better than cure
UP-TO-DATE TECHNOLOGY Software that evolves in conjunction with threats



www.acaaponix.com

Holistic Cybersecurity and IT Risk Assessment

ACA Aponix is a team of highly specialized and experienced technologists from large banks and hedge funds. We take a holistic approach to assessing cybersecurity and technology risk, from your investment workflow to your security at the front door.

Cybersecurity Reviews | Independent, Holistic Risk Assessment | Vendor Due Diligence | Network Testing | Staff Security Training | Phishing Testing | Documentation | Ongoing Advisory

[email protected]

HFMWEEK.COM 3

The world of cyber-security is changing. Cyber criminals, who seek to extort, trick and steal from firms and individuals alike, are becoming braver in their methods of infiltration.

Generally, companies have only had to deal with desktop breaches alongside other computing threats, but, due to increasing vulnerability and a lack of protection, mobile is quickly becoming the predominant target. This platform provides a different means of attack, from fraudulent apps to the rise in bogus WiFi hotspots.

In terms of reaction, the financial services community is behind the hacking community by roughly 10 years. This special report investigates how a lack of investment in cyber-security initiatives, inadequate cyber risk education and a lackadaisical approach across the industry continues to hinder defence progress. Ultimately, firms need to wake up, and wake up quickly.

In this HFMWeek Cyber Risk and Security Report 2016, we hear from a range of leading cyber experts, who provide essential insights into developing a reliable and protective barrier, no matter what size your fund is or where it may be located.

Tom Simpson

CYBER RISK AND SECURITY 2016 INTRODUCTION

LONDON Third Floor, Thavies Inn House, 3-4 Holborn Circus, London, EC1N 2HA T +44 (0) 20 7832 6500

NEW YORK 200 Park Avenue South Suite 1603, NY 10003 T +1 646 891 2110

REPORT EDITOR Tom Simpson T: +44 (0) 20 7832 6535 [email protected]

HFMWEEK HEAD OF CONTENT Paul McMillan T: +1 646 891 2118 [email protected]

HEAD OF PRODUCTION Claudia Honerjager

SUB-EDITORS Luke Tuchscherer, Mary Cooch, Alice Burton, Charlotte Romeyer

GROUP COMMERCIAL MANAGER Lucy Churchill T: +44 (0) 20 7832 6615 [email protected]

HEAD OF BUSINESS DEVELOPMENT AMERICAS Tara Nolan T: +1 (646) 891 [email protected]

PUBLISHING ACCOUNT MANAGERS Alex Roper T: +44 (0) 20 7832 [email protected]; Butroid +44 (0)207 832 6613 [email protected]; William Peters +44 (0)207 832 [email protected]; Bethanis +44 (0)207 832 [email protected]

CONTENT SALES Tel: +44 (0) 20 7832 6511 [email protected]

CEO Charlie Kerr

HFMWeek is published weekly by Pageant Media Ltd. ISSN 1748-5894. Printed by The Manson Group. © 2016 all rights reserved. No part of this publication may be reproduced or used without the prior permission from the publisher.

05 SECURITY: WHAT’S OLD IS NEW AGAIN Eldon Sprickerhoff, of eSentire, explores the devastating effects of ransomware attacks and how, despite living in an age of technological advancement, the key to protection lies at the fingertips of the operator

08 FUND PROTECTION: CYBER-SECURITY PROTECTION AND SECURITY MONITORING Phil Ashley, from netConsult, offers an insight into the dangers of cyber-security and what the best protection practices are

11 SECURITY: ARE YOU A VICTIM OF CYBER CRIME? Bob Schwartz of SS&C examines the nature of cyber-attacks and outlines the best way to determine how secure you are

12 SECURITY: DEALING WITH CYBER RISK Partner at ACA Aponix, Marc Lotti, speaks to HFMWeek about the growing significance of cyber-security, what the best means of protection are and how firms’ lackadaisical approach must change

14 FUND PROTECTION: MOBILE SECURITY RISKS EXPOSED Nick Reid, technical director at Tancroft, highlights when, where and how mobiles are most at risk from attacks and the best methods of prevention

16 MANAGEMENT: FOUR STEPS TO BUILDING A CULTURE OF SECURITY Bob Guilbert of Eze Castle Integration discusses the significance of staying cyber safe and unveils the best practices to avoid disasters

How did SS&C become one of the world’s fastest growing fund administrators? First we built the industry’s most experienced team of fund accounting experts. Then we gave them the industry’s gold standard in fund accounting and management software, which we own, support, and enhance ourselves.

Outstanding experience, expertise, security, technology, independence, and transparency. That’s how SS&C drives the future of fund administration.

Driving the future of fund administration

HEDGE FUNDS | PRIVATE EQUITY FUNDS | FUND OF FUNDS

ssctech.com/fundadministration

SECURITY


Over the past few years, we have borne witness to an incredible rise in sophisticated attacks. These attacks are without a doubt the most serious threats that we’ve encountered to date. The rise of ransomware (thanks to CryptoLocker and CryptoWall) has emerged as a particularly lucrative attack technique. There has been an ebb and flow to ransomware but it hasn’t vanished completely.

A host of healthcare-related attacks grabbed headlines across the globe at the start of this year and these high-profile cases have thrust ransomware back into the spotlight. The attacks have successfully crippled day-to-day operations at a multitude of healthcare facilities. For those organisations, access to digital data can literally make the difference in life or death circumstances. The success of the recent attacks means that they’ve virtually opened the floodgates for similar attacks against businesses beyond the borders of the healthcare industry.

As well, there are indicators that the newest generation of ransomware targets servers – specifically publicly-facing servers often hosted within a demilitarised zone (DMZ) or at third-party hosting providers. Whereas previous versions of ransomware required some initiation or interaction by an end-user, server-focused ransomware uses vulnerabilities on the servers themselves to gain access and lock files. The exploited server can also then be further used to host ransomware and infect those who visit it.

HFMWeek (HFM): How does ransomware work and what do financial firms need to watch out for?

Eldon Sprickerhoff (ES): Ransomware is a form of malware that is spread by drive-by-download (while the user is surfing) or through a file attachment spread through email. In the latter case, malware is typically embedded (or attached as a download) within a seemingly legitimate file. When the file is opened, the payload downloads and encrypts files on the user’s hard drive, making files inaccessible. Once the files are encrypted, unlocking them becomes impossible without a decryption key, which is typically delivered when the ransom is paid.

Like many of today’s sophisticated attacks, technology alone can’t guard against employees clicking malicious links. With ransomware, users must remain vigilant to prevent accidental clicks.

HFM: What should a firm that has been targeted by a ransomware attack do?

ES: Let’s assume that practically every firm is, in some way, susceptible to a ransomware attack. Given the popularity of this attack vector in the last two years, this shouldn’t be a difficult assumption to make. Keeping this in mind, we suggest this series of steps to prevent a successful attack:

1. Harden the endpoints (ensure patches, anti-virus are up-to-date)

2. Test your backups regularly

3. Restrict end-user access to ‘least-privilege’ within your file server

4. Reduce inbound vectors (e.g. gmail or other personal)

5. Train users to better recognise malicious inbound attacks

6. Disable macros within Office if not needed; otherwise use Microsoft Reader products on suspicious inbound documents

7. Improve rigour of inbound email services (better analysis of inbound content)

8. Implement a continuous monitoring/embedded incident response service to watch and alert for unusual behaviours and work through the incident to an “all clear” state

9. Implement a behaviour-focused monitoring method (which alerts if a single user accesses more than n (where say n=5) files a minute).
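Step 9 of the list above describes a simple behavioural detector. The following is an added example, not eSentire's product code: it reads a constructed file-server audit log in an assumed format (`<ISO timestamp> <user> <action> <path>`) and alerts when one user touches more than n=5 distinct files inside any rolling 60-second window, so a bulk-encryption burst is caught while repeated saves to a single document are not.

```python
"""Behaviour-based ransomware indicator for a file server.

Added example (not eSentire's product code). Alerts when a single user
touches more than THRESHOLD distinct files inside any rolling 60-second
window, which is the n-files-a-minute rule from the interview. The log
format is an assumption: "<ISO timestamp> <user> <action> <path>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                 # n in the interview: alert above n files/minute
WINDOW = timedelta(minutes=1)

# Constructed sample audit log (not real data). "bob" starts a burst at
# 09:05:00 that looks like ransomware walking a share; "alice" is normal.
SAMPLE_LOG = r"""
2016-03-01T09:00:01 alice OPEN  \\fs01\finance\q1.xlsx
2016-03-01T09:00:40 alice WRITE \\fs01\finance\q1.xlsx
2016-03-01T09:03:10 bob   OPEN  \\fs01\research\notes.docx
2016-03-01T09:05:00 bob   WRITE \\fs01\research\a.docx
2016-03-01T09:05:02 bob   WRITE \\fs01\research\b.docx
2016-03-01T09:05:04 bob   WRITE \\fs01\research\c.docx
2016-03-01T09:05:05 bob   WRITE \\fs01\research\d.docx
2016-03-01T09:05:07 bob   WRITE \\fs01\research\e.docx
2016-03-01T09:05:09 bob   WRITE \\fs01\research\f.docx
2016-03-01T09:05:11 bob   WRITE \\fs01\research\g.docx
2016-03-01T09:07:30 alice OPEN  \\fs01\finance\q2.xlsx
"""


def parse_line(line):
    """Split one audit record into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(None, 3)
    return datetime.fromisoformat(ts), user, action, path


def detect_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return [(user, timestamp, distinct_files)] for every burst detected.

    Uses a sliding window rather than fixed clock minutes, so a burst that
    straddles 09:04:59/09:05:00 is still counted. Distinct paths are counted,
    so repeatedly saving the same document does not trip the alert. One alert
    is raised per user per window to avoid flooding the analyst.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, path)
    last_alert = {}               # user -> timestamp of most recent alert
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, _action, path = parse_line(raw)
        events = recent[user]
        events.append((ts, path))
        # Drop events that have aged out of the window (log is time-ordered).
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct = len({p for _, p in events})
        if distinct > threshold:
            prev = last_alert.get(user)
            if prev is None or ts - prev > window:
                last_alert[user] = ts
                alerts.append((user, ts, distinct))
    return alerts


if __name__ == "__main__":
    for user, ts, count in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} user={user} touched {count} files in 60s")
```

On the sample log this raises one alert for bob at 09:05:09 (six distinct files in the window); alice never crosses the threshold.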

HFM: Are enough firms prepared against ransomware attacks? Is there an issue with education?

ES: Like many of the attack types we see today, a firm’s greatest security weakness is its employees. Even with layers of technology in place, hackers can find entry to a firm’s network through employees. Today, people are busy and can easily become distracted. Oftentimes when skimming through email they can simply be caught off-guard by something that looks legitimate or is received from a familiar source or contact. Awareness training is an essential, ongoing tool to combat inbound cyber threats. Every employee is vulnerable and must be made aware of the subtle tell-tale signs of bogus emails laced with malware. Through training and rigour, it is possible to convert a firm’s greatest security weakness into security advocates.

LIKE MANY OF THE ATTACK TYPES WE SEE TODAY, A FIRM’S GREATEST SECURITY WEAKNESS IS ITS EMPLOYEES

WHAT’S OLD IS NEW AGAIN

ELDON SPRICKERHOFF, OF ESENTIRE, EXPLORES THE DEVASTATING EFFECTS OF RANSOMWARE ATTACKS AND HOW, DESPITE LIVING IN AN AGE OF TECHNOLOGICAL ADVANCEMENT, THE KEY TO PROTECTION LIES AT THE FINGERTIPS OF THE OPERATOR

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.

HFM: Ransomware is becoming increasingly prominent on mobile platforms; how can firms protect against mobile attacks?

ES: Ransomware on mobile devices tends to work a little differently, though the effect is still the same. On mobile devices, ransomware can be disguised as ads or pop-ups which, when clicked, launch the malware and infect the device. The same premise of prevention still applies; in this case, users must exercise caution when clicking. There are products available specifically for mobile platforms (e.g. containerisation) that can help protect against ransomware attacks.

HFM: What are the best forms of protection and how effective are the methods available?

ES: Prevention is crucial when it comes to defending against ransomware attacks. In addition to the suggestions above, below are some tips we recommend to protect your firm’s mobile devices:

1. Make sure you’re running the newest version of the operating system

2. Investigate security options within your mobile device management solution

3. Train your users to be suspicious when receiving attachments

4. If possible, restrict the downloading of apps

5. Don’t let your employees jailbreak their mobile devices

6. Regularly back up your mobile device’s files and configuration (weekly, if not daily)

7. Monitor the authentication profile of all users’ mobile devices (to watch for unusual remote access)

8. Notice and alert if battery usage is suddenly worse than previous days, given the same usage

HFM: What will happen to firms that fail to protect adequately? What can services such as eSentire offer firms in the form of protection, support and moving forward?

ES: Without adequate prevention and protection, firms put themselves at greater risk of devastating ransomware attacks. Once ransomware finds a hold on a firm’s network and takes control of network data, many firms often feel their only choice is to meet ransom demands. While paying the ransom is the fastest way to recover encrypted data, it isn’t the best option. Ransom payments validate the success of these kinds of attacks and will only fuel the hacker’s appetite, which is why our core message focuses on employing preventative measures to guard against attacks. There is also no guarantee that the attacker has not retained a toehold within the organisation and might continue their extortion campaign.

When it comes to evolving cyber threats, technology just isn’t enough. What today’s threats reinforce is that in spite of the layers of traditional technology (firewalls, anti-virus, intrusion detection systems, etc.) firms use, it alone can’t stop employees from clicking on malicious links. At eSentire, our combination of people, process and technology complements the existing technology that firms have in place with advanced security defences and the keen eye of security analysts, who monitor network traffic 24/7, looking for the kinds of indicators of compromise that technology alone might miss.

SPECIALISTS IN MOBILE CYBER SECURITY

TANCROFT COMMUNICATIONS LTD, 48 MONMOUTH STREET, COVENT GARDEN, LONDON, WC2H 9EP

0207 557 9818 e: [email protected] www.tancroft.com


CYBER-SECURITY PROTECTION AND SECURITY MONITORING

PHIL ASHLEY, FROM NETCONSULT, OFFERS AN INSIGHT INTO THE DANGERS OF CYBER-SECURITY AND WHAT THE BEST PROTECTION PRACTICES ARE

Phil Ashley is the chief information officer at netConsult. A trained analytical scientist, he has over 15 years’ senior IT experience across a range of industries, with several years running both internal IT teams and an external IT service provider in the finance industry.

HFMWeek (HFM): How would you describe the current state of cyber-security?

Phil Ashley (PA): Cyber-security is becoming more prevalent in everyone’s minds and is a frequent topic of discussion within the industry. The rate of incidents continues to escalate, alongside ever-increasing media coverage. Cyber-attacks are pervasive across the landscape today and the threats continue to grow, evolving in sophistication. However, many of the cyber-attacks we see today are similar in nature to those we have seen over the last few years.

The impact of cyber-security incidents is growing in terms of the reputational and fiscal impact, which has resulted in driving more organisations to address cyber-security risk with more focus and substance. Some organisations’ security practices are still developing despite the continuing publicity around cyber-security, a fact that cyber criminals are acutely aware of. We regularly see our client base’s IT systems being programmatically scanned, typically by autonomous systems, looking for security weaknesses, as well as several real-world attacks each month. Cyber-security threats can materialise very quickly, creating a challenging environment to maintain sufficient and effective cyber-security defences.

HFM: What should funds be considering when it comes to cyber-security?

PA: There is a vast array of security technologies, systems, solutions and providers in the marketplace offering various levels of protection. Assessing all their features, effectiveness and appropriateness can be a complex task. A good breadth of basic protections, well implemented, securely configured and properly monitored can be a solid starting point. Enterprise anti-virus and firewalls, access controls and data protection are not overly onerous to implement and can quickly provide a fair level of protection. It is often possible for an organisation to achieve a good security posture with a few simple additions and professional configurations.

Focusing on a breadth of solutions can often be more effective than a few specific, advanced solutions. However, most security technologies need involved configurations; setting and forgetting them can be dangerous. Ensuring that security solutions are professionally installed, well integrated, securely configured and regularly or continuously monitored is key.

Responding meaningfully and in a timely fashion to a realised or near-miss security incident is also very important. Attackers are likely to be aware that organisations might not detect or may take time to react to a successful attack or data breach. This can often result in future repeat attacks as a technique to avoid detection and attempt further security breaches.

Establishing a business-led cyber-security strategy is likely to be the most successful approach. Ultimately, technology solutions can only ever achieve so much. Business practices, employee awareness and a mature risk strategy can ensure that levels of cyber-security protection are not only appropriate but deliver the best value and protection to the organisation. Understanding the organisation’s current security practices and how well they are operating can help achieve focused and effective IT security improvements as well as develop a mature security position. Working with third-party providers and consultants can not only bring added value but also demonstrate to investors and regulators that cyber-security is at the forefront of the business. Although, having a clear cyber-security strategy in place will ultimately help to get the most out of such third-party engagements or partnerships.

HFM: What is cyber-security monitoring and what protection does it offer?

PA: Cyber-security monitoring is about utilising all the security information that you have available, making sense of it and taking action in response to cyber threats. It aims to provide immediate detection and response in the event of an attack on any system and adopting a proactive approach to security. Having the ability to gain and extract security information from numerous sources such as firewalls, intrusion detection systems (IDS), active directory, web servers and SIEM platforms can provide a security operations team with invaluable information. This enables the addition of a layer of human insight into cyber-security protection to augment what can be achieved with technology alone.

Cyber-security monitoring is potentially best understood as a methodology. It is an approach to protection which brings security protection into the heart of the business. Understanding how the business operates, if the security software is functioning as expected and listening and reacting to what the current defences are saying could potentially provide an organisation a substantial level of protection.

Not only does a monitoring solution enable a valuable layer of protection, but it can also determine how well existing IT security systems, and indeed infrastructure systems, are operating to ensure they are healthy, efficient and configured correctly. Enabling further security integrations as well as forensics repositories can not only be invaluable when responding to potential threats, but also when remediating after a data breach. Coupled with regular cyber-security reporting, all elements help to increase the organisation’s security awareness as well as cyber-security maturity.

HFM: Are there any particular cyber-attacks you see regularly?

PA: Cyber-attacks can be broadly classified into two categories: targeted and untargeted.

• Targeted attacks, with distinct intent to target a specific organisation, are becoming more commonplace and increasingly more elaborate. No longer exclusively the realm of state-sponsored or corporate espionage, targeted attacks can be effective with relatively minimal effort. A phishing email, for example, for maximum success, needs to be relevant and specific to its target; but with access to some basic information, which is readily available in the public domain, this can take merely a few minutes to construct.

• Untargeted attacks, while more generic, can still be damaging and have substantial impact on organisations. Generally, netConsult see more untargeted than targeted attacks; for example malware, spam email and compromised web URLs. One of the challenges for IT security is that often the targeted attacks use many of these same techniques to mask or misdirect away from the real attack.

Potentially the biggest challenge for IT security providers is that many attacks are often unique and not overly repeating. Zero-day vulnerabilities and advanced persistent threats also come into this category. Cyber criminals have a wealth of security weapons at their disposal and can try a series of different attacks. They only need to win once; IT security solutions have to win every time.

Ransomware attacks have been very prevalent recently and netConsult have responded to several such incidents over the last few months across our client base. Whilst ransomware can be specifically targeted at organisations, several of which have been reported recently in the media, many are often generic. However, even a simple CryptoLocker incursion can be highly disruptive. Catching it executing or actively encrypting can be achieved, although reacting to it quickly enough is much more difficult. Having generally sound and well-managed IT practices can help mitigate any potential damage, i.e. good backups and effective IT support, and minimise any business impact.

HFM: Can cyber insurance help?

PA: Cyber insurance is becoming more widely discussed in the UK, though still very much more widespread in the US. There is value in considering cyber insurance, but be selective, as many insurance policies appear quite generic and, without many claims against them, it is difficult to tell how effective they might be. In the not too distant future, however, it is likely that insurance underwriters in the UK will develop more robust cyber insurance. This may well start to take into consideration the security posture of an organisation as well as its exposure and risk profile. Risk consultants and insurance brokers are established specifically to tackle cyber insurance so it is likely to continue to be a developing area.

CYBER CRIMINALS HAVE A WEALTH OF SECURITY WEAPONS AT THEIR DISPOSAL AND CAN TRY A SERIES OF DIFFERENT ATTACKS. THEY ONLY NEED TO WIN ONCE; IT SECURITY SOLUTIONS HAVE TO WIN EVERY TIME

2015 US TECHNOLOGY AWARDS WINNER

ELITE Say good-bye to thousands of alerts and hello to the elite intelligence team that manages them for you.

SMART Moving far beyond IPS and SIEM to detect the threats that they can’t see.

AGILE Trusted experts protect your network 24X7 and respond instantly to threats.

WE DETECT THE CYBER THREATS THAT OTHER TECHNOLOGIES MISS.

REIMAGINED SIEM & IDS/IPS | 24X7 GLOBAL SOCS | REAL-TIME RESPONSE | REGULATORY READINESS | INCIDENT RESPONSE PLANNING | VULNERABILITY ASSESSMENTS | SECURITY AWARENESS TRAINING

Active Threat Protection™ Service

[email protected] www.eSentire.com


ARE YOU A VICTIM OF CYBER CRIME?

BOB SCHWARTZ, OF SS&C, EXAMINES THE NATURE OF CYBER-ATTACKS AND OUTLINES THE BEST WAY TO DETERMINE HOW SECURE YOU ARE

Bob Schwartz is a chief technology officer and has more than 20 years of experience in managing large global technology teams and projects, particularly for the financial services industry. Schwartz joined SS&C from GlobeOp (now SS&C GlobeOp), where he was chief technology officer.

HFMWeek (HFM): What key areas are the most vulnerable to cyber-attacks? And how are these best protected?

Bob Schwartz (BS): People are often considered to be the weak link in securing environments against cyber-attacks. The art of manipulating people into divulging information or performing actions which are detrimental to the security of an organisation is known as social engineering. Criminals employ social engineering tactics because it typically requires fewer resources and less technical expertise to trick a human into providing information than to discover ways to hack into computer systems.

Social engineering can take on many different forms and the first step in protecting against these threats is in understanding the different methods which are used, and then training your employees on how to identify and avoid these scenarios. The most basic form of social engineering involves the victim receiving a phone call with the perpetrator asking the target to complete a task such as providing passwords in order to perform IT support.

Another more technical form of social engineering is ‘phishing’. In these attacks, fraudulent emails are crafted to lure individuals to disclose information, transfer funds or to instigate an action such as opening a malware-laden attachment, or clicking on a malicious web link. While ‘Nigerian Prince’ scams are still doing the rounds, the more modern scams can be harder to spot.

While some phishing attempts cast a wide net, others are targeted directly at organisations or even individuals. This is known as ‘spear phishing’. These communications can look highly convincing, can use valid company logos and can appear to be from a legitimate email domain. They may ask you to perform a task which is considered a normal part of your work day, or they may ask you to click on a link that appears to be related to your job.

Such is the threat of social engineering. I would suggest that you include it as a topic in your annual information security awareness training.

HFM: Where do cyber threats come from?

BS: Cyber criminals are becoming more organised and profit-driven. Wherever there is the potential for financial gain, an attack could take place, and it could be conducted from anywhere in the world. An entire underground economy exists to support cyber crime and hackers are able to trade in vulnerabilities and infected computers for Bitcoins, or for information that they could use to mount an attack.

Due to the online nature of cyber crime and the use of servers across borders, it requires the continued cooperation of international enforcement agencies in order to successfully track and close down malicious sites. Recently, Interpol and the FBI have announced that they are forming closer ties to address cyber crime and this can only be a good thing.

HFM: How has regulation moved to combat cyber risks?

BS: The regulators such as the UK Financial Conduct Authority (FCA), the Central Bank of Ireland (CBI) and the Securities and Exchange Commission (SEC) have all published guidance in the past 18 months on addressing cyber risks. It is encouraging to see that the regulators are aligning their objectives and covering key themes such as governance, risk assessment, policies and processes, and awareness.

The regulations are clearly pinning the responsibility for cyber-security on the board of directors, but the regulations do not necessarily provide the answers on how to achieve a robust information security programme to combat threats. They do, however, indicate that risk assessments are a key factor in an organisation understanding the threats that they face and how their existing controls may mitigate those risks.

HFM: How do you assess how secure you are? What are the processes?

BS: We assess how secure we are through governance processes such as completing self-assessments provided by the regulators as well as mapping to common standards such as ISO27001 and NIST. We also perform risk management to assess the extent to which the layered controls we have in place reduce the probability and impact of threats. In addition to our in-house team, we engage outside security experts on a regular basis to independently test our technology environment to ensure we are employing best practices and closing known vulnerabilities.

SUCH IS THE THREAT OF SOCIAL ENGINEERING. I WOULD SUGGEST THAT YOU INCLUDE IT AS A TOPIC IN YOUR ANNUAL INFORMATION SECURITY AWARENESS TRAINING


HFMWeek (HFM): How has regulation moved to improve cyber-security and does it need to do more?Marc Lott i (ML): Over the past few years, regulation has moved incredibly swift ly. Th is is due partially to President Obama’s 2013 executive order on cyber-secu-rity, which informed SEC Chair Mary Jo White’s March/April 2014 roundtable, which resulted in the OCIE’s fi rst guidance on cyber-security. Th e guidance itself when fi rst issued wasn’t very prescriptive; it was a list of ques-tions comprised of what fi rms should be considering re-garding their cyber-security policies and procedures. In hindsight, it is very interesting that these questions were included because they were asked without context or were general and unfocused. It appeared that regulators were looking to collect data on the topic and the inquir-ies were more reconnaissance rather than probing.

Now, based on a number of exams we have heard about, the SEC is moving toward more targeted ques-tions on specifi c topic areas, and there is no limit to where they can go with these questions, as their do-mains range from fi rm to fi rm. In the past month alone, we have seen an increase in cyber-security examina-tions. We have heard from various fi rms that they are now being exam-ined for cyber-security programmes and protections by the SEC’s cyber division.

Does the SEC need to do more? I would argue that firms themselves need to do more and follow the SEC staff ’s guidance, which has effective-ly stated that this is important and firms need to do more. It appears that, after delving into firms’ cyber-security questionnaire responses, SEC examiners found that firms are simply not doing enough. Perhaps this is why there has been an increase in exams and also why the SEC might be more focused and aggressive in pursuing deficien-cies in firms for lack of adequate cyber-security protec-tions and controls.

HFM: Was initial regulation implemented early enough?ML: Most people don’t realise that cyber-security pro-tections have been enforceable since 2002 under Reg-SP. Furthermore, it is also not commonly known that the

SEC had a fairly aggressive initiative in 2005 to focus on cyber-security initiatives.

To quote an anonymous and reputable source: “Th e SEC was side-tracked by some of the events that hap-pened in the housing crisis in the US.” Based on this view, the SEC was essentially distracted from around 2007 until fairly recently, around 2014. Cyber-security regulation has been in force for a considerable amount of time and some fi rms have yet to fully take it seriously.

Finally, in general, the fi nancial services community is behind the hacking community by about a decade, and this is obviously a huge factor that encompasses the whole industry and highlights the inadequate invest-ment in cyber-security initiatives.

HFM: What are regulators expecting from a fi rm’s cyber initiatives?ML: Many fi rms, especially smaller investment advis-

ers and fi nancial services fi rms, aren’t equipped with the right personnel, and in many cases with the right ven-dors, to put together a formal cyber-security programme. So, where do they begin? Th is is obviously a dif-fi cult question for the inexperienced to answer. Generally, regulators have explicitly provided guidance on the reference framework that should be used; and the SEC staff has recom-mended that fi rms look to NIST. Th is is not surprising as NIST was born out of the government sector, and the SEC being a government agency, naturally looked to it as other govern-ment agencies were already using it.

NIST is a very large framework that has a lot of “baggage”, so being able to manage it, align it and right-size it to firms is something the inexperienced would find challenging. This is where a firm, or the firm’s internal technology team, would look to outside guidance from firms that have the experience or capability to interpret and align that framework with a firm’s programme or initiative. Maybe they are not the prescriptive measures that regulators are expecting or advocating for, but they are certainly intimated if not explicitly stated. That is, you need to have assessments to understand where you are, you have to perform due diligence on your vendors, you need to train your employees and you need to have adequate policies and procedures in place. The last must demonstrate that you’re actually committed to this programme in writing and that you have evidentiary support of policy compliance and process efficacy.

DEALING WITH CYBER RISK

PARTNER AT ACA APONIX, MARC LOTTI, SPEAKS TO HFMWEEK ABOUT THE GROWING SIGNIFICANCE OF CYBER-SECURITY, WHAT THE BEST MEANS OF PROTECTION ARE AND HOW FIRMS’ LACKADAISICAL APPROACH MUST CHANGE

Marc Lotti is a partner at ACA Aponix, the cyber-security and IT risk division of ACA Compliance Group. In all of his activities, Marc applies his extensive experience as a senior business and IT strategist, IT alignment and governance specialist, and thought leader. He has over 15 years’ experience in the financial services sector, five years in hospitality and five years in the start-up space.

HFM: Are enough firms prepared? What needs to change in firms’ incident responses?

ML: As mentioned previously, firms are generally in the same place with incident response planning as they were around 10 years ago with business continuity plans, where firms didn’t have anything in place and didn’t understand resiliency requirements internally or how to protect against single points of failure. They are very much in the same boat with incident response planning today, which is evolving as firms increasingly realise that they need to have something in place to be prepared.

Many firms don’t have an incident response plan and the majority of firms that do have plans need to evolve them in order to consider multiple scenarios and test these scenarios with table-top exercises. This can be done very much like how you would test your disaster recovery plan to determine its effectiveness and then where you need to improve.

HFM: Will threats to cyber-security ever be quashed? Or is it simply an issue that firms will have to learn to live alongside?

ML: The risk will always be there. What needs to be addressed is how well you protect against it. It’s like being robbed. There’s always the chance it will happen, but you learn over time not to walk down the dark alley if you want to stay away from a thief or at least reduce that risk.

The same goes with cyber risk. It is an absolute necessity to have baseline protections in place. A lock on the door, for example, but firms must make sure that the lock is used effectively. The best lock in the world won’t be effective if it’s left open. And it doesn’t stop at the front door. There are various ‘pickets’ in the risk fence, and all of the pickets need to be at a reasonable level, not just for regulatory reasons, but to protect against operational risks as well. Because ultimately, even if a regulator isn’t mandating it, an investor might, and if something does happen then, you’ll contend with reputational risk and ultimately financial risk as a by-product. This holds true for any firm and the threat is not a one-time event.

As mentioned previously, cyber-security programmes are ongoing and every firm should have a defence. The initial plan will evolve and mature over time, but it must be in place at some level. As the years go by, the pickets in the fence will be elevated to add additional protection. Undoubtedly, it’s hard for firms to put everything in place at once, but I don’t think the regulators are expecting as much. As long as your firm has an action plan and you are taking reasonable measures to mitigate cyber threats, you’re in a good position.


HFMWeek (HFM): How are threats posed to mobile cyber-security different from computing security threats?

Nick Reid (NR): Key differences are that a mobile phone is portable and typically goes wherever the owner ventures. WiFi also serves as an interesting differentiator, in regards to a mobile’s ability to connect to WiFi pretty much anywhere. It is now possible to connect to an abundance of WiFis while out and about, and unfortunately, people are not completely aware whether they are secure or not secure. A desktop in a fixed location will typically have far more security provided and ready to protect it. Even a laptop is more protectable compared to mobile devices. Although, most companies still don’t see mobiles being so much of a security risk as their technological relatives.

Historically, companies have only had to deal with desktop breaches and computing threats, whereas mobile is becoming increasingly vulnerable and a far easier target as a mobile phone is generally easier to hack. Luckily, in some ways, the hackers haven’t quite caught up with it, albeit those that have, are becoming more aware and more advanced in how they are hacking. The main difference between mobile and computing security threats is the manner of the attacks; mobile attacks are exclusively a more dedicated and personalised attack. This is not similar to a computer attack, where the common method is for a hacker to ‘throw’ a virus out there and see who it hits. To hack a mobile there must be an identified target, and if someone is going to go to the effort to hack, then they are definitely going to make a more sustained effort to try and get the information/data that they seek.

The biggest risks are the end user not having a secure device, lack of training and WiFi. You can connect a mobile handset at a train station, a coffee shop or an airport, and most people simply agree to accepting any terms and conditions without knowing the ins and outs because they want instant WiFi. That is the most vulnerable point, at the moment, for a device as it is the easiest point to attack.

HFM: How important is education in protection against mobile cyber threats?

NR: Education is very important, and specifically for the end users. End users are the weakest point in the system. You can put various forms of protection within the device, but if you go back to the WiFi scenario and the individual still decides to click “yes”, as no one has ever warned them of the risks, then no matter what protection is on a device, someone has been allowed straight onto it. Without education, everything else that you can do will be neutralised and you will only be able to get halfway there, in terms of what can be prevented and stopped.

HFM: There has been a huge rise in security applications for smartphones, yet only around 50% of smartphone users admit to knowing they exist. Why is there such a lack of knowledge surrounding these apps and are they worth downloading?

NR: Some of the security apps we come across on app stores are there exclusively to make a financial profit for the creators. A large number of products say that they will protect against a whole host of threats and risks, but at the end of the day they don’t.

In addition, those apps that are best for protection aren’t very good at promoting themselves. There are applications out there which are proven to work very well, but they don’t promote themselves enough. I suppose there is more of a focus on creating a good security app than promoting it through PR and marketing. Too many companies rely on word of mouth and I think they could do much better.

From a company point of view, it falls on both the customers and the mobile providers to research and recommend suitable products. People can come to Tancroft for a conversation or go to their own IT company and ask what their opinion is, what services are provided and which apps to choose from.

MOBILE SECURITY RISKS EXPOSED

NICK REID, TECHNICAL DIRECTOR AT TANCROFT, HIGHLIGHTS WHEN, WHERE AND HOW MOBILES ARE MOST AT RISK FROM ATTACKS AND THE BEST METHODS OF PREVENTION

Nick Reid is an ex-Sandhurst graduate who, after five years in the army, retired and, after a brief stint in retail, joined Tancroft Communications in 1999. Initially tasked to set up and grow a corporate department, Nick then went on to be part of a management buyout in 2003. Since then, Nick and his team have grown the corporate base to over 200 clients and have created a bespoke telecoms provider that is perfectly suited to the FS industry, as well as blue chip clients who demand flexibility and bespoke services to match their requirements.

The rise of cloud-based network attacks has certainly brought these issues into the public eye. A number of companies that produce “protection apps” also rely on the news to say: “He was hacked through this or that,” rather than highlighting that prevention is better than cure.

Some companies also consider themselves “secure”, until it happens to them and then they do something about their mobile security. The significance of prevention is unprecedented, as once you’ve lost your reputation, especially in the hedge fund industry, that can be everything.

HFM: What are MDM services and how do they combat cyber-security risk?

NR: MDM solutions are complementary services and don’t exclusively combat the cyber-security risk, but they are certainly part of the solution. An MDM solution will provide an initial level of security on a device, i.e. you can lock it down, force a password, track the device or even wipe it remotely. MDMs are very beneficial apps and we highly recommend them; they are useful for controlling an end user and applying a level of security to that device individually, and so when something does go wrong you can actually do something about it. However, the process is more reactionary: you are waiting for something to happen, then deal with it.

In terms of applications for security, there are apps such as Wandera, who will actively monitor the data going through your device and will look out for and prevent an attack. Wandera will guard against anything from rogue applications, man in the middle attacks, phishing, false WiFi, etc., and is a far more proactive way of approaching mobile security. Our advice is to use a security gateway app in conjunction with an MDM, although, having just an MDM solution should be the bare minimum.

HFM: Do you anticipate mobile security threats to continue for the foreseeable future?

NR: Yes, mobile security threats are only going to become more advanced and sustained, as hackers work out that mobile devices are often more vulnerable. Attacks will become more targeted, in terms of hackers wanting specific information, from a specific company. I think this will only increase; it happens on desktops, but it will start to become more prevalent on mobiles.


FOUR STEPS TO BUILDING A CULTURE OF SECURITY

BOB GUILBERT OF EZE CASTLE INTEGRATION DISCUSSES THE SIGNIFICANCE OF STAYING CYBER SAFE AND UNVEILS THE BEST PRACTICES TO AVOID DISASTERS

In February 2016, hackers executed a cyber-attack that allowed $81m to be taken from the Central Bank of Bangladesh’s foreign exchange account at the Federal Reserve Bank of New York. As more information is released, it appears that the initial point of entry for the hackers was a spear-phishing email, potentially sent weeks before the fraud took place. Through the email, hackers gained entrance and were able to remotely monitor and probe the bank’s networks without detection.

With the sophistication of cyber crimes increasing, it is imperative that firms couple layers of security with human safeguards. What is needed is an internal culture of security that is centred on an ongoing, organisation-wide commitment to defining and adhering to careful, thoughtful policies that reduce or eliminate “people vulnerabilities” through assessments, awareness and education.

Following are four elements Eze Castle Integration has identified as vital to creating an internal culture of security.

1. CREATE A COMPUTER SECURITY INCIDENT RESPONSE TEAM

Your first step is to find the right people who can oversee your information-security policies and be part of a “computer security incident response team”. Although IT professionals are responsible for overseeing and maintaining your computing infrastructure, you also need business users to play a central role in your security initiatives. After all, they’re the ones who use these resources – and the ones who can represent the biggest vulnerabilities and risks. While the team’s responsibilities can vary, many CSIRTs are active in several key areas:

• Create a plan – development and writing of an information security plan, and working closely with their peers out in the various departments to implement and maintain the plan.
• Create training programmes – this operationalises the firm’s security plans and policies.
• Respond to incidents – business users can add valuable insights, assess the business impact of breaches, determine who must be notified and more.
• Communicate with peers – CSIRT team members spread the word to colleagues and keep security top-of-mind. They also help co-workers self-assess security risks and encourage constant awareness.

2. DEFINE YOUR TERMS

Before you can secure your confidential information, it’s important to define exactly what you mean – and ensure everyone in your organisation is literally and figuratively on the same page.

Many firms create a 10- to 20-page written information security plan that formalises the definitions and policies that govern the creation, access and deletion of confidential information and computing services. That can be everything from a description of user access privileges and physical access controls to policies regarding USB ports and opening suspicious emails. What matters is that you’ve explicitly and unambiguously documented all aspects of your company’s at-risk assets and services. A multi-disciplinary, cross-functional team often works best in these efforts.

3. DELIVER COMPREHENSIVE TRAINING

“Creating a security-conscious culture” – it’s a mouthful to say, but it’s still important to recognise. All of the documents, committees and meetings won’t have any meaningful impact if the proper security practices don’t spread quickly and uniformly across the organisation. And the way that starts to happen is through systemic and comprehensive training practices.

Service providers, such as Eze Castle Integration, can help you develop the right curriculum – tailored to your business’ unique needs, preferences and policies.

• Face-to-face – many organisations find that face-to-face, instructor-led, hands-on training is the best way to instil the security culture. The emphasis needn’t be (and shouldn’t be) on the bits-and-bytes with a lot of tech-speak. Instead, focus on what business users need to know to keep IT resources secure and protected. These scheduled sessions – which should last no more than 30 to 60 minutes – let people learn visually and practically and send a strong message about the importance of security.
• Video refreshers – when employees have quick questions or when face-to-face sessions aren’t practical, on-demand video lessons can fill an important gap. Start by taping your face-to-face sessions and edit them into quick five-minute segments. A library of key topics can be a great resource.
• Start early – underscoring the importance of security, many employers are making security training part of their ‘onboarding’ process – and asking employees to start training before their date of hire. Make sure new hires recognise their responsibilities from day one.
• Keep it going – make sure the awareness doesn’t stop with the training. Regular newsletters about data security are a good strategy. Periodic reminders from top managers can also reinforce your security-oriented culture. Update your teams about new and emerging threat strategies and sources.

4. REMEMBER THE INTERNAL CULTURE REACHES OUT EXTERNALLY

Even when you have locked down your internal systems, implemented best-practices policies and procedures, and trained your employees to think “security first”, there’s still more work to do, culture-wise.

• Assess third-party risks – perhaps the weakest link in the security chain is one you have little (or no) control over: the performance of your partners. For example, have you analysed the security practices of your strategic business partners? Does your payroll provider follow stringent practices that eliminate openings for hackers and other bad actors? Are your clearing house and transfer agents taking the right steps to prevent intrusions? After all, when you tightly integrate with their systems and share data securely, you’re still vulnerable to whatever keystroke loggers enter your environment. Or are those elite access credentials getting stolen elsewhere – and used to access your systems?
• Regulatory risks – following the right security practices will enable you to achieve clean audits from industry and government regulators. What you do inside will greatly affect your external reputation.

CONCLUSION

Having proper perimeter defences and rigid security controls is, of course, a non-negotiable requirement for any financial services firm. But the new front lines in corporate IT security aren’t technical – they’re people. By developing an internal culture of security, the organisation does far more than deploy and configure bits-and-bytes. It commits to defining and following thoughtful, far-ranging policies to eliminate the needless internal vulnerabilities that often go unrecognised.

From a properly trained and staffed computer incident response team to carefully defined policies and procedures to complete training, financial services firms can take simple but important steps to prevent breaches, strengthen security, improve regulatory compliance and increase customer confidence. For more information, visit www.eci.com.


Bob Guilbert, managing director of Eze Castle Integration, is responsible for leading all of the company’s marketing, partnership and product development functions. Prior to joining Eze Castle, Bob was vice president of business development at Virtual Iron Software.

SERVICE DIRECTORY

Tancroft, Nick Reid, Senior Account Director and Partner, Tancroft Communications Ltd // 48 Monmouth Street, Covent Garden, London WC2H 9EP // T: 0207 557 9818 // email: [email protected]

Over the past 10 years we have learnt a huge amount about the mobile communication needs of businesses. At Tancroft we have over 200 satisfied clients, who all benefit from the high quality bespoke service that we provide. We understand that your business demands are very specific and that everyone has different wants and needs – this is why the Tancroft mobile solution is right for you. By recognising each company’s individuality, we can leverage your spending and maximise the effectiveness of the service you receive.


eSentire, Mark Sangster, VP of Marketing // T: +1 519 651 2200 // 1 Penn Plaza, Suite 4501, New York, 10119 // www.esentire.com

eSentire® is a proven industry leader, keeping mid-sized organizations safe from constantly evolving cyber attacks that traditional security defenses simply can’t detect. eSentire combines people, process, and technology to deliver an unmatched, premium level service that detects, remediates, and communicates sophisticated cyber threats in real-time, 24/7. Protecting more than $3 trillion in Assets under Management (AuM), eSentire is the award-winning choice for security decision-makers in mid-sized enterprises. eSentire has received multiple accolades for exceptional service, including the HFM (Hedge Fund Manager) Service Provider award (2013, 2014, 2015). In 2015, eSentire was named to Deloitte’s Technology Fast 50™ and Fast 500™ lists, and included in the 2015 “Cool Vendors in Cloud Security Services” report by Gartner, Inc.

ACA Aponix, Raj Bakhru, Partner, ACA Aponix // T: 212 951 1030 // email: [email protected] // James Tedman, Managing Director, ACA Aponix // T: +44 (0) 20 7042 0500

ACA Aponix is the cyber-security and risk strategy division of ACA Compliance Group. We offer financial services firms a holistic, tailored approach to technology risk and governance. Our team of financial technologists works with CTOs, COOs, and CCOs at a broad range of firms to improve security infrastructures, provide advisory services, and conduct cybersecurity reviews. Our services go well beyond network perimeter testing and look for hidden vulnerabilities that lie elsewhere. For more information, visit our website at www.acacompliancegroup.com.

Eze Castle Integration // www.eci.com // T: 800-752-1382

Eze Castle Integration is the leading provider of IT solutions and private cloud services to more than 650 alternative investment firms worldwide, including more than 100 firms with $1 billion or more in assets under management. The company’s products and services include Private Cloud Services, Cyber Security Services, Technology Consulting, Outsourced IT Support, Project & Technology Management, Professional Services, Dedicated Private Network, Telecommunications, Voice over IP, Business Continuity Planning and Disaster Recovery, Archiving, Storage and Colocation. Eze Castle is headquartered in Boston and has offices in Chicago, Dallas, Hong Kong, London, Los Angeles, Minneapolis, New York, San Francisco, Singapore and Stamford. To learn more about Eze Castle Integration, contact us at 800-752-1382 or visit www.eci.com.

netConsult Ltd, Holden House, 57 Rathbone Place, London, W1T 1JU // T: +44 (0)20 7100 3310 // F: +44 (0)870 318 3126 // www.netconsult.co.uk // David Mansfield, COO // T: +44 (0)20 7100 3310 // dmansfi [email protected] // Laura Zverko, CMO // T: +44 (0)20 7100 3310 // [email protected]

Established in 2002, netConsult is an award-winning provider of managed IT services to the global alternative investment industry. We aim to provide a high level of technical expertise to our clients combined with a dedication to customer service. Our ethos is based upon designing secure IT platforms which are manageable over the long term. We are a trusted technology provider to a large portfolio of clients ranging from small start-ups to large global funds. netConsult provides a bespoke service to its clients and provides a full suite of IT services including cloud services, outsourced IT, BCP, virtual CTO and IT security.

SS&C GlobeOp, Punit Satsangi, EMEA Managing Director // [email protected] // T: +44 (0)20 3310 3304 // 1 St. Martins Le Grand, London, EC1A 4AS // www.sscglobeop.com

SS&C GlobeOp is a leading fund administrator providing the world’s most comprehensive array of financial technology products and services under a public, independent, single platform. Our expertise in business process outsourcing supports complete lifecycle capabilities, available on a stand-alone basis to hedge funds, fund of funds, private equity funds, family wealth offices, and managed accounts. Furthermore, our dedicated regulatory solutions group combines expertise and technology to provide our clients with the infrastructure and support they require to stay compliant. By outsourcing to SS&C GlobeOp, clients can reduce their technology investment and operational risks, leaving them more time to focus on asset generation and portfolio management.