Backstop recently partnered with Akin Gump LLP for a live webinar discussion on cybersecurity. Panelists Michael Neuman and Natasha Kohne covered a range of topics relating to information security for the institutional investment community, including potential threats, regulatory challenges, preventative measures and response plans.
In case you missed it, here are our top 10 takeaways:
1. Threats – and regulations combating those threats – continue to evolve every day.
From hacktivist groups like Anonymous, to nation states, organized criminals, kiddie hackers, and corporate espionage, threats are coming from seemingly every direction. And what’s scarier, attacks have advanced from basic malware, where a hacker tricks you into clicking on something inappropriate, to sophisticated phishing attacks.
2. Understand where your data is going and map it out.
Fully understanding who has access to your data, especially when working with third-party vendors, is critical. Oftentimes, the list is much longer than you realize, as it’s common for vendors to use backup systems and data recovery for storage. Going through the exercise of mapping your data also clarifies which laws you would be subject to in the event of a breach.
3. Carefully review your vendor contracts.
When negotiating contracts, pay close attention to usage rights and restrictions so that you get an understanding of what the vendor is actually allowed to do with your data. You should also secure terms around breach disclosures, and determine how the vendor will remove and destroy your data when you’re no longer a customer. Remember that in the event of a breach, regulators will consider whether you did the proper due diligence in advance.
4. Form partnerships with your vendors.
When you find the right vendor, don’t just check the box and move on. Take the time to understand the organization’s privacy policies, and keep an open dialogue throughout the partnership. Learn how your vendor has architected its systems, and how it’s mitigating access with encryption, particularly for offline backup systems.
5. Security is a business (not tech) issue.
While security once sat with the CTO, it has grown into a board-level business issue. There is no one-size-fits-all governance structure, but you need to be sure whoever is in charge has the right expertise. Oftentimes, a special committee is appointed.
The SEC wants boards to ensure management is assessing risks and dedicating resources to breach plans. Congress is currently reviewing a bill, the Cybersecurity Disclosure Act of 2015, which would require data security initiatives to be released in annual reports.
6. Create a culture of awareness.
Continually educate your entire staff, starting at the new hire level. Rather than distributing an annual reminder of privacy policies, create meaningful training sessions. Try relating security measures to how employees can protect themselves outside the workplace, and use terminology that everyone in the company can understand. Some companies have even staged phishing scams to test how the organization would fare in the event of a real attack.
7. Take precautions wherever you can.
While it may be a nuisance for employees, taking small precautions is as important as encrypting your data. Require your employees to change their passwords on a regular basis, and regulate the strength of those passwords. Many firms also prohibit the use of consumer file-sharing and backup services like Google Drive and Dropbox.
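Takeaway 7 is the one item on this list that turns directly into a check a firm can enforce. Below is an added example of such a check, written for this summary and not code from Backstop, Akin Gump or the webinar; the thresholds (12 characters, three character classes, a 90-day rotation window) and the small deny-list are assumptions chosen for illustration.

```python
"""Password policy check illustrating takeaway 7 (added example, not from the original post).

Thresholds and the deny-list below are assumptions; a real deployment would
size them to the firm's own policy and use a full breached-password corpus.
"""
from datetime import date
import re

MIN_LENGTH = 12        # assumed minimum length
MIN_CLASSES = 3        # assumed: at least 3 of lower/upper/digit/symbol
MAX_AGE_DAYS = 90      # assumed rotation interval ("change on a regular basis")

# Constructed sample deny-list of common passwords, for illustration only.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password_policy(password: str, last_changed: date, today: date) -> list[str]:
    """Return the list of policy violations for a password; an empty list means compliant.

    Checks strength (length, character-class mix, common-password deny-list)
    and age (days since the password was last changed), matching the two
    requirements in the takeaway.
    """
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")

    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears on the common-password deny-list")

    age_days = (today - last_changed).days
    if age_days > MAX_AGE_DAYS:
        violations.append(f"last changed {age_days} days ago (limit {MAX_AGE_DAYS})")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs.
    today = date(2016, 1, 1)
    for pw, changed in (("Correct-Horse-Battery-9", date(2015, 12, 1)),
                        ("Password1", date(2015, 1, 1))):
        result = check_password_policy(pw, changed, today)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The function returns a list rather than a boolean so the onboarding or help-desk tooling that calls it can tell the employee exactly which rule failed, which keeps the "nuisance" the panel mentions to a minimum.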
8. Know your regulators.
There’s an alphabet soup of regulators, but if you’re in the fund space, the Securities and Exchange Commission (SEC) likely serves as your main data security cop, in addition to the Federal Trade Commission (FTC) and state attorneys general. With the SEC’s commitment to focus on cybersecurity in 2016, it’s important to ramp up your cybersecurity compliance game, whether it’s through a mock OCIE examination, simulated data breaches or a tailored compliance program.
9. Regulators will not overlook small violations.
The SEC takes a “broken windows” approach to regulation, meaning it won’t overlook small violations. Even if you’re a small fund manager, you have to have tailored policies and procedures that are tested, reviewed and followed. A lawsuit could be fatal, and in recent litigation, courts have ruled that proving a substantial risk of future harm is sufficient to satisfy the standing requirement.
10. Have a plan, and in the event of a breach, act quickly.
To mitigate damage, understand which types of attacks endanger your company, line up the right legal team and have an Incident Response Plan in place. The 24-hour period following a breach is the most critical time to act, and the company is expected to act quickly. As early as possible, get a grasp on the true scope of the breach so you can properly assess and mitigate damage.