There are a number of priorities that firms in the alternative investment sector must attend to, but in today’s increasingly cyber environment, the biggest must be cybersecurity. Following closely behind, is compliance with mandatory regulations. The two priorities are often intrinsically linked, and should be approached as one.
But where to begin? The increasing adoption of cloud services has brought huge benefits to the alternative investment sector, allowing firms to scale quickly, utilise cutting edge technology without high levels of investment upfront and meet the needs of a hyper mobile workforce. Cloud services also provide the power and space for firms to deliver client-facing services over the internet, and to take advantage of CPU hungry applications like big data analysis tools. All of this can contribute to a much needed competitive edge, but against a backdrop of increasingly sophisticated cyber security threats, and complex regulatory compliance obligations, it is difficult for firms to know how to best proceed. Businesses need to manage enterprise security across an array of applications and infrastructure, while remaining 'open' and 'hyper-connected' at the same time.
Mobile devices are easily lost and in order to protect data held on them, firms must demonstrate that devices can be protected even in the event of loss or theft. Remote wipe technology is ideal. MiFID II’s communication recording element means that firms should only allow employees to use corporately approved devices, or devices where they have the facility to record calls, text messages and instant messages, if they relate to a deal or possible deal. Wireless data encryption, or mobile VPN access can protect data in transition too.
Cloud services add complexity
Most firms are using cloud services of one type or another, many have a multi-cloud environment, which brings great flexibility and efficiency, but can cause compliance headaches. When researching a cloud service provider it is key to look for one with a standards-based cloud environment and a security offering that meets the same regulatory policies and procedures you have to comply with. Be sure to check the contract and service level agreement carefully to determine how the provider meets specific compliance requirements. The provider should be able to provide assurance that they meet compliance requirements, and can prove it if required by a regulator.
Prepare to be hacked
With perimeters becoming blurred by mobile workforces and multi-cloud environments, firms can expect to experience hacking attacks on systems holding client data, or attacks in which trading systems are manipulated for financial gain or simply to cause disruption. These are probably the most obvious types of attacks that an investment firm should expect to see and can be guarded with a multi-layered cybersecurity strategy which secures end points, correctly deployed next generation firewalls, and regularly updated AV software. Technology which uses machine learning is also becoming more prevalent as a method of detecting new threats and coping with the sheer volume of emerging threats. Artificial Intelligence allows the technology to learn from the threats that are known and identify shared characteristics which could indicate a new threat.
Ensure employees are well trained
Fake calls and phishing emails sent to employees containing malware are more difficult to mitigate against, and will require traditional cyber security defences combined with robust employee training and spot testing. Multi factor authentication, preferably containing some biometric authentication, are essential for fraudulent attempts to breach security, but for employees who are authenticated, there needs to be regular and robust training which triggers a warning and helps employees to identify fraudulent activity. Predictive analytics can monitor and aggregate employee behaviour and trigger alerts if one or more anomalous behaviours occur. Anomalous behaviours can include higher numbers of downloads, encrypting data, accessing the network from machines not previously recognised. Sophisticated systems can also pull in data from the HR department which may indicate problems, such as increased sick leave or poor performance reviews.
Compliance relies on cybersecurity
Many of this year’s biggest regulatory challenges have an intrinsic cybersecurity element, with data protection being a huge concern especially with the looming General Data Protection Regulation (GDPR). Firms must be able to prove that they have taken all necessary steps to protect their clients’ data and to ensure that they have not allowed a security breach to take place. The primary objectives of GDPR are to give individuals back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Whilst the GDPR is a European regulation, any firm that provides goods or services to a customer in the EU must comply. Compliance with the GDPR means that firms must inform the individual that their data will be collected and what it will be used for, plus the risks, rules and rights in relation to the processing of that data. They must only keep personal data for a limited time, erasing or reviewing the data at the end of the allocated time period. There must be a process in place for individuals to request access to their data, make changes or withdraw consent to use the data at any time. In the event of a data breach where that data is unencrypted, firms must notify individuals within 72 hours. This is where a cyber incident response plan will be essential. Larger firms, with over 250 employees, or over 5000 customers in a 12 month period must also appoint a data protection officer.
For finance and investment firms, who have a requirement to collect personal data to adhere to money laundering regulations and guidance on investor suitability for the different financial instruments on offer, GDPR will prove onerous. In addition, it allows huge fines to be levied for non-compliance, so it has a real bite.
More data needs more protection
Many current regulations increase the reporting burden on firms, requiring them to generate, collect and store more data than ever before. This data is used for transparency purposes and for safeguarding checks, in the wake of the most recent financial crisis. EMIR for example, mandates that all parties involved in trades must submit timely notifications of How the approaching, exceeding, and no longer exceeding the clearing threshold as defined by EMIR. In addition, Foreign Account Tax Compliance Act (FATCA) has been adopted by the UK and requires all UK financial institutions and other financial intermediaries to report and disclose information about assets deposited by UK residents in accounts held in Crown Dependencies. Firms must ensure they have software and procedures in place to identify and report on their relevant clients when required.
MiFID II and MiFIR pose yet more challenges and the transaction reporting requirements will impact greatly on buy-side firms, as they will no longer be able to rely on their brokers to report on transactions. All firms will be expected to unbundle research costs from their commissions and we have already mentioned the requirement to record all communications pertaining to trades. These huge quantities of extra data must be stored for up to five years and in a secure format, which can be easily retrieved if requested by a regulator.
Coping with such a large and growing volume of data poses serious challenges in terms of cost control, risk management and operational efficiency. Data management has become not only a serious problem of cyber-security but a compliance issue in its own right.