This article was written by Tom Cole, Managing Director - UK & Europe at Abacus Group, and originally appeared in AlphaWeek.
Alternative investment firms tend to be lean in headcount – yet they shoulder heavy workloads and great expectations. With investors and regulators increasingly looking towards these firms to deliver at the same level as organisations many times their size, their operational and security requirements closely reflect those of large-scale enterprises.
In this high-pressure environment, investment firms are becoming more reliant on expansive networks of third-party providers. These relationships offer undeniable commercial advantages, helping firms to efficiently handle their day-to-day operations and continue delivering strong returns to investors. However, they also expose companies to heightened cyber risks.
Now, as the industry prepares for sweeping new cybersecurity rules proposed by the Securities and Exchange Commission (SEC), it is more important than ever for organisations to understand and manage their security risks. The proposal requires firms to establish, maintain, and enforce comprehensive written policies and procedures concerning cyber risk – including third-party risks – in addition to disclosing all security incidents within a tight 48-hour timeframe.
Under this rising tide of regulatory scrutiny, firms must strengthen their vendor management programmes and take proactive steps to mitigate evolving third-party risks. At the same time, they should embrace the significant business benefits of these partnerships to maintain that all-important competitive edge. To achieve this, firms must find new ways to create value from risk.
For smaller investment firms needing to focus their headcount on front-office tasks, third-party networks offer a wealth of commercial and operational advantages. Outsourcing back and middle office operations empowers these companies to channel their time, energy, and resources towards core business activities that drive profitable growth.
However, having a broader network of third parties naturally expands the attack surface, creating more potential entry points for malicious actors. And the more partners, vendors, and suppliers that come on board, the harder it is for individual businesses to manage the risks. The dangers are particularly acute for investment firms, as the sheer volume of sensitive financial and personal data they hold – including information about investors, portfolio companies, trade positions and potential acquisitions – makes them highly lucrative targets for cyber-attacks.
According to last year’s PwC Global Digital Trust Insights Survey, less than half (40%) of organisations thoroughly understand their third-party cyber and privacy risks. The complexities of these interconnected relationships and networks can hide vulnerabilities in vendors’ security postures, making it difficult to identify and mitigate specific weak points. Investment firms may also lack the internal headcount to enforce rigorous cybersecurity oversight on third parties, resulting in limited visibility and control over their security practices.
Firms cannot secure what they cannot see. But visibility is less of a challenge for sophisticated cyber criminals, who are becoming increasingly skilled at filling in the gaps and exploiting the blind spots within the broader financial services ecosystem. Aware that many alternative investment firms are maturing their own cybersecurity postures, attackers are now singling out third-party vendors as the weak link in the chain – and subjecting them to supply chain attacks. Therefore, despite all security measures implemented by the firm, malicious actors can still target them by infiltrating their vendors’ weak points, patiently waiting for the opportune moment to launch a destructive attack.
Any cyber incident that occurs via a supplier, vendor, or partner organisation has the potential to impact multiple others, compromising sensitive data and creating a domino effect of negative consequences. Businesses need only look at headlines around high-profile hacks – from the Capita data breach to the attack on financial software supplier Ion Group – to appreciate the disruption such attacks can cause. Organisations across the supply chain were left fearing the potential compromise of sensitive data, or the introduction of undisclosed backdoors within their own software.
A single supply chain compromise can also trigger subsequent supply chain crises. For example, software provider 3CX was recently hit by a double supply chain attack, where the initial point of breach was malicious software nesting within an earlier supply chain incident – in this case, the compromise of a popular day trading app. Firms can no longer simply look out for number one – they must be hyperaware of the spectrum of ‘nth-party’ risks posed by their suppliers’ suppliers and so on.
All the while, tightening regulatory and compliance requirements are raising the pressure on firms. But when it comes to managing third-party risks, regulations should be looked at as friends, not foes.
The proposed SEC rules will require firms to adopt a comprehensive programme to manage and oversee their third-party providers, encompassing robust assessments of vendor and third-party risks. This requirement will help to shine a light on potential vulnerabilities and weaknesses within these complex networks. By going beyond the limitations of traditional due diligence questionnaires – which rarely give a true insight into a vendor’s security posture – investment firms will gain greater overall visibility and control over third-party environments.
Firms no longer have to develop their own interpretations of cybersecurity best practices – specific regulatory requirements can now guide them. These precise rules support organisations as they reduce their third-party risk exposure, ultimately helping them make more informed decisions about who they do business with.
Supported by regulations, investment firms can take proactive measures to strategically manage third-party risks – without sacrificing their competitive edge. Firstly, they must undertake a comprehensive due diligence process before establishing partnerships with potential vendors, carefully examining their policies, practices, and cybersecurity controls. This scrutiny should be a continuous practice as the relationship evolves and expands, allowing firms to stay vigilant and promptly address any changes in the vendor’s cyber risk profile.
Additionally, businesses should invest in the services of a vCISO (a virtual chief information security officer), whether internally or through a specialised provider. Having a designated expert with a deep understanding of the latest threats, trends, and technologies will help firms to identify and assess potential third-party risks, feeding into a more cohesive and holistic risk management strategy.
Security specialists should also continuously educate the C-suite on cyber and business risks, enabling firms to budget out costs for systems and processes that effectively manage third-party risk. These processes must then be seamlessly integrated into the organisation’s broader business operations and continuity plans.
Regular third-party risk assessments are another vital component of any robust vendor management programme. By conducting vulnerability scanning, penetration testing, and real-time monitoring of network traffic, firms can gain the end-to-end visibility they need to swiftly detect and respond to cyber threats. To strengthen their defences further, companies should establish a clear process for risk remediation, holding third-party providers accountable for taking corrective measures to mitigate identified risks.
As the financial, reputational, and compliance implications of a cyber-attack mount, every alternative investment firm should be conducting due diligence and implementing a strong vendor management programme. However, some may need help in assessing and effectively managing the full spectrum of third-party risks due to limited in-house capabilities.
This is when it becomes crucial to collaborate with a trusted provider with deep industry expertise and experience in the technological and regulatory complexities of the alternative investment landscape. The best partnerships will empower firms to establish mature and robust third-party risk management processes, incorporating regular due diligence and security best practice into their broader business operations. This enables firms to optimise their vendor relationships and confidently grow their connected networks without weakening their overall security posture.
Alternative investment firms now have the opportunity to take back control and shrink the security blind spots across the third-party ecosystem. By taking a multi-layered, holistic approach, organisations can not only mitigate third-party risks but also capitalise on these relationships to enhance operational and commercial performance.