Many Asset Management companies are relatively small firms, yet they carry a large risk profile that makes them a prime target for cybersecurity threats. These companies, like all others, need basic blocking-and-tackling security measures in place as a solid foundation for thwarting and detecting these threats:
- Periodic penetration testing of your resources and applications: both those exposed to the Internet and internal
- Security awareness training, in particular on phishing (email links) and vishing (phone call solicitation)
- Software and hardware version management: i.e., keeping things up to date
- Antivirus technology that is always enabled and constantly updated
- Password management and multi-factor authentication
- Backup strategies that are frequent, automated, ongoing, and regularly tested
- Ongoing event monitoring (e.g. SIEM-type functionality) and regular network environment vulnerability scans
Most Asset Management companies have a small and exceptionally competent IT and security staff, who often have to outsource to satisfy ongoing IT and security demands such as external and internal penetration tests, web application testing, and regular compliance or compliance-like audits.
Some of the more common issues we have seen across Asset Management companies include:
- Having generic policies and procedures that have not been tailored to their specific environment, including specific demands of their third-party providers
- Critical hosts running out-of-date software and missing patches
- The inability to enforce or audit policies and procedures because of limited staff
- Untimely remediation of threats identified from network and web application penetration tests or scans
One of the growing needs, which in some cases is now becoming a legal requirement, is to have a strong cybersecurity program. This includes management of third-party service providers that have access to, process, or store personal or regulated data. In the past, a fair amount of the management and identification of sensitive data held by third-party providers has flown under the auditing radar, but that is very quickly becoming a thing of the past due to initiatives like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In addition, the New York Department of Financial Services Cybersecurity Regulation requires financial services companies to establish and maintain a risk-based cybersecurity program and supporting capabilities.
In today's ever-changing environment of threats and regulatory statutes, Asset Management companies need to worry about cybersecurity threats just as much as very large banks and financial institutions do.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.