Cyber Security & Managing KYC Data

Transcription

1 SPECIAL REPORT Cyber Security & Managing KYC Data The views and opinions expressed in this paper are those of the author(s) and do not necessarily reflect the official policy or position of Thomson Reuters.

2 TABLE OF CONTENTS Introduction 3 KYC and data security 3 Investment managers and the need for cyber security defences 4 Data lifecycle and security risks 5 Cyber resilience and compliance 6 Conclusion 7

3 Cyber Security & Managing KYC Data 3 INTRODUCTION Cyber crime is continuing to grow, with the financial services sector as a whole particularly vulnerable to this menace. This report looks at the cyber risks faced by investment managers, who handle strictly confidential data on a continual basis, whether they perform KYC due diligence on their own clients or respond to KYC requests from their banks. It further explores some possible solutions to mitigate these risks. Cyber crime is a technology-fueled threat that has significant consequences for all parties involved in Know Your Customer (KYC) due diligence. Investment managers, whether they are responders to KYC requests or performers of KYC due diligence, handle highly confidential identity data on a daily basis. They must therefore be aware of the scale and nature of the risks they face as well as the most effective methods of managing and protecting confidential data. KYC AND DATA SECURITY Cyber crime is a very real threat to investment managers; according to PwC s 2014 Global Economic Crime Survey, 39% of respondents from financial services said they have at some point been victims of cyber crime. The aim of KYC regulations is to mitigate risk at every level within an organization. Thorough due diligence is required to ensure current and potential clients identity is checked and proven. In the past, banking and financial relationships were mostly conducted on a personal level and more often than not in a single geographic area. Increasing globalization, despite offering organizations the advantage of being able to conduct business anywhere in the world, has brought with it a new problem: increasing the complexity around understanding exactly who you are doing business with in unfamiliar territory and differing jurisdiction. Along with increases in regulation, the global KYC/AML (antimoney laundering) landscape is extremely difficult to navigate. The problem is exacerbated by the fact that there is no consistent KYC standard across the industry. This has two knock-on effects: - when performing KYC due diligence, many firms exercise caution and request more information from clients than is actually necessary, and - different organizations interpret legislation in different ways, leading to further requests for information from clients. The result: the pace of business slows; vast amounts of time and effort are needed to collect, validate, store and maintain large quantities of information; and, crucially, risks surrounding the delivery, storage and security of strictly confidential information increase exponentially. This last point is good news for the cyber criminal. In essence, investment managers are custodians of large amounts of highly confidential identity information. As performers of KYC due diligence, they have access to their clients identity information and documents. This can include names, addresses and dates of birth of directors, and passports of signatories. As responders to KYC requests from their banks, they are disseminating vast and varied identity documents to the various banks they do business with or are looking to do business with. The consequences of potential lapses in security are significant, as evidenced by several high-profile cyber attacks, including those on JP Morgan and Fidelity. Investment managers find themselves in a precarious position. Regardless of where in the spectrum they sit; a responder or performer of KYC due diligence, data management and cyber security issues are complex and challenging issues and challenges that must be acknowledged and addresses to ensure diligent KYC compliance.

4 INVESTMENT MANAGERS AND THE NEED FOR CYBER SECURITY DEFENCES Investment managers are noted for their significant spend on trading technology. To gain an edge in a very competitive, highspeed market environment, no expense seems too much when investing in sophisticated information and state of-the-art trading systems. However the same cannot be said about investments in building defenses against cyber crime. Many investment managers outsource their back-office IT infrastructure to third parties. This is particularly the case for relatively small or medium-sized firms in terms of assets under management. Unlike the largest funds in the industry, which often maintain proprietary systems, the vast middle make up the lion s share of the sector and appear to be far behind in their defenses against cyber threats and data security breaches. According to Raj Bakhru, Chief Executive of Aponix Financial Technologists, an advisory firm to hedge funds, there is some ignorance in relation to the importance of cyber security amongst investment managers; There are three types of [investment managers]. Those who are really on top of it and these would include the biggest players and quant firms - but the majority are in the second bucket and somewhat confused and not sure what to do...and then there is a significant head in the sand bucket who don t care It s an educational process. Previously cyber crime was considered as something more likely to affect large banking institutions, whose high profile was seen as making them prime targets for all kinds of hackers. JP Morgan s admission that it had been on the receiving end of a massive attack in 2014 only highlighted the threats faced across the financial services sector and the need for investment, in general awareness and education, to keep pace with cyber criminals.

5 Cyber Security & Managing KYC Data 5 DATA LIFECYCLE AND SECURITY RISKS Investment managers must be aware that personal data (both their own and their clients ) goes through stages of movement and use. Data must be fully protected at these three distinct stages: 1. DATA IN USE As the name suggests, this is data that is still being created, amended or otherwise used. During this stage there is potential danger that data could be physically stolen, incorrectly captured or hard copies disposed of in an insecure manner once electronic versions have been created. 2. DATA IN MOTION At this stage data is being transferred between the investment manager and their bank or client. There is no guarantee that the methods of transfer are efficient and/or secure and include , post (hard copies or USB/DVD copies) or uploading unencrypted data to websites. Delivery to the right person cannot be guaranteed and data can be intercepted or misdirected. Electronic copies are often easier to protect than hard copies, but because many KYC and AML regulations were written before the digital age, some organizations still insist on original documentation, further exacerbating the problem. That is not to say that sending documents via is always secure either, as firms may not have the correct procedures in place to ensure that information is sent securely. 3. DATA AT REST Here data is in storage, either in databases or shared drives, and risks exist at this stage also. Once information has left the investment manager, they have little or no control over how it is stored and who can access it. In addition, if the investment managers are the ones who are storing the data, effective controls must be in place, for example, to encrypt data held in databases. Robust disaster recovery and backup policies are also a key requirement. The common thread throughout the three stages outlined above is the human element. Even the most advanced control environment is at risk from human error and organizations must therefore ensure that their employees are properly trained and are able to create and maintain a secure work environment at all times. In addition, limiting the amount of information held to that which is absolutely necessary will go some way towards reducing cyber risk. Risk Stages Data Lifecycle Data in Use: Data when in use at the endpoint (i.e. laptops, workstations, etc.) Creation Usage Data in Motion: Data when transmitted outside of the secure network (i.e. , web, etc.) Transmission Data at Rest: Data in storage (i.e. file shares, databases, etc.) Preservation Retirement

6 6 Cyber Security & Managing KYC Data CYBER RESILIENCE AND COMPLIANCE Before the financial crisis, compliance officers had well defined roles, with clear boundaries in relation to their day-to-day responsibilities. They were the second line of defense and they updated policies in line with changes in the relevant rulebook, monitored all aspects of conduct of business and reported up to the risk committee. However, the perimeter of today s compliance officers job description is ambiguous and is driven by regulatory developments about good customer outcomes and conduct risk. Compliance officers are not expected to become technological experts but they do need to ensure that cyber risks are effectively identified, managed, offset, monitored and reported on within their firm s corporate governance framework especially if they are asking for and sending strictly confidential data. There are some basic measures which compliance officers and their firms need to consider, and they must be prepared for increasing levels of regulatory interest in these areas: WHAT INFORMATION NEEDS TO BE PROTECTED? Risk, compliance and IT control infrastructures can only be designed to protect processes and assets that are known. In general everything from customer data to operational networks, the use of the cloud systems (outsourced as well as in-house), links to payment infrastructures and exchanges, to levels of user access to information need to be mapped and included in the governance infrastructure. Care should be taken to ensure that manual work-arounds, often a legacy of businesses acquisitions, are not excluded. The process may be manual, and therefore not cyber, but the human factor may well be the entry point into the firm s wider systems. The compliance function needs to ensure cyber risks are included in the full range of risks considered by firms. They must be able to identify the types of cyber security risk management process standards they use, such as those by the International Organization for Standardization (ISO). In addition, the practices and controls used for the protection of the firm s networks and information should be documented and readily available. WHAT ARE THE RISKS TO THE FIRM S INFORMATION? Financial services firms are very familiar with the concept of risk appetites. This should be extended to all information assets. It is essential that all risks are identified and that assessments keep pace with technological advances. WHAT MEASURES ARE NEEDED? Management information and reporting is not a one-size-fits-all and must reflect the nature and activities of the relevant firm. However, there are steps firms can take: Information risk management regime Establish an effective governance structure and determine the firm s risk appetite, maintain the Board s engagement with cyber risk and produce supporting information risk management policies. Every firm should have a full understanding of what data is stored within the firm, plus the consequences of losing the data. As well as understanding it, it is recommended that data stored should also be classified as: Strictly confidential e.g. personal information, passports Confidential e.g. company information Public publically held information Home and mobile working Where applicable, develop a mobile working policy and train staff to adhere to it, apply the secure baseline build to all devices and protect data both in motion and at rest. User education and awareness Produce user security policies covering the acceptable and secure use of the firm s systems, establish a staff training program and maintain awareness of cyber risks. Incident management Establish an incident response and disaster recovery capability, produce and critically test incident management plans and, where needed, include them in recovery and resolution planning or living wills. Managing user privileges Establish account management processes, monitor user activity, control access to activity and audit logs and ensure the complete removal of access as part of the firm leaving process. Removable media controls Develop and implement a policy to control all access to removable media. Monitoring Establish a thorough monitoring program using external expertise where needed by, for example, employing professional hackers to test system firewalls and other access controls. Secure configuration Ensure that security patches are applied in a timely manner and that the secure configuration of all relevant systems is maintained and evidenced. Malware protection Establish and maintain strong anti-malware defenses and ensure continuous scanning for malware across the firm. Network security Protect networks against external and internal attack, manage the network perimeter and regularly monitor and test all security controls.

7 Cyber Security & Managing KYC Data 7 DO SECURITY MEASURES WORK? A fundamental part of cyber resilience is testing to ensure that the measures in place work. Although it is not necessarily something for the compliance function itself to perform, the process does need to ensure that the effectiveness of, and adherence to, the control infrastructure is thoroughly tested, and any gaps or issues are followed up. Physical disaster recovery plans may look fine on paper but often they do not work as designed in practice. Firms also need to consider what they would do if the worst happened and they became victims of a full-blown cyber attack. Carefully thought-through and tested incident management and contingency plans need to be agreed, pre-emptively, at the highest levels of the firm. These should include communication protocols (to media, regulators and customers as well as other stakeholders) and the authority levels needed to invoke disaster or recovery plans (for example, the switching of operating systems to a secure back-up location). An inherent part of testing whether planned security measures work is the follow-up investigation to assess any attack and the lessons to be learned. As regulators focus on the need for consistently good customer outcomes delivered by firms which have strong compliance cultures and a watertight approach to conduct risk, cyber risks have arrived rapidly on firms risk radars. The compliance function needs to ensure cyber risks are expressly included in the range of risks considered by firms, and that the Board is prepared to discuss the actions taken to ensure that all reasonable measures are in place to embed cyber resilience throughout the firm. CONCLUSION Cyber risk is not just for technology specialists; it is part of a broader issue of how organizations defend themselves against potential risks. Extensive consideration and effort is needed to ensure organizations are cyber resilient. Whatever type of data is handled and wherever it may be in the data lifecycle (in active use, in motion or at rest), it is open to potential security breaches. The need for security specifically around the KYC process is particularly important when firms are dealing with large amounts of highly confidential identity information. Spend on cyber/data security is a vital necessity; investment in trading technology ensures firms achieve alpha, however investment in cyber security ensures a firms ultimate existence. The head in sand attitude some firms have towards having defenses against cyber crime needs to end. The potential of lapses in data security cannot be ignored and must be part of the firms overall operating rhythm. The compliance function needs to ensure cyber risks are included in the full range of risks considered by firms. This requirement does add to the already heavy workloads of compliance professionals. Appropriate processes, technologies and people must be deployed in the fight against cybercrime. Due to the sensitive and serious nature of cyber threats and the time and effort needed to mitigate this risk, a viable option is to use third party organizations specializing in KYC data management not only to partner with service providers that offer a KYC managed service, but also to ensure there are no lapses in data management caused by the heavy burden on compliance professionals.

8 RISK MANAGEMENT SOLUTIONS FROM THOMSON REUTERS Risk Management Solutions bring together trusted regulatory, customer and pricing data, intuitive software and expert insight and services an unrivaled combination in the industry that empowers professionals and enterprises to confidently anticipate and act on risks and make smarter decisions that accelerate business performance. For more information, contact your representative or visit us online at risk.thomsonreuters.com 2015 Thomson Reuters GRC03350/9-15 Thomson Reuters and the Kinesis logo are trademarks of Thomson Reuters.