
WannaCry? WannaRun, WannaHide!
Managing Cybersecurity Risk

June 7, 2017  | by David Young, Brian Rondeau

Industry Knowledge | Risk Management

Over the last year there has been no shortage of things to keep investors, asset managers, and risk managers concerned. Despite these exogenous shocks, most equity markets have continued to shake off such events, with measures of volatility remaining muted. There are always additional risks lurking, and the WannaCry ransomware attack highlighted one of the largest.

The WannaCry cryptoworm, launched in May 2017, exploited a vulnerability within Windows to remotely lock computers and demanded Bitcoin payment to unlock them. The vulnerability was first found by the U.S. National Security Agency, which chose to exploit the weakness for its own use instead of reporting it to Microsoft. Hackers released the vulnerability data in a breach of the NSA's own servers, allowing Microsoft to issue a critical patch. An estimated 230,000 computers in 150 countries had already been infected.

Cybersecurity is an increasingly important risk. In the past, due diligence trips to managers and vendors would focus on investment and operational process, depth of team, compliance, and risk management, and would touch on a firm's infrastructure and business continuity plan. Today, an increasing amount of time is spent understanding a firm's data and systems as well as the policies and procedures in place to protect them. Financial market regulators are paying similar attention to cybersecurity readiness.

An organization can best defend itself from threats like the WannaCry worm by implementing the four elements of an information and cybersecurity plan described below.


Identify

It is imperative that organizations of all sizes seek to identify their most critical and sensitive information in order to construct stronger defenses around those "crown jewels." While a unified, standard approach to security for all data and systems may sound appropriate, organizations may be misallocating resources by over-securing lower priority elements and under-protecting the most vital information. Classification and prioritization of key data is essential to implementing controls that are commensurate with the risk severity and the level of potential impact to the business. Outside resources can be used to augment the efforts of internal management and information technology personnel in auditing and monitoring this process and its results.

Plan

A proper information security policy should be developed collaboratively and focus on the following areas: people and policy security, operational security, a secure Software Development Life Cycle (SDLC), physical security, third-party relationships, network security, platform security, and application security. Implementation and enforcement of these policies and procedures require defined processes for effective dissemination, ensuring that they are understood and available at all times, while enforcing compliance through audits and potential disciplinary actions.

Protect

Once an organization has identified its crown jewels and put a plan in place for securing them, the next step is executing the plan. The focus is on people, process, and technology. Insufficiently trained personnel are often the weakest link in an organization's security perimeter and are the target of sophisticated social engineering attacks. It is crucial to provide adequate security awareness training to all new hires, as well as ongoing training to current employees. Process encompasses the day-to-day operational and technological steps that an organization takes, forming the intersection point of planning and testing. Some of the practices involved include third-party risk management, compliance and audit, asset management, monitoring and operations, and vulnerability and patch management. The technological environment within an organization itself needs to be built securely. Secure network design, secure builds, authorization, and malicious code prevention help to create the proper backbone for security.
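The Identify section above argues for classifying assets so that controls match risk, and the Protect section names vulnerability and patch management as a core practice. The following script, added here as an illustration and not code from Commonfund or the authors, ties the two together: it scores each asset by sensitivity and business impact, derives a control tier (tier 3 being the "crown jewels"), flags assets whose actual controls are above or below their tier (the misallocation the text warns about), and lists assets still missing a critical patch in tier order against a per-tier patch deadline. The inventory, the scoring thresholds, the SLA values, the dates, and the patch identifier are all constructed placeholders; the page gives no patch number, so none is used.

```python
from dataclasses import dataclass
from datetime import date

# Placeholder identifier for the critical patch. The page gives no patch
# number, so this is NOT a real Microsoft bulletin or KB id.
CRITICAL_PATCH = "PATCH-CRITICAL-PLACEHOLDER"
PATCH_RELEASED = date(2017, 3, 15)   # constructed release date, illustration only
AS_OF = date(2017, 5, 15)            # constructed "today" for the report

# Maximum days an asset in each tier may run without the critical patch.
# Constructed SLA values; substitute your own policy.
PATCH_SLA_DAYS = {3: 7, 2: 30, 1: 90}


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int          # 1 (public) .. 5 (most confidential)
    impact: int               # 1 (nuisance) .. 5 (business-threatening)
    control_level: int        # 1 .. 3, strength of controls actually applied
    installed_patches: frozenset


def required_tier(sensitivity: int, impact: int) -> int:
    """Map a sensitivity x impact score (1..25) to a control tier 1..3.

    Tier 3 assets are the crown jewels; the cut-offs are constructed.
    """
    for value in (sensitivity, impact):
        if not 1 <= value <= 5:
            raise ValueError("sensitivity and impact must be in 1..5")
    score = sensitivity * impact
    if score >= 16:
        return 3
    if score >= 8:
        return 2
    return 1


def control_gaps(assets) -> dict:
    """Find misallocated controls.

    'under_protected' assets carry weaker controls than their tier requires;
    'over_secured' assets carry stronger controls than their tier needs, i.e.
    effort that could be redirected to the crown jewels.
    """
    under, over = [], []
    for asset in assets:
        tier = required_tier(asset.sensitivity, asset.impact)
        if asset.control_level < tier:
            under.append(asset.name)
        elif asset.control_level > tier:
            over.append(asset.name)
    return {"under_protected": under, "over_secured": over}


def unpatched(assets, as_of: date) -> list:
    """List assets missing the critical patch, highest tier first, noting
    whether the tier's patch deadline has already passed."""
    days_since_release = (as_of - PATCH_RELEASED).days
    rows = []
    for asset in assets:
        if CRITICAL_PATCH in asset.installed_patches:
            continue
        tier = required_tier(asset.sensitivity, asset.impact)
        rows.append({
            "asset": asset.name,
            "tier": tier,
            "days_since_release": days_since_release,
            "overdue": days_since_release > PATCH_SLA_DAYS[tier],
        })
    rows.sort(key=lambda row: (-row["tier"], row["asset"]))
    return rows


# Constructed sample inventory; these are not real systems.
INVENTORY = (
    Asset("client-records-db", 5, 5, 3, frozenset({CRITICAL_PATCH})),
    Asset("trading-gateway",   4, 5, 2, frozenset()),
    Asset("hr-fileshare",      4, 3, 2, frozenset()),
    Asset("marketing-site",    1, 2, 3, frozenset({CRITICAL_PATCH})),
    Asset("lobby-kiosk",       1, 1, 1, frozenset()),
)

if __name__ == "__main__":
    print("control gaps:", control_gaps(INVENTORY))
    for row in unpatched(INVENTORY, AS_OF):
        print("unpatched:", row)
```

Run as a script, the report shows the trading gateway as both under-protected and overdue for the patch, the marketing site as over-secured relative to its low score, and the lobby kiosk as unpatched but still inside its 90-day window. The point of tiering the patch deadline is that the same missing patch is a different risk on a crown-jewel system than on a kiosk, which is exactly why classification has to precede control selection.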

Test

Even with the strongest protections in place, the continuous stream of real-world attacks means that eliminating every threat is virtually impossible. Third-party specialists are engaged for their expertise in stressing systems and identifying weaknesses. Vulnerability assessments broaden and deepen awareness of threats, attacks, vulnerabilities, and the effectiveness of existing controls. Penetration testing is the practice of probing a computer system, network, or web application to find security weaknesses that an attacker could exploit. These assessments and tests should be conducted on a recurring basis, with the frequency dependent on the risk tolerance of the system being addressed. Organizations should conduct table-top exercises and regularly test their incident response, disaster recovery, and business continuity programs internally. Regular and routine phishing tests aimed at employees strengthen awareness and mitigate social engineering risks.

Cybersecurity risk is real. Organizations that can properly leverage internal and external resources to identify their crown jewels, put a comprehensive security plan in place, protect their data and systems through sound execution, and continually test and improve their defenses are most likely to remain unharmed. Institutions should seek the same rigorous security approach from each entity with which they conduct business. The threat landscape is always evolving, and organizations that fail to evolve with it will eventually be exposed. Despite best efforts and intentions, people remain the biggest risk. Educating employees is paramount. As an information security officer from a global asset manager stated in a recent diligence meeting, "you can't patch stupid or careless."

Authors

Brian Rondeau is a member of the Risk Management team and is responsible for the due diligence process of external managers, vendor risk and counterparty credit risk. Prior to joining Commonfund, he was Vice President – Risk at Harvard Management Company where he led a team responsible for counterparty credit risk as well as investment risk on Harvard’s illiquid asset class portfolios. In addition, Brian was involved in liquidity risk management, managing HMC’s banking relationships and analysis related to sustainable investing at Harvard. Prior to Harvard, he spent four years with RBS Greenwich Capital in risk roles analyzing financial institutions and the asset-backed finance business. Brian is a Chartered Financial Analyst and member of the CFA Society Stamford. He earned a B.A. from Columbia University.
Brian Rondeau
Managing Director, CFA


Disclaimer

Information, opinions, or commentary concerning the financial markets, economic conditions, or other topical subject matter are prepared, written, or created prior to printing and do not reflect current, up-to-date, market or economic conditions. Commonfund disclaims any responsibility to update such information, opinions, or commentary. To the extent views presented forecast market activity, they may be based on many factors in addition to those explicitly stated in this material. Forecasts of experts inevitably differ. Views attributed to third parties are presented to demonstrate the existence of points of view, not as a basis for recommendations or as investment advice. Managers who may or may not subscribe to the views expressed in this material make investment decisions for funds maintained by Commonfund or its affiliates. The views presented in this material may not be relied upon as an indication of trading intent on behalf of any Commonfund fund, or of any Commonfund manager. Market and investment views of third parties presented in this material do not necessarily reflect the views of Commonfund and Commonfund disclaims any responsibility to present its views on the subjects covered in statements by third parties. Statements concerning Commonfund’s views of possible future outcomes in any investment asset class or market, or of possible future economic developments, are not intended, and should not be construed, as forecasts or predictions of the future investment performance of any Commonfund fund. Such statements are also not intended as recommendations by any Commonfund entity or employee to the recipient of the presentation. It is Commonfund’s policy that investment recommendations to its clients must be based on the investment objectives and risk tolerances of each individual client. 
All market outlook and similar statements are based upon information reasonably available as of the date of this presentation (unless an earlier date is stated with regard to particular information), and reasonably believed to be accurate by Commonfund. Commonfund disclaims any responsibility to provide the recipient of this presentation with updated or corrected information. Past performance is not indicative of future results. For more information please refer to Important Disclosures.
