Cybersecurity is one of the most critical issues confronting investment firms.
Indeed, according to the Investment Firm of the Future, published by CFA Institute earlier this year, 24% of CFA Institute members rated cybersecurity as their firm’s top technology priority. And that figure is only expected to grow in the years ahead as technology takes on an ever-greater role in the investment management process.
With that in mind, what can firms do to protect themselves and their clients from potential data breaches?
For guidance on this topic, we spoke with cybersecurity expert E.J. Yerzak of Ascendant Compliance Management — a CSS company. Yerzak’s recommendations on how to both prevent attacks from occurring and best respond to them when they do take place can be summed up in two words: Be prepared.
What follows is a lightly edited transcript of our conversation.
CFA Institute: Cyber barbarians are at the metaphorical gates of many investment firms. What’s the best way to prepare?
E.J. Yerzak: Hackers are certainly at the gate. In many cases, they’re already inside the gate. That’s what firms should take to heart.
The moment a cyber incident is detected is not the time to be preparing your response plan. Time is of the essence when state and international breach reporting deadlines are triggered. I think the European Union’s General Data Protection Regulation (GDPR) imposes a 72‑hour deadline for reporting.
That’s an incredibly short time, given the time it typically takes to identify exactly what happened during a cyber incident, what may have been compromised, what files or folders may have been accessed, what the time frame was.
Did it start a week ago? Three months ago? Are the hackers still in the system? These types of investigations take a lot of time to sort through, so to have a very short breach reporting deadline really heightens the need for an incident response plan and adequate preparation in advance, and not at the moment of a breach or a cyber incident.
Developing and testing an incident response plan in advance can provide reasonable assurances and peace of mind that the plan will work.
Interestingly enough, firms say all the time, “I’m not at risk.” It’s either, “I’m a small firm. I’m not a target, so I don’t need to prepare as much,” or, “I’m a large firm. I have good technical controls in place, and the hackers are more likely to go after the small guys with no security.”
I think both sides are perhaps calculating their risk exposure erroneously. They have got it wrong. The truth probably lies somewhere in the middle, and the truth is that we’re all at risk.
Regardless of firm size, say you do invest the time and energy in preparing the crisis plan. How well do these protocols work when the actual cyber incident occurs?
You’re absolutely right to imply that the moment a crisis hits, protocols seemingly go out the window. Stress is high. Getting a hold of people, finding the right parties, even organizing a conference call, may be a challenge.
These are important considerations to plan for in advance. It’s virtually impossible to predict every possible scenario or type of cyber-security incident out there. So prepare for the most likely situations and provide for some flexibility for those that perhaps you haven’t anticipated. The action plan should at least take a firm most of the way there without much deviation.
Another reason it is a great question: As I mentioned, stress is high. People want answers right away, and people want decisions made yesterday. Time is of the essence.
You don’t want to make the decision incorrectly. You also don’t want multiple parties in your organization to be making the same decision separately or making different decisions because they’ve made those decisions separately.
When it comes to communicating about the breach, you don’t want someone in a client relationship role explaining what happened to a client when the marketing department may be crafting a specific breach response message to all clients.
There’s a good reason why an incident response plan works in an actual cyber incident, when the tension is high and there are many competing priorities. For example, the CTO may want to shut systems down to prevent hackers from jumping to other systems. And at the same time, the CEO may want to keep systems up and running to avoid downtime for clients. Response time is critical when multiple stakeholders are asking for decisions to be made, plus a firm is dealing with business and regulatory implications.
In the middle of that crisis, you don’t want to waste critical moments searching for the phone number of your legal counsel, for example, or the contact name at your IT vendor. A documented plan takes some of that stress off the table.
At a minimum, it provides a series of steps to follow in each case. Provide some flexibility in your response to account for unique circumstances. Again, you can’t prepare for every scenario. So plan for the most likely and document all relevant information, such as contact information, in one place for ease of reference.
Who should compose a firm’s crisis response team?
Many firms struggle with questions like this. Should it be one or two people? Should it be a large committee structure?
The answer differs from firm to firm based on their size, infrastructure, arrangements, and vendor relationships. If an investment firm has a dedicated IT staff in house, that changes the situation compared to one that outsources most of its IT.
At a minimum, the folks that you’ll want on the incident response team, or the crisis response team, are going to be key decision makers. They should have access to the necessary information to make those decisions and be authorized to make them. Having someone on the incident response team who has no authority would be a waste of time and resources.
It’s okay to loop in those parties, as necessary later on in the process, for a particular expertise or in response to a particular question. However, the core of the incident response team should be the decision makers. At a minimum, you would want the CEO, most likely the CCO [chief compliance officer], someone in operations, such as the COO [chief operating officer], and someone in a technology role, whether it’s the chief technology officer (CTO) or chief systems officer (CSO). You would also want C‑suite executives on the team to get the process started. Someone needs to be authorized to invoke the incident response process and enable those on the team to go further down the food chain and bring other stakeholders in as necessary.
A smaller-scale incident — for example a cyberattack on the firm’s website — may be primarily handled by the CTO, who will get in touch with the IT vendor or the hosting provider, and get that website back up and running.
Ransomware is different, and you’ll want all those parties to be making decisions that may impact the entire firm.
The key to a successful incident response team is that it be malleable. One of the reasons firms struggle with the composition is the desire to anticipate every incident type. It becomes very difficult to determine in advance who in every possible situation may need to make a decision.
Instead, it is perfectly fine to design your incident response plan to account for the possibility of looping in additional resources as necessary. Maybe the incident response plan defines who those parties are that may be brought in as necessary, whether it’s by designating specific individuals by name, role, function, title, or even by group or reference to other committees.
One example that I see a lot in an incident response plan is you have the core incident response team, and then references to looping in the firm’s general counsel or outside legal counsel as necessary, and the firm’s system administrator or particular IT vendors who would be assisting in the process of the breach investigation. It may be clear at the outset what the cause of and response to an incident is. There may be cases where you’ll need to loop in those experts to provide guidance on next steps.
What external parties besides the firm’s usual vendors should be included?
Have a specialist legal counsel on retainer, with particular expertise in privacy breaches and breach response. Your attorney might be the first call you make to protect any further communication and discussions under appropriate privilege.
Also, I recommend having a forensic investigation firm on hand, on retainer, to assist with examining the files on your network and piecing together what happened and which files were accessed.
A lot of times, these types of vendors prefer you retain them in advance so they have time to get familiar with your systems and your network — instead of reaching out to them when you’re in the hair‑on‑fire moment in the middle of a breach. They’re certainly going to charge a premium to drop everything, fly out to your firm, and look at your systems. Having those discussions in advance can save money.
You may want to have a public relations firm on hand, or at least in mind, to help craft any public‑facing messages, whether it’s to clients, to regulators, or shareholders. Again, depending on the nature of the incident and the firm’s business model, these public communications are critical to get right and could make the difference between the investment firm staying in business or losing a lot of clients.
Have the contact information for your local and federal law enforcement personnel, departments, and regions handy, so that if it’s a major incident or something involving a wide‑scale hacking attempt, for example, you can loop in the appropriate law enforcement.
Chances are if you’re seeing a hacking attempt at your firm, other firms have already seen a similar attempt. The FBI is likely already aware and may have some recommendations and solutions.
How do you prioritize decisions in the fog-of-war moment?
Most stress in the middle of a cyber-security incident comes from competing priorities both within the organization and with the firm’s general stakeholders. As I mentioned earlier, you may have the CEO who wants to keep systems running and a CTO who says, “No, we have to shut everything down to prevent further spread of this malware, or this ransomware, in order to prevent further data from being compromised.”
When it comes to prioritizing, I recommend the firm take all business and regulatory risk into consideration. Are there financial penalties in play if the response goes beyond a certain time frame?
This general compliance risk has to be on everyone’s radar. Are there legal requirements in play, in addition to the SEC, for example? Would the FBI want you to take certain steps? Would your legal counsel? If your firm has cyber insurance, would the carrier require you to take certain steps or else void your coverage? These are some of the examples of competing priorities and decisions that need to be made.
If I were to prioritize one or two actions, your first phone call should be to legal counsel. Your second to your cyber insurance carrier. At least give them the lay of the land, the information that you know at that point.
Try to discern as much information as possible as quickly as possible, understanding that you haven’t necessarily looped in a forensic investigation firm yet to dig into the incident. At least be able to tell your counsel and carrier about how the breach was detected, what information you think may have been compromised, how it came to your attention. It is important to start the conversation, even if you don’t have all the facts.
Can you war-game these cyberattack responses?
It’s one thing to have a documented plan on paper. Until you put it to the test with war games or tabletop exercises, you may not realize that there are some unforeseen situations that may arise.
War-gaming your incident response plan can do wonders for assessing how reasonable it is. Again, you can’t anticipate everything under the sun, but have you anticipated all likely scenarios?
When you start putting the incident response plan to the test . . . someone at the table may say, “Hey, what about this system over here? Our series of five steps here didn’t anticipate that we need to pull backups from system A, and that system A can’t talk to system B unless we’ve done steps one, two, and three over here.” Things like that are important to try to work through in advance.
One easy way to put an incident response plan to the test is to conduct a staff phishing test. These tests can strengthen your defenses and the security awareness of your staff and prevent these issues from occurring in the first place. Phishing tests can also help walk you through a likely situation of ransomware getting onto your network. One of the first steps to consider: Do you pull the plug on your systems? Do you loop in the IT department to investigate what’s happening in real time? At what point do you start communicating to clients?
You need to throw a wrench into the equation every now and then. Say, for example, a client calls up and questions why they can’t access their online account while you’re in the middle of working through your response plan. Now, you have a client on the phone asking for an answer. Marketing hasn’t yet prepared the public response. What do you do in that situation? These questions are important to brainstorm in advance.
A great way to war-game the incident response plan is to loop in different parties, departments, and personnel within the firm, so that everyone can have a taste.
I tell firms all the time that incident response is everyone’s responsibility. It’s not just an IT or a senior management situation. Every single employee is in a position to potentially detect and help stop a breach.
Did you see teachable moments in the recent spate of high-profile cyberattacks?
A number of recent cyberattacks have highlighted the need for better vendor due diligence. We saw with cyberattacks at Target and others that the interactions among businesses and their third‑party suppliers and vendors can have unanticipated implications.
If someone compromises the vendor’s systems, does that have an impact for other counterparties down the line? Would an investment firm’s third‑party vendors pose a risk if they’re compromised, hacked, or used as a springboard for attacks on other parties?
Again, this gets back to the earlier point that small firms sometimes feel they’re not targets. Perhaps they don’t have as much money as the big fish. They think the hackers are going to go after the big guys.
Sometimes, the small firms will be hacked to use their systems for attacks against other firms, to mask where the traffic is coming from, or to try to go undetected. Public breaches have shown that vendors pose a risk.
They also show that it’s incredibly important to get the public relations plan right. Getting the message out in the wrong way can have serious consequences for the continued viability of the business. Some firms have gotten it incredibly right, and some firms have failed.
What is the best practice for communicating after the incident?
Get everyone on the same page. Coordinate all messages internally before making any public statement.
Be very careful in describing the incident. Don’t use the word breach unless there has, in fact, been a breach. Various state regulations define what constitutes a reportable breach. Determining that something is a breach is a legal decision. Firms should not take it lightly. Be very careful in any messaging and communications in how you frame the nature of what occurred.
A lot of times, firms will describe things as an incident, an event, or some activity that has been detected. Once you use the word breach, there are reporting implications.
Is there such a thing as a good cyber crisis?
No crisis is good from a firm standpoint. However, long stretches without any cyberattacks whatsoever may lead to complacency. It is dangerous to let your guard down, when, in fact, the threats are increasing and hackers are getting more sophisticated.
It’s only a matter of time before your investment firm is the target.
Any parting words of wisdom?
Do not put off the development of your incident response plan. Chances are the hackers are already on your network. The longer you wait, the more likely it is that you’re not going to be prepared.