Technology has opened up private markets to more people and made many day-to-day investment management tasks more efficient, cost-effective, and productive. But it has also left some firms more exposed. Why? Because the rapid pace of technological change creates weak points that increasingly sophisticated bad actors can exploit to gain access to sensitive information.
Investment firms of all sizes face cybersecurity risks related to their employees and investors, the different types of technology they use, and the service providers they work with. While the media tends to focus on security breaches at large global companies, cyber attacks on small and medium-sized businesses are becoming more frequent, targeted, and complex. Such firms often lack security resources and expertise, which makes them an easier target. According to Accenture, more than 40% of small businesses have been the target of a cyber attack, and only 14% are prepared to protect themselves.
If your firm drops its guard, a breach can easily disrupt normal operations. A study by Cisco found that 40% of small businesses that faced a cyber attack experienced at least eight hours of downtime, and that downtime is costly in terms of revenue, customers, and opportunities lost.
Regulators do not take these vulnerabilities lightly. They have flagged cybersecurity as an examination priority for a number of years, so during an exam you may need to demonstrate that your firm takes security seriously. Beyond productivity losses, out-of-pocket costs, or an adverse exam finding, a major data breach can cause lasting damage to your firm's infrastructure and, more importantly, its reputation.
Given the persistent threat of fraud and data breaches and the increased focus from regulators, cybersecurity is a growing concern for many Juniper Square customers. The good news is that firms that are proactive about assessing the risks they face and understanding where they have vulnerabilities are in a much better position to do something about it. Let’s examine some of the potential risks your firm might face in these three areas to determine how you can address them:
1. Employee- and investor-related risks
According to Security Magazine, there are more than 2,200 cyber attacks each day globally, or roughly one every 39 seconds. All it takes is one innocent click to give an attacker the access they need. According to Cybint, nearly 95% of all digital breaches involve human error.
One of the most common ways attackers gain access to investment management firms' systems is through phishing campaigns that trick employees or investors into clicking a link, opening an attachment, or entering their credentials on a look-alike page. That single action lets the attacker install malware (often ransomware) or take over the victim's account. The email usually looks harmless, or appears to come from someone the recipient knows. While it sounds simple, it is a startlingly effective strategy. According to the FBI, phishing was the most common attack method reported in 2020, and 74% of companies were victims of a successful phishing attack. This was due in large part to the shift to remote work during the pandemic; in fact, there were 11 times as many phishing attacks in 2020 as there were in 2016.
Your best defense is educating your people; as they become more wary, your exposure shrinks. It is equally important to tell your investors how you will contact them and what information you will request. The IRS does not do everything right, but it does state plainly that it will never request personal information over the phone. Follow that example: tell investors exactly which channels you will use and what you will never ask for by email or phone, so they can recognize someone impersonating your firm. In practice that means exchanging sensitive information through a secure platform rather than email attachments, and confirming any change to payment or wire instructions through a separate, previously agreed channel (such as a call-back to a known number) before acting on it.
2. Technology stack risks
While people-related risks can be partly mitigated through education, technology-related risks can often be reduced simply by using all the security features your current technology providers already offer. In May 2019, the SEC's examination staff issued a risk alert noting that many firms were not properly protecting customer records held in network and cloud storage, frequently because the security settings the storage provider offered had never been configured. The alert also flagged technology and other third-party vendors as a point of risk, since sensitive information is often stored on a vendor's systems rather than the firm's own.
Here are a few specific areas often overlooked:
Misconfigured settings: These often result from a lack of effective oversight when a solution is first implemented, and from assuming that vendor defaults are safe. To avoid this, work with providers that partner with you from initial setup through ongoing monitoring and maintenance, and review the configuration yourself rather than taking it on trust.
Security features: Many modern cloud-based storage solutions offer a wide range of security features, but they protect nothing until they are turned on and configured correctly. Make sure encryption (at rest and in transit) and multi-factor authentication are actually enabled for the systems that hold sensitive data, and verify that periodically, not just once.
Appropriate data controls: To properly protect sensitive data stored electronically, step back and identify the different types of data you hold, classify them, and maintain appropriate controls for each class. Data that has never been classified cannot be given the right level of protection. Ensure the systems and tools you use let you apply different control levels to different types of data.
In many cases, the fix is as simple as configuring the security settings correctly or strengthening insufficient data classification policies and procedures. Take the time to review security settings with your software providers to ensure you are using the protection that is already available to you.
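The three review points above (misconfigured settings, unused security features, unclassified data) can be turned into a repeatable check rather than a one-time conversation with the vendor. The script below is an added example, not code from the original article or from Juniper Square; it audits a constructed export of storage and admin settings in a simplified, hypothetical format (the field names `classification`, `encryption_at_rest`, `grants` and `mfa_enabled` are assumptions for illustration, not any vendor's real API) and reports the findings a reviewer would want to see before an exam:

```python
"""
Added example: audit a constructed cloud-storage configuration for the
misconfigurations discussed above. The config format is a simplified
stand-in for illustration, not any vendor's real API or schema.
"""
import json

# Constructed sample export of storage buckets and admin accounts.
# It deliberately mixes one correct entry with several weak ones.
SAMPLE_CONFIG = json.dumps({
    "buckets": [
        {   # Investor KYC files: sensitive, but anonymously readable and unencrypted.
            "name": "lp-kyc-documents",
            "classification": "confidential",
            "encryption_at_rest": None,
            "grants": [{"principal": "*", "permissions": ["READ"]}],
        },
        {   # Public website assets: anonymous read is intended here.
            "name": "marketing-site-assets",
            "classification": "public",
            "encryption_at_rest": "AES256",
            "grants": [{"principal": "*", "permissions": ["READ"]}],
        },
        {   # Fund ledgers: restricted, encrypted, named principal only. Correct.
            "name": "fund-ledgers",
            "classification": "restricted",
            "encryption_at_rest": "AES256",
            "grants": [{"principal": "user:controller", "permissions": ["READ", "WRITE"]}],
        },
        {   # An old shared drive nobody classified, so no control level can be chosen.
            "name": "shared-drive-archive",
            "classification": None,
            "encryption_at_rest": "AES256",
            "grants": [{"principal": "group:all-staff", "permissions": ["READ"]}],
        },
    ],
    "admin_accounts": [
        {"user": "alice", "mfa_enabled": True},
        {"user": "legacy-admin", "mfa_enabled": False},
    ],
})


def audit_storage(config_json):
    """Return a list of (resource, finding) pairs for settings that leave
    sensitive data exposed or that cannot be controlled at all."""
    cfg = json.loads(config_json)
    findings = []
    for bucket in cfg["buckets"]:
        name = bucket["name"]
        cls = bucket.get("classification")
        # Unclassified data: the control level cannot be chosen, so flag it.
        if cls is None:
            findings.append((name, "no data classification; access level cannot be set"))
        # Encryption at rest is usually offered but must be switched on.
        if not bucket.get("encryption_at_rest"):
            findings.append((name, "encryption at rest disabled"))
        # A grant to "*" means anyone, authenticated or not. Acceptable for
        # public web assets, a breach for anything sensitive or unclassified.
        for grant in bucket["grants"]:
            if grant["principal"] == "*" and cls != "public":
                perms = ",".join(grant["permissions"])
                findings.append((name, f"anonymous {perms} access"))
    # Admin accounts without MFA are the most valuable phishing target.
    for acct in cfg["admin_accounts"]:
        if not acct["mfa_enabled"]:
            findings.append((acct["user"], "admin account without MFA"))
    return findings


if __name__ == "__main__":
    for resource, issue in audit_storage(SAMPLE_CONFIG):
        print(f"{resource}: {issue}")
```

Running it against the sample reports the KYC bucket twice (unencrypted and anonymously readable), the unclassified archive, and the admin account without MFA, while the public marketing bucket and the correctly locked-down ledger bucket produce no findings. The useful habit is the loop, not the specific rules: export the real settings from each provider on a schedule and diff the findings against the last run, so a setting that drifts after an upgrade or a vendor migration shows up before an examiner finds it.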
3. Third-party service providers
With increased regulatory scrutiny on one side and increasingly sophisticated investors on the other, the back-office function faces growing pressure to administer funds with greater speed, transparency, accuracy, and thoroughness than ever before.
Having documented policies and procedures is essential to consistency, continuity, and risk reduction. Our experienced administration team has found that firms that develop, maintain, and adhere to a thoughtful security plan are more likely to avoid errors, meet compliance and audit obligations, and deliver timely service to their investors.
At a minimum, your security policies and procedures should cover the services provided by your firm, the workflow, permission levels and detailed tasks and procedures related to financial reporting, administration and compliance, capital management, books and records of the funds and subsidiary entities, along with the documentation of procedures to access reports. It should also contain the location of original source documents, cash transactions, journal entries, general ledgers, and other financial reports. Your policies should cover the storage and transmission of both paper and electronic data, including the investor portal. Documenting internal controls is another best practice that enables your firm to meet industry benchmarks for data reporting accuracy and service continuity. Internal controls include the processes, checks and balances that support quality control, risk mitigation, and business growth.
Be sure to work with partners that take security seriously and have the necessary controls in place. Ideally, your technology and administrative partners should have current SOC 1 and SOC 2 reports. A SOC 1 report covers the provider's controls that are relevant to your financial reporting; a SOC 2 report covers controls evaluated against the security, availability, processing integrity, confidentiality, and privacy criteria for managing customer data. Ask for the Type 2 report, which tests whether the controls actually operated over a period of months rather than merely existed on a single date, and read the exceptions and the list of "complementary user entity controls," which are the controls the provider expects your firm to implement on its own side.
Putting it all together: A GP’s security program
The consequences of putting investor information at risk can be devastating, so data security and protecting investor privacy should be at the top of your firm’s important issues list.
GPs are expected to adopt policies and procedures reasonably designed to protect both LPs' data and the firm's valuable proprietary information. Their program must address data protection and include a governance framework that covers access rights and controls, employee training, vendor management, and response planning and testing.
Austin Carlson, Managing Director, Head of Sales & Investor Relations at Parkview Financial, sums up why investors care about security. "They want to feel that there is a reputable firm overseeing everything that a GP is doing. That has to do with not only the investments, but the movement of cash. To have those checks and balances in place is extremely important. You'd have to take a step back and put yourself in the shoes of an investor, which in some capacity, I think we all are in our personal lives. If you're a high-net-worth individual allocating hundreds of thousands or millions of dollars, you want to feel secure that your money is being looked after. Not only that the manager is acting as a fiduciary, which is exactly what they are, but their third-party lawyers, accountants, and most importantly, the fund administrator is actually watching over everything that's happening. Reputation is everything in this business, whether you're a fund manager or a fund administrator, and having that reputation is key."
By documenting internal controls, defining the rules that govern who may access and change information, and assigning oversight responsibility for each type of data, your firm or administrator can reduce risk and make it far more likely that your firm avoids security problems.
Juniper Square takes security seriously.
Talk to us about how we can help you develop, organize, and strengthen firmwide controls to defend against cybersecurity risks.