Cybersecurity: A new frontier in fiduciary duty
An evolving threat requires an evolving response
Recently, the SEC released a slate of new cybersecurity guidance for financial services firms. The agency will be looking hard at how investor data is protected, and if it isn't, firms could face significant fines and penalties. But increased regulatory scrutiny of cybersecurity practices isn't the investment industry's real problem. The real problem is the ever-evolving, increasingly sophisticated attacks to which your systems, and your investors' data, are subject every day.
Consider a few statistics: Only 2 percent of breaches are detected in the first 24 hours. However, between 60 and 68 percent of breaches result in data loss in that same period. Only between 35 and 46 percent of organizations realize they have been breached within one month of the event. Finding, containing and recovering from a single breach can cost as much as $5,407,820. Cybersecurity insurance will only cover a fraction of that, with average payouts hovering between $954,253 and $3,500,000. Consider those statistics, then consider the extremely sensitive nature of the data your investors entrust you with, and the ramifications to your business if you were breached. Regulatory scrutiny is the least of your cybersecurity worries.
When most people think of cybersecurity, they think of the anti-virus software on their personal computer or entering a password to get to restricted content. But in reality, to create truly secure environments, financial firms will need to rely on more than just a password.
According to Damion Geopfert, national leader of security and privacy consulting for RSM US LLP, cybersecurity is as much about training and situational awareness as it is about passwords. Hackers are becoming much more automated and sophisticated in how they approach their attacks. They are also selling their skills to others.
"With modern hacking, everything is in a kit form," says Geopfert. "Skilled hackers have figured out that they can make more money and escape the risk of getting caught by packaging their attacks and selling them on the open market. Less experienced hackers buy the kits and turn them loose on access points. What you have now are idiots with nuclear weapons."
Sophisticated hacking typically also involves a social engineering element that prompts a targeted individual to do the work of the hacker. One example is an email that appears to come from the CEO or the COO and prompts an employee to hand over sensitive information. The request could be for passwords that grant access to a system, or it could be for money. Either way, it is a lot less work for the hacker to be given what they need than to have to hunt for it.
Other hacking trends include embedding malware in documents or taking over accounts. Ransomware is also new and widespread. As the name would suggest, ransomware takes over an account and forces the user to pay a ransom to get their data and the full use of their device back.
This burgeoning set of threats means that financial services firms have to increase their defenses to keep up.
Enabling two-factor authentication is a good early step. It's a quick way to protect logins. Also, embed security throughout your IT infrastructure so that one set of credentials will only get an intruder so far.
Some 41 percent of breaches involve the loss of personal identifying information, which can be especially sensitive within financial services firms and can include details of a person's wealth. One key way of protecting this information is finding out where all of it is and then encrypting it in such a way that it ends up worthless to someone who steals it.
"Security monitoring is also vital," says Geopfert. "When someone gets in for the first time, they won't know where to go right away. A good monitoring system will spot them mucking around in the system, which lets you isolate and block them. That can mean the difference between an intrusion and a breach."
Another key benefit of effective security monitoring is recognizing intrusions more quickly. "It often takes a very long time before breaches are detected, especially if there is no clear disruption in a business," Geopfert says. "The majority of breaches are detected by third parties, which is why it is crucial to have a monitoring plan in place as well as strong relationships with reliable security professionals."
The right insurance coverage is also important. "You can get cyber D&O in addition to traditional D&O insurance, and you'll want to work out with them clearly defined policies and breach response procedures to make sure that they will pay the claim in the event of a breach. If you fail to meet the conditions of the policy, you could be on the hook for the whole thing," Geopfert says. Insurance companies aren't the only ones who will be looking closely at your incident response plans. The SEC may step in with an enforcement action if it is determined that subpar security practices made a breach that much easier.
Don't buy trouble
Your own company's security isn't your only concern. If you make an acquisition, you're also buying the cybersecurity history of the target. This can be a particularly vital concern for private equity companies given the number of acquisitions they make.
"There have been a lot of instances of financial companies acquiring companies that have data breaches," Geopfert says. "If you don't know about the breach before you buy, remediation is done on your dime, which can significantly damage the value of a deal."
Cybersecurity should be part of your due diligence process. Companies have been known to defer critical upgrades and maintenance costs if they are trying to keep their costs low and attract a buyer. "We looked at a company as part of a diligence process, for example, and it became clear over the course of the examination that they were running computers nearly at the end of their life cycle," says Geopfert. "Those computers hadn't been maintained. So even though it looked good on paper, any buyer was going to have to spend millions to bring the security and hardware up to current version. That's really significant."
Selling insecure companies can also be a huge risk for private equity firms. "If you're selling a company that you say is secure, and it isn't, that's a big headline and litigation risk. Depending on the circumstances it may also be criminal," Geopfert adds.
In order to work through these issues, Geopfert suggests doing a security risk assessment alongside the traditional due diligence process. "We can tell you within a range how secure or insecure a company is," he says. "At least it mitigates the possibility of surprise after a deal closes." Adding regular security assessments into your own organization can also be beneficial, especially for firms that are invested in a number of different portfolio companies.