Among the most relevant topics today is how to protect an organization from cyberrisk. The issue is important not only for client and proprietary data, but also for preserving one’s brand, reputation, financial position and future growth opportunities. A panel of experts shared their perspective on the actions that firms can take to mitigate their exposure within the current market environment and issues that management needs to be thinking about.
“Risks come up disguised as requests, so we have to be vigilant and careful. We can no longer continue with ‘business as usual.’ For those used to working in a fast-paced environment, it’s a fundamental shift in operating behavior.” Lenore Kantor, Launch Warrior
Putting cybersecurity in the proper compliance context, Joanna Fields of Aplomb Strategy referred to the SEC’s evolution over the past 6 years. The Consolidated Audit Trail proposal released in April 2016 addresses data warehouse protection, whereas cybersecurity was not even a reference point after the flash crash of May 6, 2010. See excerpts from Joanna’s comments here.
Registered Investment Advisors (RIAs) are now required to be compliant, and while 60% are reviewing their processes, only 1/3 of these are vetting the platforms they use to trade. Financial and technology firms should know their internal and external messages and with whom to communicate. Stay informed by joining an industry organization (see ISAO below); smaller entities may otherwise be farther removed from the current issues.
“Every organization should have an Incident Response Plan in place that is practical – indicating who to contact. Policies and procedures are a regulator’s front door in. If these aren’t up to date and actually followed, that’s the fastest way for a regulator never to leave.” Joanna Fields, Aplomb Strategies
“No matter what the size of your organization, there needs to be management-level involvement in these issues. This has to be part of the DNA of the entity and how you do business, because the value of your business and ultimately the brand is wrapped up in this. If it’s thought of that way, it can be embraced as a market advantage.” Luke Dembosky, Debevoise & Plimpton
There is no single technical or legal solution, and any internal governance structure needs to be pragmatic, according to Luke Dembosky of Debevoise & Plimpton. The vast majority of cyberrisk cases are due to vulnerabilities that are widely known, but liability has not yet righted itself in the software industry. Since the Panama Papers incident, clients are asking ‘how are you protecting our data?’ Organizations are learning that they need to segregate data and require multi-factor authentication to create barriers to entry. Management should affirmatively make choices and establish appropriate internal governance structures that protect the value of the business and the brand. See excerpts from Luke’s comments here.
Marc Groz of CyberXplore pointed out that governance and cyber are both focused on control of your business. He advised looking for low-hanging fruit, such as policy changes and fixes that can be made quickly, and cross-referencing any known risks to prepare your organization. See some of Marc’s practical suggestions here.
“Make sure to practice good cyber-hygiene.” Marc Groz, CyberXplore
Chuck Doerr of OpenFin, an HTML5 runtime technology platform used by many financial trading firms, discussed the importance of managing data on the desktop, which may come from multiple source applications and is often unencrypted. In the current environment, many business and contractual relationships are not secure.
Particularly for trading environments, assume a hostile operating environment on both the desktop and mobile. Consider creating a wrapper around the desktop to provide a sandbox and protect against data loss. If you are going to use open source, you have to read the code and vet it. Do not neglect due diligence – this step should not be skipped. Even if you are not a deep technologist, you should know the right person to call.
“There is no security that is not open source. You cannot trust a company that won’t show you their code. When you have such an interconnected network effect of data loss possibility and liability, you need to be sure when you bring your data to a desktop that you have ringfenced it properly.” Chuck Doerr, OpenFin. See his comments on this issue here.
- Make sure to properly dispose of your old technology; you can’t just donate it. Look into Electronic Recyclers International.
- Join industry groups to stay abreast of cybersecurity information and ensure you are in the loop about best practices. Consider joining the Information Sharing and Analysis Organization (ISAO).
- Decommission your flash drives.
- Don’t click any links that you question.
- Have more than one back-up of your source data because ransomware is now targeting backup sources as well.
- For open source development, make sure to vet the license on every piece of source code you use.
- Get some perspective on dealing with phishing requests here.
LaunchTalks was hosted at Debevoise & Plimpton in conjunction with Innovative Markets Fintech Power Circle and NexChange. A broad range of perspectives was represented, with dynamic input from participants at leading hedge funds, banks, broker-dealers and other financial and technology firms, including CTOs, COOs, risk managers and service professionals. Please contact us to learn more about attending or sponsoring our future LaunchTalks events.