Hedge Fund Cybersecurity: What are the First Proactive Steps?
Cybersecurity has become one of the top priorities of hedge funds. Protecting the large amounts of data that are available online is vital to a business's success. Bart McDonough is the CEO and founder of Agio, a New York-based hybrid managed IT and cybersecurity provider that serves the financial-services, health-care and payments industries. He stresses the importance of cybersecurity, but also highlights that companies ought to set clear and realistic expectations and remain cognizant of the importance of automation when it comes to ensuring successful MSP.
In particular, McDonough argues that technology alone cannot be the sole solution to cybersecurity for financial services firms. While technology remains essential, he stresses that “when employees are the source of almost half of data breaches (43%), and over 80% of breaches leverage either stolen and/or weak passwords, governance trumps technology. Ultimately, financial services firms must employ a great process and not just great technology.”
In order to ensure full cyber-safety, McDonough recommends a few proactive steps that hedge funds ought to implement.
Establish Incident Response Plan
Hedge fund cybersecurity is not just about prevention. Each company ought to have a detection and response method in place, so a strong incident response plan is vital for proper protection of sensitive data and assets. After a plan has been established, it must be updated on a constant basis so that it takes into account any changes across data assets, systems, personnel and legal mandates.
The effectiveness of a cybersecurity program depends on constant reviews. This includes consistent protocol meetings with key stakeholders, as well as constant updates, reviews and meetings with senior members of the firm. IT, operations, and cybersecurity teams also ought to keep senior leaders and managers updated on risk assessments in progress and on updates to cyber-risk software and processes.
Cyber-risk reviews would not be as effective without constant and persistent testing of cyber protocols, which confirms that they are functioning as planned. Several kinds of tests cover different aspects of data protection and help ensure hedge fund cybersecurity. These include the following:
- Penetration tests — simulated cyberattacks to evaluate security protocols.
- Phishing tests — review of the ability to recognize phishing emails.
- Vulnerability tests — look for potential cyber weaknesses within the company network.
- Tabletop exercises — mock IR exercises for key personnel to make sure they are prepared in the case of an actual attack.