Q&A: Beating back the hackers

pfm talks with StepStone compliance chief Jason Ment to gain a feel for how GPs should be thinking about a planned SEC cybersecurity sweep.

PFM: What steps have you taken after learning about the SEC’s planned cybersecurity sweep?

Ment: We review our compliance policies and procedures on an annual basis and internally test aspects of our compliance program on a quarterly basis. As part of our annual update this year we will be enacting a standalone cybersecurity policy in consultation with our COO, systems administrators and external consultants.

With many CCOs having a background in law or some related field, how do you stay up to speed on all the IT jargon around cybersecurity?

We have an ongoing dialogue with our COO, our systems administrators and our external information technology consultants concerning our ongoing and new technology issues and opportunities. Ensuring that you have skilled IT professionals as a part of your operations team is paramount. The key to being successful is understanding that the necessary skill set does not stop at being able to implement, maintain and enhance the firm’s systems, but it also includes being able to explain everything to a non-technical person.

How do you deal with risks that come with things like remote access to the firm’s systems, cloud computing and other new technology?

With respect to remote access to email, in addition to passcode-secured mobile devices, we also utilize web-based secure email that synchronizes with each employee’s desktop email. Use of personal email for any work purpose is strictly prohibited and we have ensured that it is not necessary (by virtue of having a number of permissible alternatives) in order to allow people to work remotely. With respect to secure access to information, we use a VPN [virtual private network] connection to our shared network drives. We are currently testing a secure cloud-based storage provider that has a mobile app for remote access to low-risk documents (e.g., agenda materials for weekly internal meetings in order to reduce printing; marketing materials for those interested in presenting on tablets while traveling). Finally, passcode-secured laptops are issued to individuals who routinely work remotely or travel.

How often are your cybersecurity policies and procedures tested?

Information technology infrastructure is monitored and tested on an ongoing basis. Varying features of our compliance policies and procedures are selected for testing on a quarterly basis. Further, emails are subject to constant surveillance on a keyword basis, which has the potential for identifying irregular activity. Staff training occurs upon commencement of employment and annually thereafter. Further, there are ad hoc items that are brought to everyone’s attention from time to time as needed by both our legal and compliance team as well as our systems administrators.

What happens in the event you do detect a cybersecurity attack?

Cybersecurity attacks can originate from multiple vectors including email, denial of service, dictionary attacks and internal data theft, among others. When reports of the CryptoLocker malware began circulating late last year our systems administrators modified our dedicated email filter to block any affected messages and notified staff of the potential threat with training on how to react to suspicious email. We are in the process of moving some of our public-facing services to hosting with cloud providers to leverage the higher availability and threat prevention offered by these services.
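The two controls Ment mentions, a keyword screen over email and a gateway filter adjusted to catch the CryptoLocker lure, can be shown concretely. The following is an added example written for this page; it is not StepStone's filter, nor code from pfm or the interviewee, and it does not describe how their filter was actually configured. It implements the rule that caught the 2013 CryptoLocker campaigns (a ZIP attachment whose member is an executable, typically hiding behind a double extension such as "invoice.pdf.exe") alongside a body keyword screen. The watch list, extension sets, thresholds, addresses and the three sample messages are all constructed for the demonstration.

```python
"""
Added example, not from the interview: a gateway-style scan of a raw RFC 5322
message that (1) blocks executable attachments, including executables hidden
inside ZIP archives under a double extension, and (2) flags messages whose body
matches several words from a keyword watch list.  All lists, thresholds and
sample messages below are constructed assumptions.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed lists: extensions a business gateway should never deliver, and
# document extensions commonly used as the first half of a double extension.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Constructed keyword watch list; two or more hits in a body flags the message.
KEYWORDS = ("invoice", "payment", "wire transfer", "voice message")
KEYWORD_THRESHOLD = 2


def suspicious_filename(name):
    """Return a reason string if the file name looks like an executable lure, else None."""
    dots = name.lower().strip().split(".")
    if len(dots) < 2 or "." + dots[-1] not in EXECUTABLE_EXTS:
        return None
    if len(dots) >= 3 and "." + dots[-2] in DOCUMENT_EXTS:
        return f"double extension masquerading as a document: {name}"
    return f"executable attachment: {name}"


def inspect_archive(data):
    """List suspicious member names inside a ZIP; an unreadable archive is itself a reason."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["archive could not be parsed (treated as suspicious)"]
    return [r for r in (suspicious_filename(n) for n in names) if r]


def scan_message(raw):
    """Scan raw message bytes; return a verdict of 'block', 'flag' or 'allow' with reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = suspicious_filename(name)
        if reason:
            reasons.append(reason)
        data = part.get_content()
        # Identify ZIPs by magic bytes rather than by the declared name or MIME type.
        if isinstance(data, bytes) and data.startswith(b"PK\x03\x04"):
            reasons.extend(f"inside {name}: {r}" for r in inspect_archive(data))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = [k for k in KEYWORDS if k in text]
    if reasons:
        verdict = "block"
    elif len(hits) >= KEYWORD_THRESHOLD:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons, "keywords": hits}


def zip_with(member_name, member_bytes):
    """Build an in-memory ZIP holding one member (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


def build_sample(subject, body, attachment=None):
    """Construct a sample message; attachment is (filename, bytes, MIME subtype) or None."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"   # constructed addresses
    msg["To"] = "analyst@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data, subtype = attachment
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed sample traffic: a CryptoLocker-style lure, a benign agenda, and a
# text-only message that only trips the keyword screen.
SAMPLES = {
    "lure": build_sample("Your invoice", "Please find attached your invoice for payment.",
                         ("invoice.zip", zip_with("invoice.pdf.exe", b"MZ constructed stub"), "zip")),
    "agenda": build_sample("Weekly agenda", "Agenda for Monday's meeting attached.",
                           ("agenda.pdf", b"%PDF-1.4 constructed stub", "pdf")),
    "nudge": build_sample("Payment due",
                          "Your invoice is ready; please arrange the wire transfer by Friday."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_message(raw))
```

The scan keys on what the attachment is, not on what the message says it is: the ZIP is recognised by its magic bytes, and the member names inside it are checked with the same rule as top-level attachments, which is the step a filename-only rule misses.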