Cyber risk management should run throughout an organization to include the active involvement of the CEO and board, similar to the way senior management and employees think about an organization’s code of ethics, according to a panel that met to discuss cybersecurity at the recent Alternative Investment Symposium held by Deloitte.
With the level of threats rising along with the proliferation of new technologies, more companies are looking to elevate their approach to cyber issues well beyond the IT department, a challenge that requires the active participation of senior leadership.
“The general increase in information-sharing, particularly through mobile technology, often increases corporate risk,” said conference host Cary Stier, vice chairman and Global Investment Management leader for Deloitte LLP.
“As hedge funds and private equity funds expand their network of third-party providers, cyber risk should be a key component of supplier risk reviews,” added Stier. For example, some investment managers are verifying that each vendor has adequate security controls in place and maintains an internal incident response team for cyber breaches.
“Given the consumerization of IT, every employee is now a potential conduit for cyber criminals.”
The panel, entitled “Braving the New World: A Focus on Cybersecurity and How Fund Managers Assess Threats,” discussed strategies that are applicable to sectors well beyond financial services. Business leaders and boards should understand that the hacker community is smart, big, nimble and usually a step ahead of risk prevention efforts.
“That makes monitoring the flow of information in and out of an organization and blocking threats challenging, particularly for organizations with offices around the world, which are not always secure,” said Adnan Amjad, a partner with Deloitte & Touche LLP’s Security & Privacy practice, who moderated the panel.
Educating leadership on cyber threats
A central issue discussed by the panel was how to educate an organization’s leadership about the threats they face. “That education can start with simple questions, such as who would want your information, and why do they want it,” said Mary Galligan, a director with Deloitte & Touche LLP’s Security & Privacy practice and a former FBI special agent in charge of Cyber and Special Operations.
When making such evaluations, it’s important for organizations to start with a clear understanding of their vulnerabilities to make risk management and mitigation more informed.
“Do the culprits want to embarrass the organization?” asked Galligan.
“Do they want to sell an organization’s information? Does an ‘inside’ threat exist in which intellectual property, algorithms or client information is the target?”
Companies may want to identify critical assets, “their treasures,” as part of their cyber risk management plan, then prioritize the threats to those assets and review both the assets and the threats with business leaders.
As one panelist suggested, fund managers should treat cyber risk as they would counterparty risk or a rogue trader.
The panel emphasized that risks do not need to be malicious to be considered serious threats, especially given the potential for systems to be infected by malware when employees bring personal technology into the workplace or engage in seemingly innocuous behavior such as clicking “silly” links. Such inadvertent acts can be curtailed if companies develop education programs for employees and clients about cybersecurity risks and circumstances.
Several types of cyber threats were seen as especially worrisome by the panel, including:
- Loss of control over Internet protocol (IP) addresses, the numeric identifiers assigned to devices, such as servers, on a network.
- Loss of critical data or data leakage whether related to an unintentional or deliberate act.
- Social engineering, in which users are manipulated into disclosing confidential information.
- Spear phishing, an email fraud scheme similar to phishing, but usually targeting specific organizations and coming from what seems to be a trusted source.
- A man-in-the-middle attack, in which a system is compromised and encrypted information is rerouted through a hacker’s server, where it is stolen before being passed on to the legitimate users.
A framework to span an organization
“The CEO and board cannot expect the technology team to stop every threat and attack,” said Galligan. However, “the team should be free to brief the CEO and board about risk, and be comfortable doing so. In addition, the leadership should provide support to the technology team with respect to implementing the organization’s resiliency plan.”
Such a plan outlines the timeline and steps required for an organization to recover from an attack and begin normal business operations. It also describes how the organization will interact with law enforcement agencies.
Making cybersecurity an organization-wide undertaking requires engagement of senior executives and the board.
“Employees need to know how they fit into the organization’s bigger cyber risk strategy and to know that what they are doing is important,” Galligan added. A basic framework of cybersecurity steps that have been considered effective can include:
- Implementing a basic cyber risk policy that is evaluated on a regular basis and updated to address emerging technology issues.
- Developing a plan for sharing sensitive information about security breaches that addresses legal considerations and includes a communication strategy, as well as the most appropriate way for the organization to handle an exchange of information.
- Creating an education program for clients and employees focused on cyber risks and prevention tactics, including encouraging users to immediately report to the organization any activity they suspect may be related to a threat or an attack.
- Designating an employee to be the primary law enforcement contact for cybercrime issues so there is an open communication channel between companies and law enforcement entities.
Another important issue the panel emphasized is a lack of experience among IT professionals in the area of cyber risk, a trend that can lead many companies to work with managed services vendors. The challenge, however, is that using managed services can introduce another security risk.
Whether organizations use internal or outsourced resources, panel members suggested using two types of IT professionals: technical experts to implement controls and security systems and threat intelligence analysts to help chief technology officers (CTOs), chief risk officers and other senior executives focus on risk mitigation and management.
“Cybersecurity is no longer a part-time job,” said one panelist.
Information-sharing outside the organization
Discussing sensitive information related to cyber attacks or threats with law enforcement agencies may seem unorthodox and challenging to companies. This is particularly true for closely held investment management firms and other private companies, which are not under the same obligation to disclose information as publicly traded companies.
However, information-sharing can be an effective way to prevent future attacks and identify causes of existing security breaches. In fact, Galligan estimated that in about 40 percent of cyber attack cases, companies are informed about a security breach by a law enforcement entity.
The CTOs on the panel were in agreement that companies rarely have as much data about breaches as a government agency, and said they would like to see more sector-based and industry-based information-sharing. The more adversaries know about an organization, the more easily they can social engineer and spear phish, noted one panelist.
The panel also pointed out that the Jumpstart Our Business Startups (JOBS) Act has an industry-level information-sharing component that could be a starting point for companies looking to exchange information about cyber risks.
In addition, an Obama Administration executive order (Presidential Policy Directive 21) released in February 2013 called on the public and private sectors to collaborate in developing voluntary, risk-based standards and information-sharing programs.1