Is Your Administrator a Cybersecurity Risk Weak Point?
Apr 5 2016 | 6:45pm ET | Risk
Editor’s Note: Alternative investment managers know that risk comes in all shapes and sizes, and most have very detailed ways of quantifying and dealing with them. However, cyber risk often flies below the radar, especially when it is associated with third-party partners like administrators and data partners increasingly connected to a fund manager’s most sensitive information through online systems and cloud-based resources. In this contributed article, Rod White, director and regional CEO of fund administrator Equinoxe Alternative Investment Services, writes that managers must view third-party cyber risk with the same thoroughness as the other risks they face.
Last year will go down as the one in which cybersecurity made it to the top of the priority list for hedge funds. As cyber criminals – whether they are financially-driven organised criminals, state-sponsored industrial saboteurs or hackers trying to prove a political point – become more sophisticated in both their methods and their identification of targets, the industry has reacted. The increased focus of the U.S. Securities and Exchange Commission on this issue during 2015 has brought it home to firms of all sizes and has precipitated the rise of the CISO – the chief information security officer.
However, upgrading and staffing internal systems only goes so far. A cyber security program is only as strong as its weakest points. Fund investors rightly scrutinise their managers’ preparedness, but they need to be assured that the entire ecosystem of service providers with which the manager exchanges significant amounts of sensitive data complies with the same high standards. Research by consultancy KPMG conducted this year suggests that as few as 44 percent of alternative investment managers are focused on third-party data security oversight. This represents a vast and largely unmitigated cyber risk.
As an administrator to hedge funds of various sizes, we are expected to comply with the practices of our most stringent and secure clients. Administrators can themselves be the subject of a cyber attack, or can present a cyber security issue to the manager through its own actions. What follows are the most important aspects of cyber security, some questions that are frequently asked, and some that are not asked nearly enough. They should apply equally to other third parties, such as IT integrators, data warehousers, order management system providers, and any other organisation that is granted access to a manager’s network.
Does your administrator secure access to your data using industry best practices? For example, system identities should be tied to individual users through the use of both credentials and second-factor authentication. Furthermore, your administrator should ensure authorized users can only access data and perform actions within their appropriate privilege level, and should take steps to secure against “privilege escalation” attacks, whereby system users exploit flaws to elevate their access level and gain access to restricted data.
Allied to this, the administrator should ensure best practice is followed with respect to passwords by employing “salted password hashing” techniques and enforcing password complexity among users.
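As an added illustration of the two practices just named (not code from the article or from Equinoxe), the following shows per-user salted password hashing with a slow key-derivation function, constant-time verification, and a complexity check at enrolment; the PBKDF2 parameters, the storage format and the complexity rule are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed parameters for the example: PBKDF2-HMAC-SHA256 as the slow hash,
# a 16-byte random salt per user, and an iteration count chosen for illustration.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' using a fresh salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per user, so identical passwords store differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def meets_complexity(password: str, min_length: int = 12) -> bool:
    """Illustrative policy: minimum length plus at least three character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(bool(re.search(pattern, password)) for pattern in classes)
    return len(password) >= min_length and present >= 3


def enrol_user(store: dict, username: str, password: str) -> bool:
    """Enrol only if the password meets policy; persist the salted hash, never the password."""
    if not meets_complexity(password):
        return False
    store[username] = hash_password(password)
    return True
```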
Your administrator should ensure that any data is encrypted using industry best practices, and the encryption applies to backup as well as production data. When in motion between manager and administrator, data should be encrypted using, for example, Secure File Transfer Protocol and certificate-based authentication.
Managers looking for complete encryption between themselves and their administrator should take steps including ensuring their email server accepts TLS (Transport Layer Security) encrypted email, and using an encrypted portal to upload/download files and provide statements to investors.
Access to the manager’s data should be granted on a principle of least privilege basis, with controls in place to limit access to those who need to see the manager’s data in order to fulfil their job.
Administrators must as a matter of course have the capability in place to detect any intrusion at both the network and host level. The software behind this should be updated continuously as updates become available from the software provider. As well as being alerted to any potentially malicious intrusion, the administrator should notify the manager in a timely fashion. In order to maintain the strength of the perimeter, penetration tests should be performed by an independent third party. Normally, the administrator itself will commission the penetration tests; in these instances, fund managers should be granted access to the full report of the test results.
The fund administrator should undertake measures to ensure its infrastructure – both physical devices and web-based platforms – is secure. One such measure is the maintenance of an audit trail, logging all system activity and access. In best practice, the audit trail will be housed off-system to prevent any manipulation of the data. Administrators should use firewalls to separate perimeter networks from endpoints hosted in the private network, and update them on a regular basis as software updates become available. As well as the aforementioned third-party penetration tests, the administrator should perform regular scans of both the internal infrastructure and the perimeter, using embedded adaptors supplied by a third-party PCI scanning vendor.
Culture and correct governance play a vital role in a robust cyber security program. At an organisational level, your fund administrator should have a written cyber security policy that is revised on an annual basis and effectively communicated to all employees and any service providers. The policy should cover employee departures and the resulting restriction of their privilege levels and password facilities. Additionally, the firm should have a dedicated security and compliance function. Within the workforce, all employees should receive sufficient training – which is periodically revisited – to put the security policy into practice. A manager may well wish to see evidence that their administrator’s employees are fully trained in this regard.
Similarly, physical security plays a vital role in protecting data. Your administrator should ensure that access to facilities in which client data is being held or processed is appropriately restricted, with server rooms and archival backups protected with key cards, locks and physical alarm systems.
With sabotage an increasingly common motive for cyber criminals, business continuity planning plays an integral part in cyber security. Managers should be able to ask to see their administrator’s written business continuity plan as it applies to a variety of different business interruptions. The plan should contain details of the target time to return to normal levels of operation and details of the administrator’s back-up plans.
The above is by no means an exhaustive list of all measures that your administrator should be undertaking. However, it should provide an overview of what to expect in the way of best practices. Many of our clients like to schedule annual meetings between members of our staff and their senior team to discuss both the measures we have in place to protect them and whether there are any patches, fixes or developments from the industry that can be integrated into our stewardship of their data. Your administrator should understand that their networks and data are only as secure as you make them, so we recommend a collaborative approach to cyber security that evolves to meet new threats as they materialize.
Rod White is director and regional CEO for Bermuda-based Equinoxe, where he is responsible for the firm’s U.S. and Bermuda operations. He joined Equinoxe in 2008 from JPMorgan Hedge Fund Services, where he worked as the group manager responsible for client relationships and compilation of complex valuations. He is a Canadian Chartered Accountant and spent three years with Deloitte as an auditor.