Fund managers: Maintain SEC and FTC compliance with this cybersecurity best practice checklist
By Don Duclos, Linedata
Published: 28 November 2022
“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit
If you’ve seen the news about steep fines for cybersecurity breaches, you know the penalties can be severe — not to mention the damage to your brand and reputation. The consequences of even one data breach can result in millions of dollars in fines or even the end of your company.
To prevent such disasters, funds need to ensure their data and confidential information are secure. Unfortunately, what worked ten (or even three) years ago won’t necessarily work today.
Factors that have changed the cybersecurity landscape
The threat landscape has evolved since the pandemic, and firms must adapt to a changing world. What’s different now compared to a few years ago?
Remote work. When cities locked down due to COVID, employees began to work from home at unprecedented rates. And the easing of lockdowns didn’t stop the remote work wave. While many employees love this flexibility, remote work does create more vulnerabilities for cybercriminals to attack.
Increased cybersecurity activity. Partially due to the upward trend of remote work, companies have seen an increase in the sheer volume of cyberattacks. In fact, over 80% of global organisations surveyed have experienced an increase in cyberthreats since the COVID-19 pandemic.
New leadership in government agencies. Gary Gensler was appointed as SEC Chair in April 2021. Since then, he’s announced his intention to expand the commission’s regulations relating to cybersecurity, noting its importance to national security.
New regulations and proposals from the SEC and FTC. In addition to the FTC making significant updates to its Safeguards Rule, the SEC announced proposed rule changes, including requiring firms to report cybersecurity incidents within four business days, provide a detailed summary of cybersecurity policies and procedures, and likely add staff and technology tools, among other actions.
With these changes, companies can’t use the same cybersecurity playbook they’ve used in the past. And fund managers, in particular, can’t afford anything less than diligent cybersecurity measures.
The great mystery: What to prioritise in cybersecurity
As an alternative fund manager, this much is clear: cyberthreats are on the rise, and cybersecurity practices have never been under more scrutiny. It’s obvious that you need to prioritise the protection of your digital ecosystem, but cybersecurity impacts so many business facets that it can be hard to know where to focus first.
Do you need a financially prohibitive, all-encompassing security solution to protect against the most common cyberattacks? The answer is almost always no. So, what can you do to keep your data — and your clients’ data — safe?
Start by adopting proven best practices
The following actions will help you boost data security quickly and create safe environments without years of planning, preparation, and onboarding. We’ll start with three best practices that focus on end users, followed by four organisational best practices.
As we move through each action, it’s important to remember that strong security is about layers. No single product or solution will cover all of your systems and keep them protected. You need to think about each solution as a spoke in your cybersecurity wheel. They all work together to strengthen your organisation’s protection.
Cybersecurity best practices checklist
Are you prepared to protect your firm from cybercriminals? Do you have the following cybersecurity best practices in place?
- Multi-factor authentication. The verification of a user’s identity with two or more independent credentials. Authenticating with an app or push notification is the safest route.
- Phishing training and testing. Train users to identify phishing emails and follow correct protocols. Education combined with testing at regular intervals leads to organisational compliance.
- Endpoint security. Protecting endpoints (desktops, laptops, mobile devices, etc.) utilised by end users is essential in our remote work environment. Fund managers should combine endpoint protection with monitoring and remediation.
- Infrastructure security monitoring. Observe and track security events on essential infrastructure (servers, routers, switches, etc.) to keep production environments up and running. Most firms look to agent-based and probe-based monitoring, often packaged into a Managed Detection, Response and Remediation (MDRR) solution from a reputable provider.
- Vulnerability assessment. It’s critical to patch known vulnerabilities in your (often robust) tech stack. While vulnerability scanning is essential, the ability to quickly scan, identify, and patch vulnerabilities with a proven process ensures more secure environments.
- Security for Office 365. Secure all applications within Office 365, which holds a bevy of confidential and sensitive information. Look to run an assessment and use optimal setting configurations.
- Incident response. Incidents are inevitable, but having a documented response will save you precious time when an incident occurs. Create documentation that defines roles and the actions to be taken by specific representatives, including reporting to external bodies where relevant.
Want to learn more about this critical topic? Download the whitepaper 7 Cybersecurity Best Practices to Prevent Data Breaches and Regulatory Fines.
Protect your firm with industry expertise
Implementing the best practices outlined above will put your organisation on the pathway to better data security and stronger protection against cybercriminals. If you want to skip the trial and error, working with an expert provider will help ensure the highest level of security and compliance.
At Linedata, we help fund managers bolster their cybersecurity posture and information security with advanced Endpoint Detection and Response (EDR) and Managed Detection, Response and Remediation (MDRR) solutions, plus a broader range of cybersecurity services. With over 20 years as a Managed Services Provider to the alternative funds industry, we offer the solutions, experience, and value to meet your requirements and exceed your expectations.