Interview: managing cyber security – should the goal be prevention or detection?

Fund Operator talks to Puneet Kukreja, a Partner, Risk Advisory at Deloitte, about why cybersecurity needs to be one of the highest priorities when doing business.

clearpat POSTED ON 9/10/2019 6:58:52 PM

This excerpt was taken from a roundtable discussion looking at how to successfully accomplish outsourcing or in-sourcing in an organisation.

You can read the full article in the research report Fund Technology, Data and Operations, APAC 2018 here.

Fund Operator: What priority does cybersecurity have as a risk to be managed for fund managers/asset owners?

Puneet Kukreja: Because of the risks that the digital channels inherently present and given that most of the channels of engagement are digital and online, cybersecurity needs to be one of the highest priorities when doing business.

What is coming to light is that the areas of investment have been quite low from a fund manager perspective because they have not been something that was considered as part of their normal business operations.

"Cybersecurity needs to be one of the highest priorities when doing business"

However, it should be of the highest priority now given the risk profile of digital use of assets, portals and how money and finances are now being transacted and transferred.

Fund Operator: Why has there been a lack of investment in cybersecurity? Is it lack of awareness or are there other considerations that are factors?

Puneet: There are multiple factors that need to be considered when investing in cybersecurity. It was until now considered a technology-enabled risk, where the investment in cyber was managed by the technology functions.

The investment contribution does depend on the maturity of the organization. The banks, for instance, do not believe that this area requires less investment.

But when it comes to other areas like fund managers, investment managers and insurance companies that look at cybersecurity with a risk lens, they can take the view that if nothing has happened to them up until now, it most likely won’t.

"With the high-level attacks that have happened recently, there is knowledge and a greater awareness and understanding"

Understanding the risks that cyber presents is now gaining momentum, and with the high-level attacks that have happened recently, there is knowledge and a greater awareness and understanding.

Investment into cybersecurity has been low so far because organisations have felt protected. And that is because they don’t know if they have been compromised. Given that most organisations that have not invested in cybersecurity will not have the required vigilance controls in place, they would not have known that they had been compromised without a data breach being published.

Fund Operator: How should fund managers/asset owners consider cybersecurity risks from an operational perspective?

Puneet: An organization’s operations perspective will depend on their understanding of cybersecurity risk and how they manage it. There are various approaches from insourcing to outsourcing, or a hybrid of both.

If the function is insourced, the questions to consider include whether the investment has been on vigilance technologies compared to securing their infrastructure.

Has all the investment gone into the classic controls of securing the networks and infrastructure, patching and quality compliance, versus outsourcing? If so, the funds would be more likely spent on keeping the infrastructure up, as opposed to keeping the service secure.

"An organization’s operations perspective will depend on their understanding of cybersecurity risk"

The operational decisions will depend on the model of IT management as well as how old the contracts are in an outsourced environment. It could also depend on how mature the infrastructure security component is in an insourced environment.

Other considerations include whether management takes a classic view of the world of infrastructure, with Application Programming Interfaces (APIs) through which the data gets transferred, or whether the organisation has the new look of digital, the Internet of Things (IoT) and a data lens.

If the organization views operations from a data lens or a digital lens, their approach to cybersecurity will be different compared to compliance to policy, patch management, reports on vulnerabilities and leaving security at a very 101, infrastructure-only level.

Fund Operator: What are some of the factors to consider when deciding between insourcing versus outsourcing or a hybrid model?

Puneet: There are five areas that we have been working on with a number of clients as to how best to change your outlook from an infrastructure-only view of security to a data lens and digital lens.

  1. If you decided to use a data lens, you would need to understand the life cycle of your data and have a keen eye on the creation and usage of that data. This is where third parties would come in, along with your extended enterprise. The third party risks then become your risks, and so you have to ensure that those third parties are secure and in line with your policies.
  2. If you are using the data lens model you also need to ensure that appropriate controls are in place from a data leakage prevention perspective, and then you add the data lens onto it. This is about cloud enablement.
  3. If you are then using a data and a digital lens and the data is going into the cloud outside the third parties, then you need to address how you secure your cloud infrastructure and software applications that are in the cloud.
  4. If you are going into Office 365 for instance, you would have additional controls that would provide security for the data that is being transferred and transmitted into the cloud. But if you are also starting to use Microsoft Azure as your hosting platform, you need to ensure that there is cloud security implemented for infrastructure in the cloud.
  5. For third parties there is the data lens, the need to secure the cloud infrastructure, and the need to know what reporting you are doing in a hybrid model where you are not completely storing your data in the cloud and still have some elements in house which are accessible by third parties.

In a scenario like this, you need to be ready to respond to an incident should one happen. This means being sure you have actually articulated the roles and responsibilities for a cyber incident and mapped it and linked it back to your normal Business Continuity Plan and Disaster Recovery processes.

Fund Operator: What role does the human facing side play in this?

Puneet: The human element is important, but the accountability and responsibility for cybersecurity still rests with the organisation, i.e. the fund managers and asset managers. They need to take responsibility and account for how they are protecting their customers’ data, as well as determining who owns the data.

From a user perspective, there is a lot of discussion around awareness of what rules and controls are in place. The reality is you can have a trusted insider with the right level of access who still goes in and undertakes a breach. This concept of ‘trusted insider’ then needs to be considered.

"What would you do if you had a third party that goes and perpetrates an attack because you gave them the rights to do it?"

Unfortunately, not too many organizations feel that the ‘trusted insider’ threat is real. But as we go into Industry 4.0, where everything is digital and information is everywhere and accessible all the time, the insider threat does become real.

Of course you can tell employees not to click on certain phishing email links, which does help to control risk, but what would you do if you had a third party, with all the contractual elements in place and access to your data assets, that goes and perpetrates an attack because you gave them the rights to do it? The person who needs to be monitored in this case is the ‘trusted insider’.

Fund Operator: Are clients planning for their response in the event of a significant cybersecurity breach and what does this look like?

Puneet: Organizations tend to feel that a cybersecurity response is uniquely different to a normal incident. It does have unique features, because a cyber incident is all about containment and stopping a breach from occurring. It however requires being on the front foot of what you understand the breach to be and having a strong communication plan.

A normal incident is about service restoration. In a cyber incident, restoring the service is key, but it is also about determining how deep the cyber-attack goes. This is where your vigilance on how much you know about your organization comes in, and figuring out whether the attack is just to disrupt your service, or destroy your data.

"In a cyber incident, restoring the service is key, but it is also about determining how deep the cyber-attack goes"

A cyber incident response as an activity needs to be an extension of your Disaster Recovery activity and your Business Continuity Plan activity, and it should not be looked at in isolation.

In the event of a cyber incident everyone should know their places, whom to communicate with, and should have practiced the well-established protocols so that they know when to call in a cyber incident. The Board and the Executives also have to be across these protocols.
