In the current Cybersecurity landscape, investment managers face three major challenges: (i) increased cybersecurity regulatory requirements; (ii) heightened investor/ODD expectations that demand transparency over their cyber controls; and (iii) ever evolving threat vectors that are being exploited by more sophisticated and capable threat actors.
Investment Managers are responding with increased cybersecurity efforts and a renewed ownership and understanding of their Cybersecurity Posture. The strength of an investment managers cybersecurity policies, controls and how effectively they mitigate risk, is referred to as its cybersecurity posture.
A comprehensive approach to mitigating risk can help firms gain a better understanding of how to improve their cybersecurity posture, by quantifying risks, examining holes in security controls and comparing one’s cybersecurity posture against industry, and in some cases global, standards.
Furthermore, gaining a thorough sense of your firm’s cybersecurity posture can help you to understand how your risk mitigation strategy will directly protect valuable digital assets.
A Multidisciplinary Approach
Cybersecurity risk is a multifactorial and dynamic challenge and these risks exist within a firm’s underlying IT infrastructure, within its governance structure, compliance program, employees and its culture. And thus Cybersecurity Risk Management requires a multidisciplinary approach that encompasses an understanding and assessment of the following:
- Technological controls
- Operational (i.e. non-tech) controls
- Regulatory/compliance controls
- Governance controls
Moreover in today’s largely decentralized workplace, vulnerabilities are lurking across various operating systems, network devices, hypervisors, databases, phones, web servers, cloud applications and critical infrastructure that are largely dislocated (albeit, in most cases, connected by secure connections), it is clear that intermittent penetration testing and vulnerability assessments won't be enough to strengthen your cybersecurity posture.
To gain an accurate picture of your IT activity, you must continuously monitor the entirety of your digital environment. Reporting of vulnerabilities should also be continuously monitored by security professionals who will help you analyze existing threats.
For example, Align Cybersecurity, Align's Cybersecurity Advisory Practice, offers Managed Threat Protection to our clients which provides 24x7x365 monitoring, customized reporting and complete incident response planning to enable customers to focus on their business and operations.
Identifying Risk
To manage Cybersecurity Risk, you must first understand and identify your Cybersecurity posture, which involves your firm’s unique threat vectors, vulnerabilities and potential exploits. Primarily, there are two tools used to accomplish this:
Quantifiable Risk Assessment:
To get a sense of how your cybersecurity posture will hold up against threats, we recommend utilizing a solution that gathers risk data and provides risk scoring within your company’s landscape. Reviewing your company’s assets, your network footprint, intellectual property and proprietary data will help you identify and prioritize sensitive data pools. The use of risk scoring not only provides visibility into your current risk score but also provides insight into how it compares to global, industry-wide risk scores.
Qualitative Risk Assessment:
Conversely, Qualitative Risk Assessments will assist you in determining where risk originates, identify any control gaps and will inform you how urgently certain risks need to be resolved to reduce overall risk exposure. Investment managers must conduct these assessments periodically, not less than annually. Align provides this service to hundreds of investment advisers and regularly provides its clients with the requisite factual findings, observations, and recommendations, necessary for them to understand all the gaps, not just technologically, operationally, but also with regard to governance and compliance controls.
Industry Benchmarks
Comprehensive risk platforms will display your company’s risk against industry benchmarks and global standards in real time. Risks algorithms can grab input from client sensors and global risk feeds across numerous sources to illustrate how your risk posture measures up. Company risk and global risk can be gathered on a monthly basis to provide you with on-going visibility.
Common Risks
Common risks include the presence of unused or discarded services, operating systems that have reached end of life or the ultimate offender across systems: the use of default credentials.
Risks can also include factors such as the phish-ability of employees. How likely are they to open emails from unknown senders or even send proprietary business information externally? This information will help you determine how you can better educate your users to mitigate that potential risk.
Next Steps
Once risks have been identified and their severity determined, action lists can be implemented by your cybersecurity advisor or Managed Service Provider (MSP) to help guide vulnerability and threat management remediation.
Action lists should be presented during compliance or risk management meetings, or even annual assessments to provide organizational transparency and keep shareholders well informed on cybersecurity strategies. With an accurate picture of your cybersecurity posture, you can make a more informed decision about how to defend your environment.
Align Cybersecurity's comprehensive risk management solution offers regulatory compliant solutions that are continuously monitored, tested and evaluated.
To speak with an Align Cybersecurity expert, click here or on the button below to schedule a free consultation.
