How fund operators can monitor cybersecurity issues effectively
Eric Vermulm, Chief Operating Officer and Chief Investment Officer at Allied Investment Advisors, discusses cybersecurity for the investment and fund management space from a smaller business’s perspective.
Andrew Putwain POSTED ON 1/9/2023 8:38:46 AM
Andrew Putwain: Can you give a brief rundown of your role, background, and current organisation?
Eric Vermulm: I came to the operations side of the business through a background in portfolio management and investment research. Besides taking on the Chief Operating Officer role, I also have the Chief Investment Officer position. There is a benefit to marrying these two roles, since understanding the relationships between return on investment and the operational background clarifies things on both sides, which is ideal since clarifying the whole picture is something we focus on.
Andrew: For smaller-scale businesses, what are the key cybersecurity concerns and pain points?
Eric: Whether big or small, the biggest concern is safeguarding client and firm data. As a smaller firm, we have one advantage: we can rely on our custodian to help with some cybersecurity-related tasks like Know Your Customer (KYC) and anti-money laundering. While this is a huge benefit for us, it can also open a divide – removing us from the day-to-day of cybersecurity and giving us a false backstop, which is something we never want to happen. Other pain points include cost, which is a major line item on our annual budget. Even more significant than cost though, is time: finding the time to research, train, and make sure we have the right tools for our entire team.
Andrew: Cybersecurity can often be an extremely costly undertaking for fund/asset managers. What are some of the most important considerations in this area to keep costs lower?
Eric: While costs like insurance and having the proper software stack and safeguards are a big part of our budget, we also know these are just table stakes. The true cost is in a data breach or a cyberattack. For small and mid-size firms, these can threaten the life of the firm. So, prevention is where we spend the most time.
To help with costs we have turned to our third-party technology vendor to provide a lot of the behind-the-scenes options like network security and penetration testing. This wasn’t just an afterthought when we chose them – it was at the top of the list. We wanted to know that a cybersecurity presence was integrated into everything we do. While there are some great third-party vendors out there, we didn’t want there to be any disconnect between our technology and our security system. It also helped to keep costs lower by bundling with one firm.
Andrew: What do efforts around implementing prevention measures rather than correction procedures look like, and what are the drawbacks and positives this approach presents?
Eric: While correction procedures and policies are necessary, the vast bulk of our efforts are around prevention. We have tested and reviewed correction procedures, but if we never use them, we’ll be happy. It’s sort of like the toothpaste analogy: once it’s out of the tube, you’ll never get it back in. That’s why, even beyond the vulnerability assessments we have our technology consultants run, we focus on staff awareness and training. Statistics show that most breaches come from within – whether through phishing attempts, malware, or even low-tech phone scams – they usually start with an employee clicking or saying the wrong thing. While we have training on how to avoid these, the best way we’ve found is a culture of service. Larger firms may have the resources to put more safeguards and restrictions on their tech stack, but we can embrace being small, energising employees for each client.
Recently, we had an employee not recognise a client’s voice, so they politely asked for further client verification (along with double-checking the inbound phone number). Other members of the staff congratulated them on taking this security precaution, and so did the client, knowing we were looking out for their interests.
Andrew: In terms of insurance, this can be a minefield with cybersecurity – what challenges/opportunities have you seen that you’d recommend to those in the industry?
Eric: We’ve tried to embrace our cybersecurity insurance and its requirements. We feel we have good representation from our broker, and many of the requests the insurer has made - such as dual-factor authentication on phones - benefitted us. Unlike some other forms of insurance, we feel our incentives are aligned with our insurer – avoiding a breach at all costs. Having another set of eyes looking over our shoulders and giving us feedback is a good thing.
Andrew: In terms of outsourcing cybersecurity procedures and responsibilities, what is your experience and what would you recommend or warn against?
Eric: “Outsourcing” is a word we try to avoid when it comes to cybersecurity. We use all the resources we can get – from third parties like our technology vendors or our custodian – but we know we’re ultimately responsible.
We have found that many of the third parties do try to scare you into action or make cybersecurity sound so complex that we can’t do without their expertise. While we agree that it’s a complex subject with many intricacies, at its core it’s still just security – protecting client data. With our investment clients, we work to align incentives – making sure we’re correctly incentivised for managing their accounts. The same is true for our vendors: if you find ones that have the same security incentives that you do, the relationship will prosper.
Andrew: Going forward, what are the main areas of cybersecurity you’d like to see progress or focus on in 2023?
Eric: I would like to see more focus on bringing the client – the end user – into focus. The client base in the financial services industry stretches from very sophisticated corporations to individuals ranging from young people with solid technological knowledge to retirees who distrust almost all technology, and everything in between. While there are lots of options, from encrypted emails to client portals, that itself is the problem. “Another portal that I have to create and memorise another password?” is something we often hear. Finding ways to streamline while still protecting clients is the holy grail in my opinion.
When it comes to cybersecurity the question is always “what have we missed?” There’s always something new coming at us. It’s a constant challenge, but that’s not a bad thing, because it makes it interesting, and has a worthy goal: protecting client data.