A DELTA RISK VIEWPOINT
Hedge Funds and Cyber Security: What fund managers need to know
Helping clients build operational capability in cyber security.
About Delta Risk
Delta Risk is a global provider of strategic advice, cyber security, and risk management services to commercial and government clients. We believe that an organization's approach to cyber security should be planned, managed, and executed within a tailored and organization-specific program. We help guide organizations to succeed in today's cyber environment by building on the people, processes, and technology they already have. 2015. All rights reserved.
Hedge funds need customized information security programs to address their specific cyber risks.

When it comes to cyber security, hedge funds and some other buy-side entities in the capital markets are in a singular position among financial services firms: although their business models are heavily reliant upon information technology, they are subject to few compliance requirements for the security of this information and its supporting technology infrastructure. In short, hedge funds are on their own for cyber security. [1]

A lack of regulatory requirements, of course, does not mean that hedge funds ignore information security or that they are ignorant of cyber threats. Given the IT-centric nature of the business and the seemingly unstoppable nature of the threats that exist in cyberspace, no hedge fund can turn a blind eye to the issue. But fund manager attitudes towards it cover a wide spectrum, from near-paranoia to a more restrained anxiety. Across the spectrum, getting information security right can be tricky; it deserves priority attention.

This Delta Risk Viewpoint offers the perspective that hedge funds should pursue a deliberate top-down and bottom-up information security program development approach that builds around an accepted risk management framework, yet is tailored to their size, structure, and operating model. Recommendations are made in three areas (summarized in the Key Take-Aways at the end of this Viewpoint):
- Establishing a cyber security governance model
- Implementing a cyber security risk management framework
- Managing cyber security operations

Fund managers may be tempted to search for an easy approach to information security, a quick fix that would allow them to keep their focus on investment strategy and the markets. Seeking some canned set of security controls, buying the best of everything, or just outsourcing cyber security completely sound like simple solutions. Though these ideas have merit, none is sufficient as an enterprise strategy. Cyber security risks should be managed deliberately and in a way that is tailored to the characteristics of the specific hedge fund.

[1] Although the regulatory burden on hedge funds is increasing at both federal and state levels, requirements related to information security are limited, emphasizing information retention and archiving and protection of personal information. However, the success motive and market forces such as investor expectations and due diligence of a firm's Operational Risk Management are significant driving factors for firms in addressing information security risks.
The Cyber Security Challenge for Hedge Funds
Hedge fund management firms are a diverse group, with a wide range of AUM, asset classes, investment strategies, clientele, IT infrastructures, and so on. With respect to cyber security, though, they have much in common. To start with, of course, what is at risk from cyber threats for hedge funds is the same as for any other firm in financial services: financial loss, disclosure of proprietary or private information, reputational damage, legal actions, poor performance, and ultimately even failure of the fund.

As a group, hedge funds share a number of key cyber security challenges that stem from the particular infrastructure requirements of the business. For instance, hedge funds need external connections to market data sources, trading venues, and settlement organizations, as well as to their investors. External links always present potential security risks. Hedge funds also frequently want speed, extreme speed, both in their computing engines and their transactions. Technical solutions that reduce transmission times have both good and bad security implications. The integrity and confidentiality of trade execution itself, fundamental to investing, cannot be taken for granted. And front, middle, and back office functions that process large volumes of data from multiple sources pose not just data management challenges but data security challenges as well.

In the industry as a whole, much is outsourced: infrastructure, applications, and services. Usually security is offered by the service provider as part of the outsourcing package. Outsourcing security functions needs to be risk managed just as insourcing does because, of course, the risks are owned by the business, not the service provider. Hedge funds must also pay attention to the insider threat to guard against fraud, theft of intellectual property, and unwitting employee errors that can put information resources at risk.
Security controls are required throughout the enterprise to address this often inconspicuous but very significant business risk.

At the same time, hedge funds typically have less exposure to some of the cyber security risks faced by other types of investment firms. Most hedge funds operate discreetly and with a premium on investor privacy. With their select investor base, they generally do not have the same scale of customer account management, remote and mobile access, or identity management needs as retail investment firms. It also means that they have less need to be openly accessible on the Internet or visible to search engines, to have an active presence on social media such as Twitter and Facebook (though social media analysis may feed into trading algorithms), or to have flashy and highly script-laden websites. [2]

The hedge fund's relationship with risk is also a distinctive characteristic of the sector. Fund advisors possess a sensitivity to the upside potential of risk taking, in addition to the downside. Indeed, being comfortable with the elevated risks that come with aggressive trading, and managing them wisely, are key factors for sustained success in the hedge fund business. This outlook stands in clear contrast to cyber security, where the effort is strongly concentrated on avoiding or reducing risk as much as possible.

Like most companies, hedge fund firms are understandably reluctant to openly discuss their experience with cyber intrusion attempts and breaches. However, there is no doubt that the financial services sector as a whole is a prime target of sophisticated cyberspace hackers. Each firm must understand its own cyber vulnerabilities and implement controls to manage its security risks. Figure 1 summarizes many of the cyber security considerations pertinent to hedge funds.

[2] All this may be changing as a result of the September 2013 amendments to SEC rules to permit hedge funds to engage in solicitation and advertising. Increasing a firm's public presence on the Internet raises information security risks that should be addressed in advance.
Figure 1 Some Cyber Security Considerations for Hedge Funds

Risk Area: Protecting proprietary trading strategies and algorithms, and analytical methodologies
This proprietary information should be classified at the highest level of importance and protected accordingly. Those who develop the algorithms and trading strategies and implement them in software must be among the most trusted employees in the firm. Robust processes for managing personnel security risks should be in place. Strong controls over access to this information from both internal and external threat sources are needed. Data leak prevention and monitoring of the inflow/outflow of data from host devices should also be considered.

Risk Area: Securing software
Most cyber breaches by external threats involve the exploitation of vulnerabilities in software. The security of software is often neglected in the drive to get systems operational. This is true for commercial off-the-shelf, outsourced, and in-house software development alike. Software assurance should be part of every enterprise information security risk management program. The Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook (Information Security) and the BITS/Financial Services Roundtable Software Assurance Framework both have relevant and useful guidance on software security. Security controls are needed for software development and test environments, as well as for the production environment.

Risk Area: IT infrastructure for front, middle, and back office functions and external connections
The IT infrastructure of established hedge funds may include a combination of legacy and new-generation systems, integration of diverse mainframe accounting systems, data management systems, service oriented architectures, data centers, clouds, risk systems, and others, with potential vulnerabilities at the interfaces.
Smaller and newer hedge fund management firms may outsource most of their IT to specialized providers, which also requires security oversight. Access to execution venues, whether through brokers, direct market access, co-location, or other means, requires attention to security, including end-to-end encryption, tight configuration and vulnerability management, and physical security at the interfaces.

Risk Area: Other information security risks
Shortfalls in physical security, either in the server room or the office suite, can lead to information risks. Information security risk management should identify controls to address threats and vulnerabilities associated with physical access to facilities and information resources. Electronic listening devices, covert recording, and tapping of telephones (switched or VoIP) can expose intellectual property, trading strategies, investor information, or other proprietary data. Insiders present one of the greatest threats to hedge funds. Without adequate security controls, insiders who are so motivated can use their trusted access to information to commit fraud, steal intellectual property, or leak proprietary information, all of which present risks to the enterprise. Unwitting employee errors can also put information resources at risk. Precise access controls, internally-facing intrusion detection/prevention systems, data leak prevention, and training are some of the relevant control areas.

Risk Area: Outsourced services
Cloud services. Cloud services can offer efficiencies and improved performance in application hosting, data management, disaster recovery, and business continuity, as well as reduced architectural complexity. In principle the cloud can provide improved security over typical in-house infrastructure, but specialized security considerations include multi-tenancy, management of virtual machine configuration, incident response and forensic analysis, identity and access management, encryption key management, and integration with the firm's security risk management processes. Cloud security controls and how they are to be managed should be specified in Service Level Agreements (SLAs). SLAs should also address service interruptions and data loss or corruption. The cloud can enable improved data security within an enterprise-wide data management architecture that integrates siloed data stores; this can simplify security controls while achieving other operational efficiencies. A multi-cloud architecture may have advantages, for example a private cloud at the co-location site that segregates high-value trading data and processes from business functions such as data warehousing, reporting, hosting of desktop platforms, email, and some back office applications. Multi-cloud architectures are frequently adopted as part of a redundancy, business continuity, and disaster recovery strategy. In any case, careful planning of security architecture and controls is called for.
Hosted IT environments and managed services. Hedge funds' technology needs are often met through services offered by prime brokers, hedge fund hotels, or other providers. Services often outsourced include market data access connections, business applications hosting, accounting and reporting tools, data management, e-mail, and disaster recovery. Other providers deliver order routing, FIX connectivity, pre-trade risk management, and market access. Outsourcing offers advantages such as reduced cost, simplified IT architectures, and often good security management. Transparency into security controls and a means to validate them should be addressed in the Service Level Agreement.
Co-location. Co-locating trading systems and other assets at the trading venue, in addition to its operational advantages, can help address security, resiliency, business continuity, and disaster recovery.

The Way Ahead
At a top level, hedge fund management firms need a way of managing cyber security risks that affords the firm's leadership sufficient control and visibility into the state of play to direct the program and avoid surprises. Needs also vary with the size of the firm. A firm with AUM of, say, less than $50 million has different cyber security needs from those of a large and established firm with $500 million AUM. Despite the risks, cyber security is not the core business and must compete with other pressing demands for executive attention. What is needed is to institutionalize a cyber security risk management program that is defined and governed by the firm's leadership but executed by functional experts.

Cyber Security Governance
For IT-centric businesses such as hedge funds, the security risks to data and information resources are among the most serious operational risks to the enterprise. The cyberspace threat facing business today is no longer the troublesome techno-geek defacing websites. Highly sophisticated criminal syndicates and nation states are now primary actors, and they are not only capable of the most advanced attacks, they are also the ones spearheading them. Cyber crime rings are increasingly blending with transnational organized crime. The global nature of the Internet, the ability to hide under layers of encryption and anonymization techniques, and the varying cyber crime legal structures worldwide give cyber criminals many ways of avoiding detection and hiding from prosecution. Marrying cyber technical expertise with the classical fraud, narcotics trafficking,
extortion, and intimidation specialties of organized crime networks is a formula for the flourishing of criminal activity. In cyberspace the financial services sector is one of their main arenas. The inset box lists some of the things that cyber hackers may be able to achieve if they can exploit a hedge fund's information infrastructure. These risks should be addressed through a well-defined enterprise-level risk management program.

What Can Cyber Criminals Do to Hedge Funds?
- Gain control of your email accounts
- Interrupt or corrupt your trading operations
- Conduct illicit financial transactions and other forms of cyber crime through your infrastructure
- Make servers and end user machines in your infrastructure part of an automated network (botnet) to perpetrate fraud or other cyber crimes
- Use your infrastructure as an entry point to the network resources of other entities in the capital markets value chain
- Gain access to voice or video teleconferences
- Exfiltrate proprietary or private data, including research, trading algorithms, and investor data
- Exploit your infrastructure to attain anonymity in other Internet activities unrelated to you

Information security governance should reflect the overall enterprise risk management strategy and risk governance framework of the firm, and should address the elements outlined below. Each of these governance elements applies to every hedge fund, but should be tailored to the specific needs of the business.

Risk appetite. If the hedge fund has developed a statement of risk appetite, then cyber security risks should be included in it. This statement should: link cyber risks with business strategy; align cyber security risks with other risk domains (such as investment risk, fraud risk, compliance risk) in a common template; and include risk thresholds that would trigger escalated reporting. If the hedge fund has a board of directors, the board should approve the statement of risk appetite. [3]

[3] The state of the practice in formal statements of risk appetite is uneven across financial services. There is no requirement for hedge funds to promulgate a statement of risk appetite, though the practice is growing in the sector.

Information security policy. Policy on information security should reflect the risk posture that the firm's executive leadership has decided upon and articulated in the statement of risk appetite. It should be issued by the executive leaders of the firm. An overarching policy statement should define the information security risk management framework and assign responsibility and accountability for key processes such as controls monitoring, risk assessment, threat analysis, and incident response. Additionally, the firm should issue specific policies on:
- information value classification and management's goals for the protection of information in each category;
- access to and acceptable use of the firm's computing resources;
- managing the security of the IT infrastructure and external connections throughout system lifecycles;
- security requirements for outsourced infrastructure and services;
- controls related to the insider threat;
- incident response and third party breaches;
- business continuity and disaster recovery;
- other risks that can potentially have great impact on the firm's operation.
A set of policies such as this can serve as the root of a policy tree that is filled out with additional detailed policies as required. Developing and managing these policies should involve the Chief Risk Officer, Chief Technology Officer, Chief Information Officer, Chief Information Security Officer, and others.

Enterprise risk management. An executive-level directive should establish an information security risk management program that is consistent with the firm's broader Operational Risk Management processes and the governance-risk-compliance program. The program should include:
- Aligning information security goals with business goals;
- Integrating information security risk management with that of other risk domains at the enterprise level;
- Assigning overall responsibility for cyber security risk management to a senior executive such as the Chief Security Officer, Chief Operational Risk Officer, or Chief Information Security Officer;
- Adding information security to the scope of the Chief Risk Officer (or equivalent) function;
- Establishing a senior risk board composed of the C-level executives and senior functional managers to oversee the information security program.

Roles, responsibilities, and decision rights. Roles, responsibilities, and decision rights should be explicitly defined to ensure that the relevant issues are being addressed and to provide for accountability. Items to address include:
- Definition of responsibilities within the information security risk management function (such as security controls definition, resource management, security operations), including decision rights and escalation thresholds up to and including the risk board;
- How responsibilities are overlaid on organizational structure;
- How cyber security risk management interfaces with the domains of IT risk, fraud risk, personnel security risk, and physical security risk management;
- Incident response and forensic investigation management.

Top-level governance of the cyber security program is important for every firm, large or small. For a startup or small firm with a management team of just a few people, many of these elements collapse together, most likely to be driven by the head of the firm or one of the partners. However, addressing cyber security governance at this early stage will position a small firm to scale its cyber security risk management program as it grows. Similarly, an established firm with AUM in the hundreds of millions of dollars, more exotic investments, and more complex compliance, portfolio management, and accounting needs benefits from a robust governance structure, even though its priorities and how it allocates responsibilities probably differ from those of a small firm. In all cases, a pitfall to avoid is over-engineering the governance and risk management structure and processes. Finding the balance between better and good enough in this critical area requires experience and judgment.

Recommendation
Develop and implement a cyber security governance model, based on accepted practices but tailored to the scale, scope, and operating model of the hedge fund. It should include:
- Mechanisms by which the senior members of the organization create and actively administer a formal statement of risk appetite; set top-level objectives and hold the organization accountable for meeting them; and make strategic decisions about risks and resources;
- Definition of responsibilities and decision rights in the execution of the cyber security risk management program;
- Organizational structure, processes, reporting templates, and tools to integrate cyber security risk management with the management of other key business risks at the enterprise level.

Cyber Security Risk Management
Information security today is not a battle that can be decisively won, and perhaps it never will be. It is a risk area that must be managed with continuous and sustained attention. Cyber security, like other operational risk domains, is not a "set and forget" proposition. Information value, security vulnerabilities, threat characteristics, and risk appetite are the independent drivers of enterprise cyber security programs. That is: how important are your information assets? Where are they vulnerable? What threatens them? How much risk are you willing to accept? These are tough questions; getting answers to them calls for a focused effort in any enterprise.

Cyber security risk management is inherently a qualitative endeavor and not entirely consistent with the quant culture of hedge funds. Neither deterministic nor stochastic, when done well cyber security risk management is driven by qualitative judgments based on a defined, systematic analysis process. [4]

Risk Management Framework
Figure 2 below identifies several families of risk management guidance publications. All of these frameworks have strong similarities and any of them can be applied to the management of information security in hedge funds.
Factors to consider in choosing a risk management framework for information security include:
- The ability to integrate information security risk management with the framework already in use by the firm to manage enterprise risk;
- The compatibility of the framework with those of other risk domains in the firm;
- Existing in-house expertise with a particular risk management framework;
- Ability to integrate cyber security risk management with core management processes and tools;
- Whether certification of compliance with an international standard is desired (e.g., ISO/IEC 27001).

A risk management framework provides a structure for the supporting processes. Four important process areas are highlighted here: selecting security controls, managing outsourcing risks, managing software risks, and reporting. The operational dimension of risk management is addressed separately in the next section.

Selecting security controls
Security controls are the management, operational, and technical measures to protect information and information resources. Selecting controls should be done systematically based on the findings of a comprehensive assessment of the information security risks that the enterprise faces. Guidance on controls selection, implementation, and management is available from some of the sources listed in Figure 2; ISO/IEC 27002 and NIST SP 800-53 are good examples. If your firm has in-house IT infrastructure, the selection and continuous review of controls should be recognized as a critically important set of processes. Similarly, if you outsource any or all of your IT, it is important to be able to independently verify how the service provider addresses this area.

[4] This is an area that is changing due to the increasing datafication of security management. Cyber threat intelligence platforms and advances in Security Information and Event Management (SIEM) technology are producing a wealth of data ("Big Data") that may allow more quantitative analysis of risk in the future. We are not there yet, however.

Figure 2 Useful Risk Management Frameworks

Source: FFIEC (Federal Financial Institutions Examination Council) IT Examination Handbook (Information Security)
Documents: FFIEC IT Examination Handbook InfoBase, http://ithandbook.ffiec.gov/it-booklets.aspx
Comments: Part of a comprehensive series of handbooks developed by federal bank regulators for use in bank examinations; defines a risk assessment process that is straightforward and directly applicable to hedge funds.

Source: COSO (Committee of Sponsoring Organizations) Enterprise Risk Management - Integrated Framework
Documents: http://www.coso.org/erm-IntegratedFramework.htm
Comments: Incorporates the COSO Internal Control Framework, which has been widely adopted to support Sarbanes-Oxley reporting requirements, broadening the framework to embrace risk management across the enterprise; the COSO Model of Internal Control (the "COSO Cube") is well known to risk management practitioners and widely adopted by the auditing profession.

Source: COBIT 5
Documents: http://www.isaca.org/cobit/pages/default.aspx
Comments: Comprehensive organizing framework for information security, risk management, business continuity, intellectual property protection, assurance, and compliance; emphasizes the business view of enterprise IT governance; aligned with other frameworks including ISO 31000.

Source: NIST Special Publication 800-39, Managing Information Security Risk
Documents: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=908030
Comments: Written to address U.S. government requirements, NIST SP 800-39 is broadly applicable to enterprises of all kinds; in combination with NIST SP 800-30 Rev 1 and NIST SP 800-53 Rev 4 the series provides a comprehensive approach to information security; includes a detailed classification scheme for threat sources, impacts, and vulnerabilities.

Source: ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements
Documents: http://www.iso.org/iso/home/store
Comments: International standard that specifies the requirements for an information security management system; intended to be applicable to all organizations; in combination with ISO/IEC 27002 (Code of practice for information security controls) and the other standards in the 27000 series it represents an entire information security management ecosystem.

Source: ISO 31000:2009, Risk management - Principles and guidelines
Documents: http://www.iso.org/iso/home/standards/iso31000.htm
Comments: International standard for the implementation of risk management principles; provides principles, a framework, and a process for managing risk; in combination with ISO/IEC 31010, which focuses on risk assessment techniques, this series provides a comprehensive approach to risk management that can be applied to information security.

Note: Though to some extent these documents represent apples and oranges, they are all very similar in purpose and in a practical sense represent alternative conceptual frameworks, any one of which can help in establishing enterprise-level risk management structures and processes.
Managing outsourcing risks
A large majority of hedge funds outsource at least some IT services, and in fact many retain little or no IT infrastructure of their own. Technology providers who serve the hedge fund industry usually include security with the packages they offer. Let the buyer beware, however. It is necessary to get past the buzzwords and truly understand what security is being promised and how the buyer can independently validate the quality of the security being delivered. [5]

Due diligence on four aspects of a provider's security program is critically important in the selection process: policy, threat awareness, security controls, and security operations. Analysis of provider offerings will reveal differences in all of these areas. How responsive is the provider to the buyer's policy priorities? How does the provider obtain, manage, and integrate cyber threat intelligence to protect the infrastructure and environment? What security controls are available and how responsive is the provider to the buyer's needs? How well does the provider continually monitor, assess, and manage the security of the infrastructure? How does the provider respond to security breaches? What are the parameters for conducting forensic investigations? As in other due diligence efforts, it is important to drive to fact-based answers and historical evidence, not just policy pronouncements.

Once a provider has been selected, the Service Level Agreement (SLA) is the mechanism for agreeing on security controls and their management, as well as on how they are evidenced. Additional questions include what is to be disclosed to the buyer regarding a cyber event or exposure, how much visibility the buyer has to validate the controls and their effectiveness, who can access selected records from storage, how compliance requirements for records archiving and retrieval will be met, and whether data encryption will be used and how it will be managed. At a minimum, third-party attestation should be used to demonstrate that agreed upon requirements are being met. The American Institute of CPAs (AICPA) has defined a formal Service Organization Control review (SOC 2) that is based on a published standard addressing the areas of Security, Availability, Processing Integrity, Confidentiality, and Privacy. The SOC 2 review provides third-party attestation of the controls and their implementation. [6] Whether the IT is outsourced or insourced, information security risks belong to the enterprise.

[5] Though providers typically advertise without elaboration that their systems are secure, information security professionals maintain that, like the mythical free lunch, there is no such thing as a secure IT system. The question is always about how the risks are managed, and for information security that is a continuous 24x7 undertaking.
[6] See Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2), AICPA Guide, 2012. American Institute of CPAs.

Managing Software Risks
Software underpins the entire capital markets system, yet software weaknesses make up the lion's share of exploitable vulnerabilities in the cyber world today. This is true for commercial off-the-shelf software, custom outsourced software, and software developed in-house. Measures to improve the security of software include establishing a strong culture of security awareness among software developers and procurers, elevating the priority of security in software procurement and in-house software development, and implementing a robust software assurance program that includes education and training for developers, specified coding practices, and integration of security with development and testing.

Reporting
Protocols for escalating and reporting on information security risks should be incorporated into the risk management framework as it is implemented. Leading indicators (Key Risk Indicators) and lagging indicators (information security-related Key Performance Indicators) both have their place. Additionally, data on vulnerability scanning results, configuration management, certificate management, access controls, current policy deviations (e.g., ports and protocols, access controls, devices, passwords), and risk assessment results may also be reportable. Managers should define thresholds that will trigger actions to adjust controls.

Recommendations
Adopt and implement an accepted cyber security risk management framework and supporting processes. The process should provide for: identification of threats; the selection, implementation, and continuous monitoring of security controls; regular risk assessments; the identification of Key Risk Indicators; and reporting processes, all tailored to the size and scope of the hedge fund organization and consistent with the governance model. Pay particular attention to the security controls of software development and outsourced IT services.

The Operational Dimension
Often security technology is loosely equated with security. This is not accurate. The range of information security controls actually consists not only of technical measures but also administrative and physical measures. Even more importantly, technological devices and architectures are only part of what makes for an effective technical control: those devices must be configured and operated effectively and managed throughout their service lives. Information security thus has a very strong operational component.
This operational dimension includes configuration and vulnerability management, regular risk assessments, continuous network monitoring, threat monitoring, and breach detection and response, including forensic investigation. Whether outsourced or insourced, how well these operational activities are conducted can make or break security risk management.

Additionally, regular assessments of the controls themselves are needed, under a process usually called continuous controls monitoring. Are they implemented properly? Has anything changed in the infrastructure to negate their effectiveness? Does the control require adjustment? This is an especially tough challenge for cyber security in many enterprises because of the wide range of controls and the large volume of data associated with them. Audit logs and other data sets drawn from network devices such as firewalls, intrusion detection and prevention systems, vulnerability scanners, and security configuration assessment solutions can produce raw data by the terabyte every day in a large enterprise. But with a highly adaptive threat and new IT vulnerabilities continually being discovered, it is a necessity. Each control should be reviewed on a regular basis at a frequency suited to its function and operational dynamics.

It should be noted that the need for continuous controls monitoring applies under both insource and outsource models. In the case of outsourcing, due diligence and independent attestation are the management levers to assure that the security advertised is being delivered.
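The reporting thresholds described under Reporting and the control reviews described under continuous controls monitoring reduce to one repeatable evaluation: pull the data each control produces, compute the agreed indicators, compare each against a threshold management has set, and emit the action attached to every breach. The Python script below is an added example written for this page, not code from Delta Risk or the Viewpoint; the scan findings, closed findings, certificate inventory, policy deviations, SLA values, thresholds, and host names are all constructed, and the "today" date is fixed so the run is deterministic. It computes three leading indicators (critical vulnerabilities past SLA, certificates near expiry, policy deviations) and one lagging indicator (mean time to remediate), and returns only the escalations whose thresholds were crossed.

```python
"""Continuous controls monitoring: compute Key Risk Indicators (leading) and a
Key Performance Indicator (lagging) from control data, compare each with a
management-defined threshold, and return the escalations that result.

Added example, not from the Delta Risk Viewpoint. Every data set, host name
and threshold below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Fixed "today" so the example is deterministic.
TODAY = date(2015, 6, 1)

# Constructed vulnerability scan findings: (host, severity, first_seen).
SCAN_FINDINGS = [
    ("trade-gw-01", "critical", date(2015, 4, 20)),
    ("trade-gw-01", "high",     date(2015, 5, 25)),
    ("oms-db-02",   "critical", date(2015, 5, 28)),
    ("fileserver",  "medium",   date(2015, 3, 1)),
]

# Constructed findings already remediated: (severity, opened, closed).
CLOSED_FINDINGS = [
    ("critical", date(2015, 5, 1), date(2015, 5, 10)),
    ("high",     date(2015, 4, 1), date(2015, 5, 15)),
]

# Constructed certificate inventory: (common name, not_after).
CERTIFICATES = [
    ("api.fund.example", date(2015, 6, 10)),
    ("vpn.fund.example", date(2016, 1, 1)),
]

# Constructed policy deviations from a configuration assessment:
# (host, check, observed value).
POLICY_DEVIATIONS = [
    ("oms-db-02",   "open_ports",      "1433/tcp reachable from any source"),
    ("trade-gw-01", "password_policy", "minimum length 6"),
    ("jump-01",     "open_ports",      "23/tcp (telnet) enabled"),
]

# Assumed remediation SLA in days by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass
class Indicator:
    name: str
    value: float
    threshold: float   # a value above this triggers the action
    action: str        # what management has agreed to do on a breach

    @property
    def breached(self) -> bool:
        return self.value > self.threshold


def overdue_vulns(findings, today=TODAY):
    """Open findings older than the SLA for their severity."""
    return [(h, s, seen) for h, s, seen in findings
            if (today - seen).days > SLA_DAYS[s]]


def expiring_certs(certs, within_days=30, today=TODAY):
    """Certificates that expire within the window (or already have)."""
    return [(cn, na) for cn, na in certs if (na - today).days <= within_days]


def mean_time_to_remediate(closed):
    """Lagging KPI: average days from finding opened to finding closed."""
    if not closed:
        return 0.0
    return sum((c - o).days for _, o, c in closed) / len(closed)


def compute_indicators(findings=SCAN_FINDINGS, closed=CLOSED_FINDINGS,
                       certs=CERTIFICATES, deviations=POLICY_DEVIATIONS,
                       today=TODAY):
    """Build the indicator set reported to management each review cycle."""
    overdue = overdue_vulns(findings, today)
    crit_open = sum(1 for _, s, _ in findings if s == "critical") or 1
    crit_overdue = sum(1 for _, s, _ in overdue if s == "critical")
    return [
        Indicator("critical vulnerabilities past SLA (%)",
                  100.0 * crit_overdue / crit_open, 0.0,
                  "escalate to the CISO; patch or isolate the host"),
        Indicator("certificates expiring within 30 days",
                  len(expiring_certs(certs, 30, today)), 0,
                  "renew and review the certificate inventory control"),
        Indicator("policy deviations",
                  len(deviations), 5,
                  "review the configuration baseline and change control"),
        Indicator("mean time to remediate (days)",
                  mean_time_to_remediate(closed), 30.0,
                  "review patch management staffing and process"),
    ]


def escalations(indicators):
    """The actions to trigger this cycle: one per breached threshold."""
    return [(i.name, i.action) for i in indicators if i.breached]


if __name__ == "__main__":
    inds = compute_indicators()
    for ind in inds:
        status = "BREACH" if ind.breached else "ok"
        print(f"{ind.name:42s} {ind.value:8.1f} / {ind.threshold:<6g} {status}")
    for name, action in escalations(inds):
        print(f"ACTION [{name}]: {action}")
```

With the constructed data, two of the four indicators breach (one critical finding is 42 days old against a 14-day SLA, and one certificate expires in 9 days), while three policy deviations and a 26.5-day mean time to remediate stay under their thresholds and produce no action. The point of the structure is that the threshold and the action are recorded next to the indicator, so a control review is a data question rather than a judgement made fresh each time; the review frequency the paper calls for is simply how often this evaluation is run.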
Recommendations

- Invest resources in 24x7 security monitoring, 24x7 operational management of security controls, and the lifecycle management of system security.
- For outsourced IT infrastructure, managed services, and application hosting, conduct due diligence on the cyber security capability of potential service providers, including their management of the operational aspects of information security. [7]
- Include specific cyber security requirements in outsourcing contracts and negotiate Service Level Agreements to ensure independent attestation that the security being delivered meets the requirements.

Key Take-Aways

Cyber security is a risk area of vital importance to hedge funds because of the IT-centric nature of the business and the existence of motivated and highly sophisticated cyberspace criminals. What is at risk from cyber threats for hedge funds includes financial loss, release of proprietary or private information, reputational damage, legal actions, poor performance, and ultimately even failure of the fund. Figure 3 summarizes the recommendations.

Figure 3 - Summary of Recommendations

Establishing an information security governance model
Develop and implement an information security governance model tailored to the scale, scope, and operating model of the hedge fund. It should define:
- How senior members of the organization set top-level objectives and hold the organization accountable for meeting them;
- Responsibilities and decision rights in the execution of the program;
- Organizational structure, processes, reporting templates, and tools to integrate information security risk management with the management of other key business risks at the enterprise level.

Implementing an information security risk management framework
Adopt and implement an accepted information security risk management framework and supporting processes.

Managing security operations
Invest resources in 24x7 security monitoring, 24x7 operational management of security controls, and the lifecycle management of system security. For outsourced IT infrastructure, managed services, and application hosting:
- Conduct due diligence on the cyber security capability of potential service providers;
- Include specific cyber security requirements in outsourcing contracts and negotiate Service Level Agreements to ensure independent attestation that the security being delivered meets the requirements.

7. Assessment of the cyber security of outsourced infrastructure and services is increasingly becoming a regulatory requirement in different parts of the financial sector.
Cyber security risk management should be institutionalized within a governance structure that establishes the broad parameters and risk boundaries, with a management structure to implement and carry out the enterprise goals.

There are many specific risk exposures stemming from the particular infrastructure requirements of hedge funds. IT infrastructure requirements in the sector are met by both insource and outsource approaches. In either case, the associated information security risks must be managed in a deliberate fashion.

Delta Risk can help

If your hedge fund management firm is challenged with establishing a tailored cyber security risk management program, Delta Risk may be able to help. We have expertise in developing enterprise cyber security programs and supporting the implementation of processes for risk management and the day-to-day management of cyber security operations. With our independent and objective focus on cyber strategy, policy, program development, and risk management, we can help you think through the ideas presented in this Viewpoint as they apply to your enterprise, understand and prioritize your cyber security challenges, and devise and implement tailored approaches to address them.
Contact Information

To discuss these ideas, please contact us at info@delta-risk.net

Delta Risk offices:

San Antonio, Texas
106 St. Mary's Street, Suite 428
San Antonio, TX 78205
210-293-0707

Washington, DC
4600 N Fairfax Dr., Suite 906
Arlington, VA 22203
571-483-0504