Ep. 37 The Long-Short | Are you cyber resilient? Are you sure?

Published: 03 August 2022

The Long-Short is a podcast by the Alternative Investment Management Association, focusing on the very latest insights on the alternative investment industry.

Each episode will examine topical areas of interest from across the alternative investment universe with news, views and analysis delivered by AIMA’s global team, as well as a host of industry experts.

The need for cyber-resiliency was thrown into sharp relief in 2020, when the world voyaged into a new era of digital working. This radical shift in how we work has triggered a permanent arrangement regarding hybrid working. This in turn has ramped up the need for more sophisticated conversations about the risks and challenges with digital working and cyber-security.

This week we are joined by George Ralph who has been at the forefront of helping fund managers ensure they are cyber-resilient. George is Global Managing Director and Chief Risk Officer RFA, which is a financial cloud and cyber-security services provide it to the investment management sector.

Listen to this episode and subscribe on Spotify

Listen to this episode and subscribe on Apple Podcasts

Listen to this episode and subscribe on Google Podcasts

Listen to this episode and subscribe on Amazon Music

Read the transcript 

Hosts: Tom Kehoe, AIMA; Drew Nicol, AIMA

Guests: George Ralph, Chief Risk Officer at RFA

Tom Kehoe, AIMA  00:05

You're very welcome back to The Long-Short. The need for what's now known as cyber-resiliency was thrown into sharp relief in 2020, when much of the world was forced to work remotely in a fully digital environment for the first time. Two years on, what was initially predicted to be a short stint working at home has radically changed working practices as many of us have shifted to a more permanent arrangement regarding hybrid working. This in turn has ramped up the need for more sophisticated conversation about the risks and challenges that come with the new digital tools that we've adapted to ensure maintaining business operations.

Drew Nicol, AIMA  01:33

For the alternative investment industry, AIMA has produced a series of resources to help members navigate these issues. And we are joined today by someone who has been at the forefront of helping fund managers in this regard. George Ralph is Global Managing Director and Chief Risk Officer RFA, which is a financial cloud and cybersecurity service provided to the investment management sector. George, welcome to The Long-Short.

George Ralph, Chief Risk Officer at RFA  01:54

Thank you for having me.

Drew Nicol, AIMA  01:58

So let's go back to 2020 when everyone was first sent home, and had to figure out what zoom was, the COVID pandemic didn't start the trend of embracing digitalisation, but certainly accelerated it. So, how challenging was that period for the average fund manager to pivot to maintaining BAU processes in a digital environment, essentially, overnight?

George Ralph, Chief Risk Officer at RFA  02:21

It's a great question, and it's one that keeps coming up. Technology is very similar to running a business, you learn your greatest valuable assets in terms of strategy from the lessons you've learned the hard way. And I think the key thing for the average fund manager, if we ignore RFA clients and think about the sector as a whole, is that firms who had very traditional technology, maybe they've not moved into a public cloud yet and they're using systems like Citrix where you've got server resources licensing to think about, a lot of those tools were considered just simply for business continuity purposes.

For example, you have a firm with 100 users, it may be that as part of their business continuity strategy, they have 20 licenscs for Citrix, because there's never an assumption that everyone's going to need to be on the system at the same time. And so, a lot of firms that were not prepared for that or cut costs around licensing then had to suddenly scale up licensing, scale-up server resources so that everyone could be on the system at the same time. That was a lot of firms that had been well established and had technology, they hadn't quite evolved properly.

I think the challenge we had across our client base, because we've been promoting public cloud since 2014 now, was all about logistics. And it was about projects that we could remain delivering, projects had to go on hold. So, what I mean by that is, if you've got a really good flexible working model, from an infrastructure perspective, if you've got a mobile-first strategy with things like SharePoint and Exchange Online, and you don't have a big server infrastructure, when someone has to suddenly move from an office to satellite offices, you suddenly need to work out how do we get their monitors to their house? Or do we just buy a new set of monitors? Do we want computer screens with arms? Do we want one big screen? Do I need an ergonomic office chair? Or am I going to have problems in six months with that? And then you had this challenge where people didn't want to do all the purchasing because they assumed it was only going to be for a couple of months.

So, a lot of it was around logistics, rather than the technology and then it kind of evolved into more of the governance and policy and risk side. So, there were queries about how are we securing people's home networks, it's not actually an office location, we can't dictate to them. We, for example, set up a COVID-specific website, which had tips and tricks and advice on changing WiFi passwords, so it was more secure and that kind of thing. But from a compliance and risk perspective, it was more around, what are we going to do about printing? We can't just have people printing documents out in their house, because there's no way of tracking it. How do we know what's been printed? Where's it gone? Why did they print it? And so, it became more about queries around that, in terms of risk and sort of the practical side. But I think the main thing in terms of BAU was the logistics challenge for people.

Tom Kehoe, AIMA  05:52

And George, just thinking about that, from the onset of the pandemic, we're looking back to early 2020, right to the height of the pandemic period. You've mentioned some of these issues, are there any common issues because you've got a variety of clients large and small? But were there any common issues, then that you're having to come back time and time again, working with your clients to resolve? You've talked about the risk side of it, and that has obviously become a lot more important, particularly when people working in a hybrid setting, but give us a sense of the nature of the work you were doing with your clients at the peak of the pandemic, and how you're looking to do that now today as well?

George Ralph, Chief Risk Officer at RFA  06:34

I think if I could hone in on a particular problem that we had, that wasn't necessarily a repeat issue, was very much about legacy systems. So, this is a general technology problem, when people develop their own platforms, generally they're not a SAS platform, they're generally something that's running on a development environment, you've got a test server, you've got production servers, it's how people access those that remains a problem. It is still a problem now because people are working from home and it's how they access that securely. And generally, with legacy systems, you're limited to how you can connect people to that, so, a lot of what we've been doing with our development team is to try and take people's legacy systems and turn them into SAS products just because it's more secure, and you can containerise the access to a browser.

The other thing that's slightly related to that, I have to be careful how I phrase this, is that there are certain products out there that are licensed by the actual physical device. And for that, you have to be at the physical device, which may be in their office. A lot of people were then needing systems to connect to the computer back in their office to access the system, because if they didn't, they'd have to buy a copy of that system and have it in their house, which then doubles the price of the licensing. So, people were asking us to come up with weird and wonderful solutions to access these platforms, because they didn't want to double their licensing cost and commit to a year of the licensing costs when they thought that they might only be doing it for two months. And so, we've been talking with the manufacturers of some of these licensing software products to try and help them come up with a sort of a BCP licensing model. Maybe you can pay for the licence based on what's on at the time rather than the physical device numbers.

Though those are the main things from a technology perspective, I think the other thing that remains a challenge, and I don't think this is specific to our sector, or even technology, is sort of project challenges. So, one of our clients, for example, was very clever in the way they did this, we always do fixed fee projects for our clients, because we want to show them that it's a shared risk. You know, we know how long it should take to do a project, but they don't necessarily know how long, so, it's a fixed fee shared risk commercially, that kind of thing. And we had one client who needed to do a desktop refresh for 120 people. We planned it for the end of March, right just as COVID arrived.

Our plan was to do a coffee-shop-like engagement to do the refresh of this equipment. So, they were moving from desktops and Lenovo laptops to Microsoft Surface Pros, we had all these Surface Pros pre-configured for the staff. We were going to have lunchtime sessions where people would come in, 10 to 20 people at a time. We had to have sandwiches, coffees and things, and then we would show them how to use the Surface Pros and to put their profiles on the new one, and then the old ones would go to recycling, and they would go away with a new Pros. It's great way of teaching them the new device. You're not having to go around to people's desks and disrupt the business. When we entered the COVID era, all of a sudden, we had people in Madrid, California, like all over the world, but we still needed to roll these machines out because they'd been purchased. And it was a fixed-fee project. So, the client had a timeline, we had a timeline, in the end, what we had to do is collate all of the engineers at RFA who had motorbikes, and then try to get groups of people together out and around, obviously, it took longer to deliver. But it was a bit of a logistical challenge. And I think things like that are still a challenge for people.

As a result of COVID, we host startup hedge funds in our office here in Berkeley Square, I've got seven clients who have offices here, because they don't need to commit to a long-term contract, they want flexibility. So, we're trying to encourage people to come to us more, rather than this sort of branch effect of having to go around to everyone, and I think everyone has that challenge.

Drew Nicol, AIMA  11:05

One of the things I'm most keen to hear from you is how we've evolved to where we are now as opposed to where we've come from. But just before we get there, the other thing I wanted to bring up was, we heard so much at the time, around this big uptick in cyber criminals trying to take advantage of the period of flux that we're in as everyone was adjusting to home working, maybe not as secure as they were, at least initially. And we heard a lot of stories around phishing scams and all these things going out and trying to get our data or extort money from businesses.

I don't know about you, but I was always querying this, because, for example, I got one the other day that was saying, you know that someone has been authorised to have £100,000 invested, and they're looking for investors, and they found my LinkedIn, and they think that I would be great and if I could just give them my bank details, they'll send me £25,000, and I can start investing. Obviously that’s pretty laughable, attempted it, they haven't got back to me since I sent them across, I assume that's coming, but I don't understand. Are we now beyond the stage of people getting scammed out this stuff? Are these phishing scams a real threat? And maybe if we were still susceptible to them back in 2020, have we as  an industry been on a real crash course in managing that?

George Ralph, Chief Risk Officer at RFA  12:40

That's a good question. Actually, I think there's a couple of things we should talk about in this perspective. As a technology firm, who's looking after a very specialist, niche, sort of sector, it's easier for us in a way, because we get a lot of feedback from the clients, we can help other clients learn lessons from other clients, it means I'm not going to an insurance company in the morning and talking about their management database and then going to a hedge fund and then going to a charity. You know, it's easier for us in a way because we can really hone in. But this is one topic which affects everyone. As you say, it affects you guys at AIMA, it affects me at RFA, affects my mum who's a teacher, obviously, she teaches IT.  

But you have to remember that cybersecurity, and what it was in 1994 when I was specialising in Information Assurance which is exactly the same thing. It's all event driven. And they play on people's emotions. And the fact that we as a sector are in a rush.So, most people when they are caught out, it's because they're in a rush. And it's email, it's another form of electronic communication. You know, we've got WhatsApp, we've got Telegram, we've got Slack, we've got Teams, we've got email, we've got phone calls, although people don't tend to pick the phone up anymore. But there's so many forms of communication, it means it's more of a risk that someone's going to make a mistake. And what happened with COVID is, we are communicating even more electronically, right, and we'll talk about video type conferencing in a minute, but it means the amount of emails that people getting just shot through the roof. You can't just turn around to the person next to you and go “oh, hey, Bob, come and have a look at my screen. What do you think I should do with this?” An email goes out, “Oh, I've got this”, they do a screenshot, another email chain. So, the volume of email went up, which meant more people were at risk of making a mistake. I think that's one point to note.

The other is that we're in very emotional place. You know, for me personally and my executive team, my business partners, the motivational factor of having 400 staff across the 11 locations, some of which suddenly found themselves in a studio apartment with a desk and a bed, and that's where they lived for a year, emotions for our staff, emotions for our clients, not knowing how long they're going to be working from home, when they're going to come back, the whole thing with COVID, it means that people are again, very distracted. So, their awareness level goes down again. The other thing is, it was incredibly public, every single hacker and chancer in technology to try and make some money around the world knew that in every single business across the world, there was disruption with technology, they knew that people were working at home remotely connected, it was a perfect opportunity.

So, it wasn't necessarily a technology result, or anything like that, it was emotions, it was a change that's very public. And most hacks that are phishing, in fact, pretty much all of them, they're just chancers, they're never really targeted. What I've been trying to do is raise much awareness as possible, you know, we do e-learning for all of our clients, every quarter, we try and do it when new people join the business, because a lot of them come from outside of the sector. So that, for example, if someone's new to the sector, and they've come in as an intern into a hedge fund, they might not know that's a phishing email, they might think, oh, this is part of the process. Maybe they're not the right intern if they think that but you see what I mean. And what I was trying to do during COVID, was actually do more video training with people. So, I'd get everyone from the business on a call for an hour, I would do a PowerPoint presentation. Not quite death by PowerPoint, because I had some jokes in there which tried to make it more engaging. And I did videos with people, you know, what is phishing? What is smishing? What does malware mean? What's ransomware? How do you spot a malicious domain? All of this kind of stuff to try with my clients, but then also allow them as a firm to give examples of what they've seen, so that they're teaching each other with experience. And we just tried to do that as much as possible. It's all about awareness in this world.

Tom Kehoe, AIMA  17:22

You have a new one on me, George, what is smishing? I’ve not heard of that before, pardon my ignorance, but what is smishing?

George Ralph, Chief Risk Officer at RFA 17:30

It's basically a text message, SMS, right? That is one thing that's really come to the forefront because of COVID. Because we're getting messages from the NHS, from companies who did our tests, you know, and they were using that a lot to catch people out.

Tom Kehoe, AIMA  17:51

It's very helpful, and very insightful, George. If I can go back to 2020 again, the move to remote working, which was really done to solve the immediate problem where we all had to work from home, but now most of us are embedding some form of hybrid working into our work process. And no doubt, there has been a learning curve. I'm thinking about for our industry regarding what particular fund managers are doing, or don't need to be aware of when operating their business remotely. So, what are the tools fund managers are using the most today? What should they be considering using to help them stay as competitive as possible when it comes to the internal collaboration or managing the middle and back-office processes?

George Ralph, Chief Risk Officer at RFA 18:39

I think the key word here is collaboration and process, right? A lot of what we're trying to do, and I'm kind of starting at the end of the topic here and then working backwards, I think it's easier, but we're trying to help people automate the operational processes more. So, a lot of people traditionally would get in a meeting room for 10 minutes and go right, “you're going to do this task, I'll do this task, how do we get the process down? Let's just get it done. Okay, it's finished.” Now, you don't have that ability as much. And so, getting the processes right in advance about the deal flow, for example. And then automating some of those is going to help the businesses move faster forward, without a need for so much collaboration. Because as we know, human errors is the cause of a lot of challenges in funds. The other thing is using initiatives and technology to make people feel like they’re still in the same room. Because I think what people forget is we may be in a position where we say to people, you have to come to the office three days a week, but if the two particular people who are doing something and not in the office on the same day, those three days you still have exactly the same problem.

So, we've got chat rooms that we have with clients where every single person has a team's video on the whole day. So, it's like the old turret systems where you could do a single click to your trading colleague who is in New York, and you're in London, and it immediately opens, it's about having that open all the time, so that they can see what each other are doing. But not from a supervisory perspective, but just to allow that flow of conversation to keep stuff going. We do a lot of that with clients, and that's really helped. I think the other thing is, you know, there are regulatory challenges, you have to supervise traders. So, a lot of traders were having to come into the office during COVID anyway, and so having these live video feeds means that you can kind of get around that too. Then I think the other thing is really trying to make use of the tools that are off the shelf available to people. So, things like Microsoft Power Automate, Microsoft Flow which is an automation tool. So, it allows us to help automate products, but also from a graphical perspective.

We teach clients how to use that themselves, using things like teams, but using SharePoint in the back end for file collaboration. So, everyone's working on same spreadsheet at the same time, they can chat at the same time, and then that chat channel leads into project management tools like planner. So, making use of the tools that people are already paying for, because most people have Exchange Online with Office 365, or they use G-Suite, which has a similar set of tools. And so again, I think it's very much about education and showing people what they have, making use of the technology, but without disrupting the users by suddenly rolling out new products, because of a business change, and just doing things gradually and encouraging user adoption by showing them the advantage.

Tom Kehoe, AIMA  21:56

Many businesses have also moved to the cloud, how has the move to using cloud technology more changed cybersecurity protocols for alternative investment firms?

George Ralph, Chief Risk Officer at RFA 22:11

This is a huge area. It's very much about personal opinion. You know, I remember back in the day with pepublic cloud, I was explaining to people when they said, “which is more secure, RFA’s cloud or public cloud?” I was saying, well, generally speaking across the whole world, I think everyone's heard of Microsoft, but not everyone's heard of RFA, so on that basis, RFA might be more secure, but then RFA don't invest billions every year in cybersecurity tools. So, there was always that kind of swings and roundabouts conversation. But I think if you think about technology, and how you secure it, it's back to a knowledge really of the configurer of the server infrastructure.

You know, I think it was the Capital One breach that happened because an IT guy spun up a server, but he hadn't done any of the security configuration, it opened the door. And so, I think utilising the tools in the cloud is going to give you those feature sets, like I just talked about, as an example from Office 365. But it's about the configuration. It's about locking that down; we try and treat the cloud and infrastructure and endpoint security as one single piece of the puzzle. So, we secure it as if you're putting a cloud around the cloud, basically. And that tends to work better from a cybersecurity perspective, because you don't have lots of entry points. You're locking everything up as one. I hope I've explained that right. And then you're looking at things where there's this sort of collaboration of files and data, where a lot of people used to have FTP servers to transfer spreadsheets and things between them and the fund administrator. In fact, I think a lot of them still do. But now you can utilise things like SharePoint, to share files securely, you can set expiry dates on it, recipient lists, if I sent you guys a spreadsheet to give you a reference of what we've talked about today, afterwards, for example, I could say only the people on this call can read it. If you want to share it with someone else, I then have to give further permission.

So, there's better uses of it that allow people to do things more securely, but they have to know how to do that, and that's what I was saying about education. You know, one of the firms that we started working with during COVID, they had a very traditional technology model before we got engaged, now they're fully public cloud. They use things like teams and SharePoint before they had an email server and a file server and a VPN. And what happened is one of the new investment professionals came in, his job was to invest in technology. So, he was very clued up on tech, and he'd sort of implemented shadow IT without knowing it. So, a new technology solution that the IT firm weren't aware of. He basically set up Office 365 and rolled out teams and SharePoint to all the staff.

The IT firm didn't know this. For whatever reasons, probably because they weren't able to go to their office, or I don't know what the reasons were. But then he didn't realise that if you create a SharePoint site, it creates a team's channel. So, he'd created an HR site, he'd created a marketing site, he created a client site, which was the right thing to do. But then he didn't lock down any of the Teams components. So, staff could see every single team's channel so they can chat. They're thinking “oh, go to the HR chat, because I want to find out what our compensation plan is going to be in April”, and then they realised, oh, there's a files tab in the HR chat. So they go to files, all of a sudden, they can see all of the payroll information, all of the CVs, a massive data breach. And this firm just spoke to their prime broker, and they said “oh, you should talk to George, because they’ve be rolling out Teams out for the last four years and he can lock it down”. So, then I immediately did a piece about locking down Teams configuration and put it on our COVID portal for clients and things like that, to make sure that no other firms were impacted by it. But the risk of public cloud is fantastic. And it can give you so much collaboration and tool sets. But if it's not configured properly, that that's the main risk.

Drew Nicol, AIMA  27:23

Maybe this is a good segue for this then, because underpinning all of this, and we've alluded to it several times is a greater reliance on service providers, obviously, many hedge funds, especially the smaller ones do not have large IT teams on hand who can spin up servers. When COVID did hit and now all this tech stuff does come from service providers, and I think AIMA has been observing for some time now in our own research that whereas maybe a lot of fund managers were quite hesitant or suspicious of service providers, especially around certain core processes, in the past, that perception is changing. And now even people are talking about outsourcing, trading and outsourcing all sorts of things that before were maybe sacrosanct. But just to really put that in context, what is maybe an emerging trend? Can you help us understand how far that's come in terms of a greater openness to using service providers? And whether there's any trends in terms of just a smaller funds, or just larger funds? Or maybe a bit of both?

George Ralph, Chief Risk Officer at RFA 28:45

Yes, good question. So, I think the point now is that it's not, you know, should we outsource or not? It's more, as you rightly say, what components should we outsource? What do we feel comfortable outsourcing and to who? I think a lot of that comes down to due diligence and experience of the people launching the fund, it tends to be the trend that, you know, if you're launching a hedge fund, you need to focus on getting your AUM up and performing the two are combined, right? You don't want to be spending £250,000 a year on a CTO to configure Office 365 and support your users because that person is going to be incredibly bored. They're also going to never sleep because they're going to get phone calls all the time saying my monitors not working or I can't work out how to do this macro in the spreadsheet. It's just not a way to do it anymore.

I think in the past, and obviously following focusing on IT here for outsourcing, you would have server infrastructure, you'd need firewalls, you'd need switches, it needed someone there to maintain the system. To them, it's just not needed anymore, and I think, in general, as long as people are focusing on good due diligence on their vendors, and they're doing it regularly, there has to be an element of trust there. I think for me, one of the value items that I see from outsourcing is, I talked about this at an event in New York a couple of weeks ago, but it's the kind of education and knowledge component. So, if someone comes to me and says, “oh, we're launching a long-short equity fund, very vanilla, is going to be 12 of us”. I think I've done 32 launches this year, just in London, I can say some don't bother looking for an office, you don't need it at the beginning. You know, you need a fund administrator, you need an auditor, you need a strategy, you need to fund the structure, you need a lawyer, you know, all of these kinds of components. I can't say to them, “oh, I'm going to give you an amazing automation platform, and a snowflake data warehouse, and all of this, they just don't need it. But they might not know that. And obviously, marketing impacts every sector.

For me, it's about saying, look, I've got two clients that I launched six months ago that are doing exactly the same thing as you, why don't I introduce you, we can either go to the pub and have a quick beer, and I can introduce you if you don't want to do electronically, or do a phone call. Just helping people learn from each other and experiences, and the other thing with outsourcing is obviously purchasing power, if I’m buying Global Relay or Mimecast licensing, I'm doing it for like 80,000 people, they're doing it for five, I'm going to get a much better price for that. So, there's loads and loads of benefits. And I think, now more than ever, and this is going back to the bigger firms and what they outsource. A lot of people don't want the headache of HR, managing people, and mentoring them, when they never see them. It's difficult to do. The trend I'm seeing on outsourcing for us, which is a challenge for us as well, and everyone else in the world is they just can't recruit people. And you know, they might have furloughed their IT staff during COVID, and now they need them back because everyone's coming back to the office and they can't, they can't get any because the IT people want to work remotely. And so, we are augmenting IT teams around the world at the moment for our biggest firms, you know, like top-10 private equity clients or top-20 hedge funds that have got a lot of people were actually seconding our staff, so that we're doing the mentoring and we're doing the training, we can provide cover for sickness or holiday, rather than them doing it.

The trend I keep seeing is, they're going to just keep it like that. Originally, it was a temporary thing while they tried to recruit, and then bring in people but they've started to realise, this is a much better way of doing it. We should have just done this before, we don't have to worry about any benefits packages, we don't have to worry about holiday because RFA will send someone else who's got knowledge. You know, we don't have to worry about mentoring and HR components. That's a trend for us with our bigger clients massively. So outsourcing, I think it's definitely grown because of COVID. I think it's helped people streamline their operations more than just focus on the job and learn from the experience of their partners.

Drew Nicol, AIMA  33:41

The other side of this conversation is that, as with all things with technology, when it works, it's great and easy. But there is also a huge question around compliance. And regulators and policymakers were also scrambling to get their heads around this new way of working. Actually, in researching for this episode, I was reminded of a PCU it did for the AIMA Journal, where you highlighted a report that came out from the World Economic Forum called Global Cybersecurity Outlook. And I think that came out at the start of the year. I just wanted to ask you, whether you think that gives some indication that regulators and policymakers and other stakeholders are up abreast of the new risks that we've discussed so far. And, whether they will be leading in this new cyber-resilience revolution? And this is a huge question, but should we expect a lot of regulation in this regard to come in the near to medium term?

George Ralph, Chief Risk Officer at RFA 34:53

The short answer is yes. I can tell you one of my concerns at the moment is cyber-attacks for things like crypto dusting, which is when people put a small amount in lots of people's wallets? No one notices. And then it's gone. You know, crypto funds aren't regulated yet, so I can't really answer that question. but it's a concern of mine. At the moment, I'm trying to help all our crypto clients get educated on that. I think they are abreast of it generally. In the UK, for example, it helps because we've got things like the NCSC, which is the national cybersecurity firm that works for the government to educate us. There's lots of portals and things that have free guidance. I think that helps businesses in general. Things like Cyber Security Plus, where you pay a couple of £100, someone comes in and tells you what firewall you should have, and does sort of an audit and things like that.

But if you think about recent cases with the FCA in 2017, I think they did something called the FP 16-5 or something. I'm going geeky now, but it was about outsourcing to third-party relationships, which everyone assumed was cloud. And it talks about doing proper due diligence. It talks about doing regular security, testing pen tests, but importantly, it talks about risk management processes, and making sure that you've got a good risk management process in place, so that the people at the board level are aware of risks and can make informed decisions. They updated that last year to sort of remind everyone to do due diligence, it's important. A lot of people don't necessarily realise that all of your vendors are connected to the fund, you're communicating with them. If they get breached, you get breached. I mean, it's all a trickle effect. And I think the recent changes that the SEC have introduced which is about policies and IRP, or incident response planning and things for them, they're more dictator-like in the way that they approach it to people to give proper guidance, whereas the FCA is more sort of guidance, and you can interpret it.

I like what the SEC have done, because they've said, look, these things do happen, but you need to let us know so that we can help the sector and also just have a plan. You know, they've gone kind of gone down the route of you know, I raice Caterhams, and everyone always says, it's not if you have a crash, it's when and how bad, a bit like motorcyclists. I think SEC has gone down that approach, they like that it's not if, it's when. So, just make sure you've got plan, make sure that you can recover from it quickly.

We’ve got a lot of tools we're rolling out, which is about public opinion of companies, perception monitoring, that kind of thing, so that you can see like a score comparing you to other funds to see how good you look from a PR perspective. Immediately, if someone has a data breach, and they notify a regulator, someone else is going to find out about it, it's going to be in the news, your public reputation score is going to go completely down, you're probably going to have a bit of drawdown. But if you can evidence that you dealt with it really quickly, you learn from it, you're less likely to have a breach again. You know, so you want to make sure that if you do, and I hope anyone listening to this never has it, obviously, but if you do, it's very small, you containerise it quickly, you know, you learn from it, you notify the right people you move on. If you don't have a plan, it's very likely that that very small one is going to get very big very quick.

Tom Kehoe, AIMA  38:53

And, George, in that recent piece that you wrote in the AIMA journal, you concluded with the following paragraph and if I may quote you, you say, “as the world looks ahead to the rest of 2022 and beyond, it is essential that business globally, see cybersecurity as a strategic business issue that drives and influences decision making. So, it is no longer a question of how firms are protected in terms of cybersecurity, but rather how well they are protected with a key focus on sophistication, effectiveness and fortitude.” From your perch down at RFA and soliciting with the fund management industry. What is your sense as to how sophisticated firms are now in safeguarding themselves against the threat of cyber and related attacks?

George Ralph, Chief Risk Officer at RFA 39:48

I think from a technology perspective, generally firms are well protected in terms of sophistication on the tech side. I think they have a lot of options. I think people should always be pragmatic about it. I remember speaking to a startup the other day, you had an office and they were like, do we really need two firewalls? And do we need this? And do we do that? And I said, well, not really, because you guys hardly ever go to the office. So, when you do, turn the firewall on, and when you leave, turn it off, you know, turn it on when you're there, turn it off when you leave, because if you're not connected, you can't be breached. So, it has to be pragmatic. But I think from a technology perspective, the sector's good.

We've talked about cybersecurity a lot, because we're trying to get good awareness and educate. I know AIMA do a lot around cybersecurity, I try and give my experience as much as possible to help the sector. But it must be pragmatic, and as I said, I think the technology side of it is very good. I think the awareness of the risks of cyber and what people do to mitigate it could be improved as a sector. You know, a lot of firms that I take on as a business, they don't necessarily have a risk matrix for cyber-security, for example, they don't know who's doing integrity checks on the backups? Is it read once write many, how is it configured, who's responsible? Is our IT service provider responsible for checking? Who in our firm and fund, on a director level, is responsible for checking? You know, having a risk matrix is very easy to put together, get the IT firm to list out all the risks, put a scoring in about likelihood versus impact, make someone responsible for managing that risk. Then the board can actually make an informed decisions, say, at the moment, this is our highest priority risk. So, we should probably spend some money on resolving that or increase the mitigation actions we're doing right. I think that's really important. And that's kind of what I meant about having more awareness from a business perspective. If you explain that risk to a board member, they will go, “ah, okay, I understand that now”. That's what we're doing to mitigate it, and actually that's how it would impact the deal flow process. So, it's pretty important, maybe we should focus on removing that risk, or reducing the impact of it by doing these mitigating actions, or etc.

So, when I sit on risk committee meetings with my clients, and I’ve got about 22 globally, where I’m actually chairing those meetings at the moment, it’s really important that they’ve got visibility and awareness of what’s going on, they have to make the decision. I can’t really say, I can steer them in a direction that I think is right for them, but they should make the decision because if the worst ever happens, and the other point I’m going to come on to is planning, they are the ones that need to react, you know, they are ingrained in the business, they know the impact, they know who they need to inform, etc.

Then I think the other thing is really good planning. You know, people need to plan for the worst. We always have the old adage, you know, plan for the worst hope for the best. I'm an IT guy. I was fixing problems in 1994/1995, for people's Netscape Navigator. I only know issues. That's what I tried to fix. So, I've always had to plan, but hope for the best. And I think people need to do this with cyber, you have to plan, you've got to be prepared. I think that's an area that we could improve on. We always talk about technology products. I've just been talking about reputation monitoring. We've always had security operations tools; we've always had anti-virus anti-malware behavior analysis. I don't think we talked enough about incident response planning and things like that. I think that's an area that could be improved across the sector.

Drew Nicol, AIMA  44:02

I think that is key, because very often, and I think you've given a few examples of this already, that the breaches often come from simple things not being done. But it seems to be often a case of you don't know what you don't know, and people aren't doing it out of negligence. If you don't know how to do a small security tag or whatever it might be, then all of a sudden, you've left yourself exposed. And the last thing I wanted to bring up was around this point about education. I know RFA and AIMA aims have been aligned for some years now in trying to help the industry generally get to where it needs to be. I know you also contributed to our guide ‘sound practices for cyber-security’, which came out this year and was an update on a prior edition. And we set out pages and pages of best practices and examples and we go into all those different types of cyber-threats that are out there, and it's a really valuable resource. So, I just thought we would close by just maybe, if you could, give us your top tips for cyber-resilience. And I know you've mentioned some quite complex things, but maybe just top five things that a listener might walk out of this, and maybe go to their team and just check that those things were being done.

George Ralph, Chief Risk Officer at RFA  45:25

I think right now vendor due diligence, it's something that all the managers can do. There's a certain set of questions you can ask, evidence you can ask. I want people to go away thinking, who's connected to my business that if they have a breach I'm impacted? I think that's the first thing people need to do, just really good due diligence on their vendors, make sure that they're secure. There was an article yesterday, someone's systems were hacked, a fund admin I think, it's impacted some personal data.

The manager came to us and were like, "what's the impact on our systems", and I'm like, “it's not your systems, it's someone else's, but it's still your data”. So, due diligence is really important, I think more than anything right now. And then I think awareness, just make sure your staff are doing awareness training, 99% of breaches happen because of someone clicking on something in a rush or making a mistake, you let me know when that £25,000 comes in, Drew. But, it's very much about that component as well. And on YouTube, there's so many free videos, you know, I'm sure Tom Kehoe is going to go on to YouTube after this and look at what smishing is, you know. My explanation probably wasn't good enough. But anyway, there's so much free stuff and free content on YouTube. Just get up, get skilled up and be aware. So, awareness and due diligence, I think they're the two takeaways, I could go on all day about what people can do. I think they're the two hot topics that I think people should think about now.

Drew Nicol, AIMA  47:07

So finally, just looking more broadly, it sounds like our industry, much like every others, is on somewhat of a journey when it comes to digitisation and all the things that come with that cybersecurity being one of the main ones. But what's next for our industry, so we've gone from this mad rush in 2020, to maybe reaching somewhat of an equilibrium now and embedding in digitisation in a more permanent basis. But what's next? Where are we going?

George Ralph, Chief Risk Officer at RFA  47:39

It's going to be more serverless architecture, and SAS-based products. We're on this drive at the moment, I think as a sector, but I think it's happening worldwide. In every sector is data centralisation, and cybersecurity. Decentralisation, if that's the right phrase, people are more desperate, I mentioned at the beginning its not home working, it's satellite offices, that's how businesses have to think about it, because people are not just there because they're sick, that's actually now part of the organisation. So, there's going to be an evolution in terms of the decentralisation of cyber, we, as a business, for example, focus very much on the data at the endpoint of the user, rather than office locations, because it's irrelevant.

Now, we use a lot of behavioural analysis tools, so that we can help our company's HR department get a bit ahead, if they think someone's going to leave, because we can see a change in their behavior patterns, that's the way the world is going. Now, it's not necessarily Big Brother, because we can't see what they're doing. But we can see the way they're using the data and how hard they're using Excel and things like that. That's kind of evolved now into an ESG conversation, because we can now monitor work life balance in terms of usage, but I'm not going to go into this different topic. So, there's more sort of decentralisation of that. And then I think there's more data centralisation, if you think about all the different applications and products people used to have now, a firm aside from their LMS, PMS, you could literally use Office 365 for the whole suite. You can collaborate on Teams, you can use SharePoint for file access, you've got Exchange Online for email. So, there's a simplification process going on around the technology stack as well as for infrastructure. I think there's going to be more focus on the SAS products rather than having a server-based setup, that's been happening for a long time. It will be more about the security and the monitoring from a cyber perspective of how people are using ETL and API. So, the integration between the SAS products, how data is moving between them, how we're visualising the data, data warehousing, that kind of thing, and this focus on security will start pivoting towards that kind of tech.

Then I think the last thing is, and again this is a little bit cyber-heavy, but I think there's going to be more products coming out around DevOps. So, monitoring of code, monitoring of configuration items, things like that, we have a SAS monitoring tool now, for example, that looks at all of the office 365 configuration, all of Salesforce configuration, and we get an alert, if a new feature of configuration comes available, or one goes away, or someone makes a change to configuration, because again, like I said earlier, someone configures something wrongly, that's again when a breach happens, and I think there's going to be more and more tools that come out like that.

Drew Nicol, AIMA  50:42

Well, I mean, I think it's clear that we've been talking for a while, and we've only really scratched the surface of this topic. We could go on and I happily would because I do have a certain sense of morbid fascination with these horror stories of the breaches, and you've certainly renewed my fear that I will be the breach one day. I will certainly go and take on those tips, and as I say, this is clearly a topic that's going to become increasingly important as time goes on. So, no doubt we'll have you on again. But for now, thank you so much for your time and joining us on The Long-Short.

George Ralph, Chief Risk Officer at RFA  51:17

Thanks for having me. It's been great.

This podcast is the sole property of the Alternative Investment Management Association (AIMA). This audio production and content are intended as indicative guidance only and are not to be taken or treated as a substitute for specific advice, whether legal advice or otherwise. AIMA permits use or sharing of the content in media or as an educational resource, provided always that proper attribution is made. The rights in the content and production, including copyright and database rights, belong to AIMA.