In April, 2015, The SEC issued cybersecurity guidelines for money managers and investment advisers. These guidelines provided best practices for mitigating information leakage risks and improving data security. Too often many smaller investment houses may not have knowlegeable staff to implement these SEC best practices.
These best practices are shaped around four key principles: compartmentalization; encryption; restricting remote access; and, controlling the usage of devices that may compromise internal security. The most critical considerations set forth are:
• Data encryption: Backups, portable computers, data that flows outside of the company;
• Network and system firewalls: Both hardware and software firewalls for network endpoints and individual systems;
• Restricting the use of removable storage media (e.g., flash drives);
• Deploying software that monitors technology systems for unauthorized intrusions;
• Network segregation to restrict access; and
• “System hardening” with the purpose of ensuring individual systems are locked down against attack.
Making practices a reality
To accomplish these essentials, you need to put in place both a policy and budget for active cybersecurity, consistent with the size and technological complexity of the operation. The basic important thought is that every system, network appliance, server, Internet connection, remote office (and its equipment) as well as portable devices, backups and other areas where data is transmitted or stored will need individual attention by a knowledgeable cybersecurity expert.
Investment managers without the needed internal cybersecurity expertise typically seek help of an outside consultant to deal effectively with this critical issue, and minimize potential exposure. An outside opinion most likely will shed light on overlooked but critical areas – such as the firmware version of a vulnerable network appliance, or remote ports that are exposed which don’t need to be open. These types of “invisible” or ignored issues may lead to large-scale breaches and other maladies.
The primary goal of the SEC’s Cybersecurity Guidance is to help set forth a common framework for institutional best practices, casting light on commonly overlooked security flaws and spelling-out common sense steps to address them.
More importantly, however, it is a critical change in the landscape of the our regulatory and legal environment. With all of the recent (and ongoing) breaches — and given what is at stake for investment managers if their systems are hacked — it makes sense to shape and adopt a cybersecurity plan. It makes even more sense to put the plan into action before cybersecurity becomes a problem for your operation.