[BreachExchange] Alternative investment sector compliance in a rapidly changing cybersecurity landscape

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 28 14:06:19 EDT 2017


http://www.bobsguide.com/guide/news/2017/Jul/27/alternative-investment-sector-compliance-in-a-rapidly-changing-cybersecurity-landscape/

There are a number of priorities that firms in the alternative investment
sector must attend to, but in today's increasingly connected environment the
biggest must be cybersecurity. Following closely behind is compliance with
mandatory regulations. The two priorities are often intrinsically linked
and should be approached as one.

But where to begin? The increasing adoption of cloud services has brought
huge benefits to the alternative investment sector, allowing firms to scale
quickly, utilise cutting-edge technology without high levels of upfront
investment and meet the needs of a hyper-mobile workforce. Cloud services
also provide the power and space for firms to deliver client-facing services
over the internet, and to take advantage of CPU-hungry applications such as
big data analysis tools. All of this can contribute to a much-needed
competitive edge, but against a backdrop of increasingly sophisticated
cybersecurity threats and complex regulatory compliance obligations, it
is difficult for firms to know how best to proceed. Businesses need to
manage enterprise security across an array of applications and
infrastructure, while remaining 'open' and 'hyper-connected' at the same
time.

Mobile devices are easily lost, and in order to protect the data held on
them, firms must demonstrate that devices can be protected even in the event
of loss or theft. Remote wipe technology is ideal. MiFID II's communication
recording requirement means that firms should only allow employees to use
corporately approved devices, or devices on which they have the facility to
record calls, text messages and instant messages that relate to a deal or
possible deal. Wireless data encryption or mobile VPN access can protect
data in transit too.

Cloud services add complexity

Most firms are using cloud services of one type or another, and many have a
multi-cloud environment, which brings great flexibility and efficiency but
can cause compliance headaches. When researching a cloud service provider,
it is key to look for one with a standards-based cloud environment and a
security offering that meets the same regulatory policies and procedures
you have to comply with. Be sure to check the contract and service level
agreement carefully to determine how the provider meets specific compliance
requirements. The provider should be able to give assurance that they meet
those compliance requirements, and to prove it if required by a regulator.

Prepare to be hacked

With perimeters becoming blurred by mobile workforces and multi-cloud
environments, firms can expect to experience hacking attacks on systems
holding client data, or attacks in which trading systems are manipulated
for financial gain or simply to cause disruption. These are probably the
most obvious types of attack that an investment firm should expect to see,
and they can be guarded against with a multi-layered cybersecurity strategy
that secures endpoints, deploys next-generation firewalls correctly, and
keeps AV software regularly updated. Technology which uses machine learning
is also becoming more prevalent as a method of detecting new threats and
coping with the sheer volume of emerging threats. Artificial intelligence
allows the technology to learn from known threats and identify shared
characteristics which could indicate a new one.

Ensure employees are well trained

Fake calls and phishing emails sent to employees containing malware are
more difficult to mitigate against, and will require traditional cyber
security defences combined with robust employee training and spot testing.
Multi-factor authentication, preferably including some biometric
authentication, is essential against fraudulent attempts to breach
security, but for employees who are already authenticated there needs to be
regular and robust training that keeps them alert and helps them identify
fraudulent activity. Predictive analytics can monitor and aggregate
employee behaviour and trigger alerts if one or more anomalous behaviours
occur. Anomalous behaviours can include higher numbers of downloads,
encrypting data, or accessing the network from machines not previously
recognised. Sophisticated systems can also pull in data from the HR
department which may indicate problems, such as increased sick leave or
poor performance reviews.

Compliance relies on cybersecurity

Many of this year’s biggest regulatory challenges have an intrinsic
cybersecurity element, with data protection being a huge concern especially
with the looming General Data Protection Regulation (GDPR). Firms must be
able to prove that they have taken all necessary steps to protect their
clients’ data and to ensure that they have not allowed a security breach to
take place. The primary objectives of GDPR are to give individuals back the
control of their personal data and to simplify the regulatory environment
for international business by unifying the regulation within the EU. Whilst
the GDPR is a European regulation, any firm that provides goods or services
to a customer in the EU must comply. Compliance with the GDPR means that
firms must inform the individual that their data will be collected and what
it will be used for, plus the risks, rules and rights in relation to the
processing of that data. They must only keep personal data for a limited
time, erasing or reviewing the data at the end of the allocated time
period. There must be a process in place for individuals to request access
to their data, make changes or withdraw consent to use the data at any
time. In the event of a data breach where that data is unencrypted, firms
must notify individuals within 72 hours. This is where a cyber incident
response plan will be essential. Larger firms, with over 250 employees, or
over 5000 customers in a 12 month period must also appoint a data
protection officer.

For finance and investment firms, who have a requirement to collect
personal data to adhere to money laundering regulations and guidance on
investor suitability for the different financial instruments on offer, GDPR
will prove onerous. In addition, it allows huge fines to be levied for
non-compliance, so it has a real bite.

More data needs more protection

Many current regulations increase the reporting burden on firms, requiring
them to generate, collect and store more data than ever before. This data
is used for transparency purposes and for safeguarding checks, in the wake
of the most recent financial crisis. EMIR, for example, mandates that all
parties involved in trades must submit timely notifications when they are
approaching, exceeding, or no longer exceeding the clearing threshold as
defined by EMIR. In addition, the Foreign Account Tax Compliance Act (FATCA)
has been adopted by the UK and requires all UK financial institutions and
other financial intermediaries to report and disclose information about
assets deposited by UK residents in accounts held in Crown Dependencies.
Firms must ensure they have software and procedures in place to identify
and report on their relevant clients when required.

MiFID II and MiFIR pose yet more challenges, and the transaction reporting
requirements will impact greatly on buy-side firms, as they will no longer
be able to rely on their brokers to report transactions. All firms will
be expected to unbundle research costs from their commissions, and we have
already mentioned the requirement to record all communications pertaining
to trades. These huge quantities of extra data must be stored for up to
five years in a secure format which can be easily retrieved if requested
by a regulator.

Coping with such a large and growing volume of data poses serious
challenges in terms of cost control, risk management and operational
efficiency. Data management has become not only a serious cybersecurity
problem but a compliance issue in its own right.