CIT Presents at Backstop Solutions User Conference
The concepts of risk, information management, cybersecurity, third-party due diligence, and vendor management are nothing new for the Alternative Investment industry.
One of the investment industry’s leading software technology companies, Backstop Solutions, brought these topics center stage during their user conference in Chicago, IL.
Expert Panel Discussion
CIT’s Lawrence Cruciana addressed the conference on the topic of the cybersecurity landscape in the Alternative Investment space. He was joined by Backstop’s VP of information security, Michael Newman, and representatives from ACA/Aponix and SecureWorks.
The panel addressed many relevant topics, including the shift of attackers from larger targets to smaller organizations, especially smaller banking and financial services organizations.
Also heavily discussed were the shift in regulatory oversight by the SEC as Rule S-P begins to be enforced, and the changing demands of the due diligence process, including the rapidly shifting expectation that firms quantify the information security and privacy controls that their vendors and external asset managers employ. The entire information ecosystem of a subject firm, including its vendors and privacy controls, must now be incorporated into Third Party / Operational Due Diligence (3PDD/ODD) processes.
These topics were brought into an even more applied form when famed security researcher Chris Roberts joined the panel for a discussion focusing specifically on ODD. Roberts’ unique perspective brought this very salient topic to the forefront as one of the most critical issues facing both the alternative and traditional investment industries.
The overall security and custodianship of information continues to be a focus of cybersecurity efforts in the investment space.
As we’ve shared previously, the shift from purely technical safeguards to safeguards that span both people and systems continues.
The Importance of IT Security for Software Users
For many attendees, the most remarkable takeaway from this conference wasn’t the excitement surrounding new tools within Backstop’s software, or the candid platform for discussion of relevant topics in the Alternative space, or even the impressive line-up of InfoSec talent that was present… though it was really impressive.
Rather, it was that a software company dedicated a substantial portion of its user conference to discussing cybersecurity, in an industry that has historically confined such conversation to “IT” or “Security” events.
Backstop’s Michael Neuman and the entire executive cadre have brought needed visibility and conversation to a broad base of investment professionals.
Cybersecurity responsibility and awareness isn’t limited to IT any longer. It impacts every individual within an organization.
Investment and other financial-services firms are especially vulnerable to human-vectored cyber-attack due simply to the nature of the industry.
More software companies in this space should take a lead from Backstop and include “Cyber” in their broad-audience conversations.
Thank you Backstop for taking such a proactive approach to Cybersecurity!
Conference Takeaway: The Risks of Technology Growth that Affect Everyone
Balanced against the nearly limitless possibility and opportunity brought by this brave new world is risk.
Risk mitigation, avoidance, and management have long been central to the financial industry.
With increasing oversight and regulation, firms face more numerous and onerous regulations dictating how acceptable risk is defined.
It is not difficult to understand why: in recent years the long list of potential perils has grown to include insider and cyber-based threats.
By its very nature, the digitization of the industry, and therefore of the information underpinning it, is borderless, fast moving, and intended to extend a firm’s reach far beyond its own four walls.
These same attributes bring risks never before present in the industry.
Small Businesses are at Risk
The traditionally paper-and-person way of doing business is being rendered seemingly obsolete and antiquated as borderless digital services make what was once a financial services fantasy an attainable reality.
The industry has been left trying to reconcile many post-depression-era safeguards with a 21st-century workflow and customer base.
As cybersecurity risks increase, which most experts predict they will, especially for smaller firms, so too must a firm’s ability to quantify and adapt to a new blend of risks.
IBM/Ponemon reported that in a 2015-2016 study of over 1,300 financial firms which were victims of a cyber attack or data breach, on average a single compromised record cost these organizations $257.
Most firms hold thousands to tens of thousands of records. When the financial penalties that regulatory bodies can impose after a reportable cybersecurity incident are factored into this equation, the direct financial costs of such an incident become daunting.
Often missed from the impact analysis of a security incident are the soft costs of lost client trust and damaged firm reputation.
The net result is highly unfavorable from whatever vantage point it is viewed.
Firms must recognize these risks and learn how they can be effectively mitigated, so that the potential and empowerment of a borderless and hyper-connected financial services industry can be realized.
Adopting a few simple guidelines can provide tremendous value and protection to the information firms rely so heavily upon.
Given the overwhelming sea of cyber-based threats and the daunting downside consequences of a data breach, the first suggestion we would offer to private investors, fund managers, and firm executives is to understand the landscape and its vernacular.
Caught in the mire of cybersecurity risk, regulation, and mitigation, this may seem like an unrealistic objective. However, applying basic risk management and mitigation techniques to cyber issues is step one.
To accomplish this, we advocate the following steps to begin to quantify and control information-centric cyber-risk.
Mitigating Your Risk
1. Adopt a framework.
These cybersecurity frameworks are both derived from the extensive research and practice of the U.S. Government as published in the National Institute of Standards and Technology (NIST) 800 series of guidelines. Why use a framework? Simple. A framework provides a common language in which executives, technologists, auditors/examiners, and consultants can communicate with each other. It establishes common and pragmatic goals that are largely divorced from the increasing sophistication of industry jargon and the attack-du-jour.
2. Understand the firm’s information assets.
Once a framework is chosen for the firm, the next step is to establish an understanding of what information is being stored, accessed, or generated, and where that information resides.
Categorize the information into large, category-wide silos based on its C-I-A (Confidentiality, Integrity, and Accessibility) needs.
These silos often transcend organizational units, departments, and even business units.
This process, considered strategic information asset categorization and classification, allows for appropriate protection of these assets.
3. Identify appropriate protective methodologies.
Armed with the location, nature, and CIA of the firm’s information, prioritize the silos with information that is sensitive or regulated in nature.
Special attention should be given to silos that contain Personally Identifiable Information (PII).
With the silos defined, draft a data protection plan that enumerates how best and most appropriately to protect that information.
It is important to note that “how to best protect” information must transcend office walls and corporate headquarters.
The technical, physical, administrative, and associative protection modalities of such methodologies must be considered.
To emphasize the borderless nature of information, every point from which information can be accessed must be taken into account when formulating a data protection plan.
4. Validate and document information security controls.
Securing the information assets and validating those security controls completes the process.
A commonly overlooked first step is to document the firm’s information assets and the protective methodologies associated with each asset.
Once completed, validate the information security controls using an established methodology.
This practice may come in the form of an information security assessment or a review by a qualified security assessor.
Regardless of how an assessment is conducted, utilizing the firm’s established security framework permits a common, consistent, and repeatable assessment process.
Special consideration must be given to the nature of the assessments above; both engagements differ from a “Penetration Test”.
Penetration tests are complex and multifaceted technical engagements that evaluate an external adversary’s ability to gain access to an organization, move throughout that organization while avoiding detection, and access sensitive information.
Simply, these tests are the culmination and validation of security efforts across an organization.
Undertaking a penetration exercise prematurely devalues the assessment results themselves and commonly results in inaction.
This undertaking would be akin to requesting Special Forces soldiers to test their ability to gain access to a home. Clearly, the locks on the doors would be no match for high explosives and a trained breach team.
Many firms waste precious time and resources engaging in such penetration exercises when even the most basic security controls have yet to be implemented.
Notice the lack of acronyms or buzzwords. That is intentional. Buzzwords will change and technology will change; however, the nature of a financial services firm will not fundamentally change.
Firms large and small exist to deliver value to their clients, investors, partners, and shareholders.
The modality of value delivery will most certainly change but not the fundamental mission and purpose of the industry.
Rooting a cybersecurity strategy in an information-centric risk mitigation and management model permits easy adaptation as technology and attacks change.