Creating a culture of security as private funds face cyber-threats

With cyber-threats evolving rapidly, managers need to build proper systems and make sure security is at the heart of business transformation, technology and innovation, says Rich Itri, chief innovation officer at ECI.

This article is sponsored by ECI Cybersecurity

What does the cyber-threat landscape look like for private funds right now, and what are the latest challenges for managers?

The threat landscape is intensifying at an exponential rate. When you think about the war in Ukraine and the growing cybersecurity threat from both nation states and criminal gangs, the risk facing private funds has never been greater. The threat actors are very sophisticated now and they know that private fund managers have access to large pools of cash, are dealing with significant cash flows moving around on a regular basis, and that they hold investor data.

When I hear investment managers saying they think that their risk is lower because they are smaller, that is just not the case. For these criminals, it is a full-time job to figure out the best ways to disrupt businesses or commit fraud to steal money. The methods being used also continue to grow as technology gets better and threat actors get smarter, with business email compromise increasing, phishing becoming almost a new normal, and ransomware and wire fraud also more prevalent.

For managers, the fundamental challenge is that they need to invest in a proper, well-developed cybersecurity program, and that starts with governance, with good IT hygiene, with understanding the risks in your organization, and then with training your employees and creating a culture of security. All of those elements are critical. Everyone is always looking for a silver bullet for security and one doesn’t exist – it really is a layered, thoughtful program that delivers security. And contrary to what most people think, that doesn’t always cost a really large sum of money.

Good IT hygiene is foundational to cybersecurity, so if you are not following best practice and have not implemented technology in the right way, you are creating a bunch of risk for the organization.

The next piece is vulnerability management. Vulnerabilities pop up all the time, and so if you are not managing them, you are opening yourself up to a lot of risk.

Then comes identity and access management, which is becoming increasingly important now because the pandemic has driven people to leverage new technologies and really expand the walls of their networks. Managers need to think about where the edge of their network exists and build a framework that gives users the right permissions for what they need to do – nothing more or less – and creates the necessary protections around that.

Next is detection and response. It used to be the case that having a platform to monitor the infrastructure was a nice-to-have, but now it has become absolute table stakes. Regulators expect you to have a platform in place to monitor for threats and to have somebody monitoring that 24 hours a day, 365 days a year.

Last comes governance and oversight, because creating a culture of security really starts from the top of the firm. When business leaders want to implement governance and insight across an organization, that tone from the top is critical and drives the culture of security. Those leaders need to show they take it seriously, which helps align the business around it and drive forward the discussions about identifying, mitigating and addressing risks. IT should not be operating in a silo; a transparent and collaborative approach is the only way to make it truly effective.

How are regulatory changes creating the need for more processes and technologies?

Across the board, whether in Europe, the US or Asia, the regulators have been making recommendations about cybersecurity for a long time but are now becoming a lot more prescriptive and proactive about implementing legislation. There is a growing view that firms now know what they need to be doing and so they should be doing it.

That shift is going to drive a lot of change throughout many organizations. The smaller private funds have always been very measured around their investment in security and that is something we understand – people don’t have bottomless pockets – but they may be discounting the investment that is needed in security. Regulation is going to drive those organizations to implement best practice and create stronger platforms, which can only be good news for the asset class and for investors.

Why is it so important to embed cybersecurity considerations at the heart of all technology and IT transformation projects?

There is a lot of focus now around digitizing processes and using data to really transform organizations and make them more efficient, reduce costs and drive innovation. IT professionals love those things, but they bring new risks. You have to create a culture of security before you start your digital transformation journey, because you want security to be pervasive throughout the process and you need to make sure every action being taken occurs in that context.

You want to drive all that positive progress, but you don’t want to open the kimono up to the world, so it’s extremely important to make sure you have the right security posture in place. Generally, the public cloud is a better domain from a security perspective – and you get to up your security posture by moving to the cloud – but there are complexities and nuances associated with that which you really need to look out for.

What is the latest best practice on how these issues should be properly overseen and led within an organization?

Issues become incidents, so the way you manage issues is critical. Having good processes, communication and governance is really important. Having a well-defined and well-rehearsed incident response plan is also key, because as issues become incidents you have to rehearse how you are going to handle them and make sure the whole process for that is well scripted and that clear lines of communication exist.

Reviewing previous issues is also very important to understand the root causes in order to drive continuous improvement. Oftentimes firms look to close out an issue quickly, they mitigate the risk, and then they move on to the next thing. That is great, but it is still important to go back and look at what could have been done better to avoid that issue in the first place and to improve IT hygiene overall. Management should be involved in that process too. You don’t want to overwhelm leaders, but the more they understand the issues being dealt with on a daily basis, the better they can assist in the decision-making on mitigating risks going forward.

Finally, what are going to be the developments we can expect to see coming down the track for private funds over the next few years?

The threat landscape is ever-evolving, and no one can ever know what the next big threat or issue will be, so it is incredibly important to build the right program that will allow you to mitigate risk, whatever the next challenge might be. That means really focusing on building out a framework based on the five pillars, because if you focus in and around those areas you will be able to really reduce the overall risk profile significantly.

The reality is that these threat actors will invest time and effort, but they are going to move on to the next organization if they aren’t making progress with yours. If you make sure your door is closed, they will move on to the neighbor that has left theirs open. By having the right program in place, you make it harder for attackers to succeed.

Over the coming years, firms are going to continue to evolve into more digital organizations, and their cybersecurity risk profiles will change as they embrace more data. That creates a need to make sure they are continuing to evolve in line with that risk.

Finally, innovation in the cloud is only going to continue to further help private equity firms, and there is something new every month as even the smaller organizations invest in data science programs and try to leverage data to create better returns, better deal sourcing and increased operational efficiencies. It is vital to build those programs properly upfront and think about security throughout, creating resilience and following best practice in everything. As more private funds seek to bring these data science functions in-house, they really need to partner with the right people to build the secure frameworks necessary for those data scientists to operate in, while at the same time making sure all that data stays safe within the firm.

When I think about the big issues that are coming, those are the things that people need to focus on.

Where should CFOs be focusing their investments in cybersecurity right now?

That is a tough question because everyone’s cybersecurity maturity is different. Every program should have those five pillars in place that I outlined: IT hygiene, vulnerability management, identity and access, detection and response, and governance and oversight. CFOs should be looking at what they are doing within those and focusing their dollars on strengthening where they need to.

Really, if a firm is failing on any one of those pillars, then they are not quite where they need to be. They should start with an assessment of where their firm stands and work with a third party to remediate and close out any gaps.

Rich Itri is chief innovation officer at ECI.