Redefining Your Cybersecurity Program to Meet Current Demands
April 12, 2022
By Elana Margulies-Snyderman
The topic of cybersecurity has never been more urgent, for reasons that include the Russia-Ukraine conflict, the SEC’s proposed rules requiring fund advisors to report cyber risks and incidents, and a reputable bank’s statement that 62% of companies experienced fraud via compromised business email in 2021.
At the Foundation Research Associates (“FRA’s”) 7th Annual Master Client Services and RFPs for Institutional Investors Conference, which took place March 28 and 29 in New York City, a trio of panelists shared the importance of financial services firms having robust cybersecurity measures in place. The panelists included:
- Rahul Mahna, Managing Director, Managed Technology Services, EisnerAmper
- John Polis, Chief Operating Officer/Chief Technology Officer, Star Mountain Capital
- Michael Von Bevern, CEO, Socium Fund Services
- Elana Margulies Snyderman, Senior Manager, EisnerAmper (moderator)
Several timely and relevant topics were discussed:
Firms Need to Develop an Effective Strategy to Communicate Their Cybersecurity Capabilities
For firms to develop an effective cybersecurity strategy, it’s critical to set the tone at the top so leadership can emphasize its importance to employees, ultimately treating it with the same urgency as compliance issues. Therefore, it’s critical that firms constantly train and educate employees and perform tests so they can identify cyber risks (such as phishing attacks and hackers), protect their personally identifiable information and more.
The panel agreed that password management via multi-factor authentication is critical. This is where users are required to input multiple factors to gain access to a system.
The panelists concurred that, typically, senior-level employees have been more diligent about exhibiting robust cyber hygiene than mid-level and junior-level employees. Through training, education and testing, the hope is that the entire firm will understand its importance.
Understanding the New Rules for Firms to Redefine Their Cyber Policies and Program
In February, the SEC proposed rules that would require investment advisers and funds to exhibit greater transparency by reporting cyber incidents to the Commission to determine their preparedness and reduce cybersecurity-related risks to clients and investors, improve their disclosures and enhance the Commission’s ability to assess systemic risks.
The panelists indicated that the proposed rules requiring increased transparency seem like a positive to ensure investor confidence, but that it’s still too early to tell if they will be the ultimate solution for firms to have better cyber hygiene. In addition, with the proposed rules, funds’ boards of directors would also need to be trained on the proposed cybersecurity policies.
The Future of Data Privacy
Cybersecurity is here to stay, and the number of attacks will only increase. Having robust cybersecurity measures in place is the most important way to protect client and firmwide data.
The onus is on firms to continue to train and educate their employees, conduct testing, and spend money on hiring a dedicated C-level executive internally focused on cybersecurity or partnering with an outside provider to assist with this function. These are just a handful of ways funds can prepare. In addition, it’s critical firms have an incident response plan in place that an internal person can access should an attack happen. And, finally, firms should make sure their insurance policies adequately cover cyberattacks.