The way that fund managers protect their data goes far beyond thinking about the four walls of their office. The way we work has been revolutionised in recent years as technology, especially cloud technology, has redefined what the workplace actually is. With wifi, cloud platforms and mobile phones, a hedge fund CEO could, if they wished to, run their business from a beach in Martinique. But with every upside there is always a downside, and today that means protecting one’s perimeter has become a far greater challenge.
The enormous flow of data between fund managers and their service providers, combined with their continued adoption of digital and social media platforms, has created a much wider digital footprint. The bigger that footprint is, the more vulnerable firms become to cyber attacks.
This formed the basis of an interesting panel debate last month at a cybersecurity event hosted by Global Fund Media on 16 March in London at The Reform Club.
The panel was moderated by Thomas Deinet, CEO of the Hedge Fund Standards Board, and included Trevor Moore, a Security Consultant at Intralinks, Michael Marriott, Research Analyst at Digital Shadows, and Andrew Flatt, CTO of global macro hedge fund Omni Partners.
Such is the ease with which hackers can build an organisational picture of one’s business that it is now becoming increasingly important for fund managers to put proper processes and controls in place, not only to protect the actual data being disseminated, but to ensure that they treat their corporate digital footprint as a risk management exercise.
Data extortion tactics
Marriott told the audience that organisations in different sectors of the global economy each face a different set of threats: company-specific, sector-specific, geographic-specific threats and so on.
“It’s impossible to avoid all the bad things that happen online. Understanding what the specific threats are is really important,” said Marriott. Digital Shadows helps assess external threats, providing its clients with what it refers to as cyber situational awareness. It aims to prevent, detect and help contain cyber-related incidents by analysing the organisation through an “attacker’s eye view”.
Discussing the current threat landscape, Marriott referred to last year’s USD81 million bank heist of the Bangladesh central bank’s account at the New York Federal Reserve. This was a highly sophisticated attack whereby the threat actors developed an in-depth knowledge of the bank’s internal software and workings. That is no easy task.
“It might have been through a disgruntled employee or because data was being accidentally leaked out by employees; regardless, the people involved used the data to map out the organisation and determine where the bank’s weak points were in its network, what software it was using etc.
“The point is, building up one’s knowledge of the internal structure of an organisation doesn’t necessarily require an insider, the data is already out there. But the good thing is there is a lot that companies can do to detect that information,” said Marriott.
The consequence of leaking too much data into cyberspace, whatever the company, is exposure to ransomware attacks. Over the last couple of years these have largely involved DDoS (distributed denial of service) attacks, but they have now become more sinister and targeted, with threat actors extracting sensitive information and threatening to release it if their demands aren’t met.
One interesting variation on extortion recently involved a European bank. Instead of just taking data and threatening to release it if the bank didn’t pay a ransom, the attackers targeted individual HNW clients of the bank directly and said ‘If you each pay us 5% of the ransom we won’t release your bank details’, bypassing the bank altogether.
As such, fund managers cannot afford to be laissez-faire in terms of the way they manage data and the types of solutions they use to encrypt and disseminate it.
“Planning ahead and trying to align processes to the evolving threat landscape is vital,” said Marriott.
At the end of the day, a lot of vulnerability revolves around the platforms that fund managers use. Intralinks’ Moore said that if an organisation has to look very carefully at its bottom line, it might not always invest in the type of security framework that is needed.
“The perimeters are starting to shrink. Rather than protecting the entire environment, as firms become more mobile and staff work remotely, the ring around securing data is shrinking down to perhaps the core elements and they don’t necessarily pay attention to the way data is distributed,” said Moore.
Email is still the predominant way of sharing information. It has become second nature to many of us, but think about it: if you attach a document containing valuable information, the moment you hit send you are creating at least two copies of that data, and possibly a third if it’s held on the mail exchange.
Using email can therefore result in a document being replicated many times over. And invariably that data, or fragments of that data, ends up getting distributed across the world multiple times without firms even being aware of the fact.
“What we do is provide a platform that is designed to share data with the right people using access controls, whereby people within the organisation are limited to accessing certain types of data,” explained Moore. “In addition, we use information rights management. Every item of data that comes onto the platform is given a wrapper, which is cryptographically applied. That wrapper has some intelligence, in that when you click on the data it knows whether or not you are permitted to access it.
“It also has the ability to call to a rights server and ask if the person in question is permitted to use the data, copy or send the data, or edit it in any kind of way. It controls the data in its entirety, irrespective of where that data is. What’s more, you can change those permissions. I could send a piece of data to a wide audience but only make it available for five days, after which the rights management will kick in and effectively delete the data.”
Think of it as an extended version of Snapchat.
A second data management control that Intralinks has at its disposal is to apply cryptography to the data it shares on the Fundspace platform, providing each client with its own cryptographic key.
Intralinks uses a hardware security module to encrypt data when it is stored on the platform. By allowing clients to own the keys that are used to encrypt the data, they can keep those keys secure on their own premises. If they are worried about a data breach – maybe they are closing an investor’s account or finalising an M&A deal – they can destroy the key on their own premises, which effectively deletes all the associated data, since without the key the stored ciphertext cannot be recovered.
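As an added illustration, not Intralinks’ own code, of the wrapper, rights-server check and client-held key described above, the following Go sketch seals each document under a per-client AES-GCM key, refuses access to anyone outside the permitted readers or the time window, and shows that destroying the client’s key makes the stored ciphertext unrecoverable. The in-memory key map standing in for the HSM, the Wrap and Open functions and the client and user names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

var clientKeys = map[string][]byte{} // stands in for the client-held HSM: one key per client (hypothetical)
type Wrapped struct {                // the cryptographic wrapper: ciphertext plus the policy the rights server enforces
	Client    string
	Nonce, CT []byte
	Readers   map[string]bool // users permitted to open the document
	Expires   time.Time       // access is refused after this instant
}

// ProvisionKey mints a fresh 256-bit key; DestroyKey is the client's crypto-shredding step.
func ProvisionKey(client string) { k := make([]byte, 32); rand.Read(k); clientKeys[client] = k }
func DestroyKey(client string)   { delete(clientKeys, client) }
func gcmFor(client string) (cipher.AEAD, error) {
	k, ok := clientKeys[client]
	if !ok {
		return nil, errors.New("no key for client: ciphertext is unrecoverable")
	}
	block, _ := aes.NewCipher(k) // 32-byte key, cannot fail
	return cipher.NewGCM(block)
}

// Wrap seals doc with AES-GCM under the client's key, binding the client name as associated data.
func Wrap(client string, doc []byte, readers map[string]bool, ttl time.Duration) (*Wrapped, error) {
	gcm, err := gcmFor(client)
	if err != nil {
		return nil, err
	}
	w := &Wrapped{Client: client, Nonce: make([]byte, gcm.NonceSize()), Readers: readers, Expires: time.Now().Add(ttl)}
	rand.Read(w.Nonce)
	w.CT = gcm.Seal(nil, w.Nonce, doc, []byte(client))
	return w, nil
}

// Open is the rights-server decision (identity, then time window) followed by decryption.
func Open(w *Wrapped, user string, now time.Time) ([]byte, error) {
	if !w.Readers[user] || now.After(w.Expires) {
		return nil, errors.New("rights server refused: not a permitted reader, or access window expired")
	}
	gcm, err := gcmFor(w.Client)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, w.Nonce, w.CT, []byte(w.Client))
}
```

Because the client name is authenticated as associated data, a wrapper re-labelled to another client fails to open even if that client’s key exists.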
“Above all else, it is important to emphasise that it comes down to the human factor,” added Moore. “We have a platform with very granular controls that enables any organisation to securely share any data they want, but the more granular the controls the more important the human element becomes: defining the policies, making sure the access controls are correct, and so on.
“You have to apply the right level of human oversight to manage information rights on data.”
Building awareness, and getting across that there is a right way and a wrong way of doing things, is clearly important.
Moore said that the Intralinks platform also has a metadata function to support data classification, which can be useful, especially for large fund management groups running multiple fund products and sharing data with third parties across multiple asset classes.
“We provide advice, especially to larger clients, on how to classify data and how to structure the data for sharing. There are a number of bespoke approaches that can be used. I think the information rights management tool is granular enough to support most cases,” suggested Moore.
For those who are thinking of using a third party cloud vendor, the FCA recently published third party vendor and cloud hosting guidelines: https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf.
Mobile device management
Mobile device management is an important aspect of controlling one’s digital footprint.
“We use Microsoft Intune. We make sure everyone uses a four-digit pin and each device is encrypted. We have pushed our work policy onto each device so that if one of our staff loses a phone or laptop, we can initiate a remote wipe of all necessary corporate (not personal) data,” confirmed Flatt.
Without proper controls in place, a company risks serious reputational harm if an employee accidentally leaves his or her mobile phone or laptop in a taxi, for example. It only needs to fall into the hands of the wrong individual for potentially sensitive data to be accessed and exploited.
This comes back to the human factor. You can lead a horse to water but you can’t make it drink. All the solutions in the marketplace that secure, encrypt and back-up data are great but they are only as effective as the person using them.
“The culture of the business is critical to protecting one’s data. Allow people to flag issues without them worrying about being shouted at or accused of wasting anyone’s time. All the toys are wonderful but unless people are trained to use them, and know when to raise issues or concerns, they are useless,” remarked Flatt.
Intralinks has its own mobile application capability, which enables end users to build and run their own applications in a secure container. The way the solution is used really depends on each organisation and how staff utilise mobile devices. “If you allow them to use their work device for personal use, you can control it as much as you want. If you are trying to encourage them to use their own device for business only, then you need one of these container solutions,” urged Moore.
Information rights management and mobile device management tools are fast becoming key parts of a hedge fund CTO’s toolbox to ensure that their organisation’s digital footprint is properly monitored and risk managed.
To that end, choosing the right service provider is critical. Managers should do careful due diligence and satisfy themselves that the platform provider has the right security certifications in place. If a provider fails to offer sufficient transparency during that due diligence exercise, this should be treated as a red flag.
“Due diligence is a big part of the process when managers are assessing our cybersecurity framework,” confirmed Moore. “The bigger the organisation the more detailed the due diligence tends to be. I think Intralinks engaged in 180 penetration tests last year. If you try and do due diligence on Microsoft, for instance, getting access to one of their data centres is going to be pretty slim. It is a bit of a minefield because different service providers will engage in different ways.”
Risk is a key aspect of all of this. Within the context of one’s operating environment, look at your WISP (written information security programme) and ensure that you are getting the right level of assurance from your service providers.
“Intralinks are very open in the way we approach due diligence. We’ve got as much to lose as our clients, so we treat it very seriously,” stressed Moore.
GDPR will focus minds
As if managers needed any further reason to focus their minds on data management, the industry faces the prospect of GDPR being introduced into Europe next year. In short, firms will be liable to fines equivalent to 4% of their total annual turnover if they mishandle personally identifiable information.
One of the things with GDPR, however, is that it offloads some of that responsibility to the people managing that data on behalf of fund managers.
“We will be equally as liable as our end clients, in terms of protecting personally identifiable information,” said Moore.
In conclusion, Marriott urged the audience not to fixate on the dark web. It doesn’t have a monopoly on cyber crime, he said, “there is a lot of banal stuff on there”.
Ultimately, the way fund managers can reduce the risk of external data falling into the wrong hands all comes back to the people and the company ethos. Technology only goes so far.