Ativo Capital

Rigorous Thinking

Financial and economic commentary reflecting Ativo’s world view:

Seven Principles for Managing Cybersecurity

Friday, February 13, 2015


Emerging Manager Monthly published our article on Cybersecurity in their February 2015 issue:

Cybersecurity has become one of the hottest topics in the asset management industry. Not a week goes by without dire notices of new security vulnerabilities. The SEC announced a major cybersecurity initiative this past April, with subsequent bulletins and news releases drawing ever-increasing attention to the topic. Our inboxes are filled with cybersecurity articles and webinar announcements, produced by hordes of consultants peddling expensive solutions.

Yes, cybersecurity presents enormous risks and clearly warrants attention as a critical priority. But it also has the potential to become yet another bottomless pit, draining ever-increasing amounts of staff productivity, management attention, and cash. So what’s a rational, responsible, practical approach for an emerging manager with finite resources?

First, it’s important to understand that cybersecurity means different things to different people. A technology manager may think in terms of service disruptions and network breaches, while a CCO considers regulatory checklists and industry guidelines. A CEO would probably prefer to focus elsewhere but needs to be concerned about anything that threatens the health, well-being, and viability of the business. An effective approach needs to incorporate all of these perspectives, at the same time recognizing and mitigating the unanticipated consequences of our policies.

Like most other emerging managers, Ativo Capital has struggled with these issues for years. We don’t claim to have the perfect answer. In fact the “right answer” keeps changing, since the solutions that were appropriate for a firm with $150 million in assets under management in 2009 are distinctly inadequate for a firm approaching $1 billion in assets facing 2015-level threats. Even so, there are a number of key principles that we believe apply across a broad spectrum of emerging managers. Here’s our list:

1) Cover the basics. With the prevalence of current threats, there’s no excuse for lacking basic defenses, such as robust password policies, current antivirus software, and a properly configured firewall. In addition, current updates/patches are essential for virtually every system.

2) Protect mobile platforms. Mobile computing—which, in our definition, encompasses laptops, smartphones, telecommuting, and the security of offsite backup media—brings multiple threats. Although it may be tempting to retreat to a highly fortified onsite network, today’s business requirements make this either difficult or impossible. A detailed discussion of mobile security is beyond the scope of this article, but it is helpful to think in terms of three functions:

3) Understand your business environment and requirements. Not every asset manager has the same issues. A “quant shop” that monitors several thousand securities can’t tolerate even minimal system disruptions. On the other hand, a stock picker that follows a couple of dozen names can possibly continue operations for a short interval while technicians restore a broken system. Of course, any retail manager has access to confidential information (such as social security numbers) that requires special protection, and custody of client assets brings another set of security vulnerabilities. Furthermore, meeting regulatory requirements, including all relevant documentation, is clearly essential. In a world of multiple threats and scarce resources, you need to know what protections are most critical and structure your defenses accordingly.

4) Ensure your backups are adequate. Having a system backup is essential. But that’s only the first step; there are other important questions to address. For example, how frequently are backups created, and what’s the exposure to losing data between backups? Is there a demonstrated ability to restore the system from backup? How long does it take, and is the delay acceptable? What’s the plan if the firm’s physical facility is unavailable, both in terms of accessing backup media and activating backup systems?

  • Protecting against data loss, whether physical (lost phones, stolen laptops, or the discarded hard drive from someone’s old home-office computer) or virtual (data stolen by malware or siphoned from the public wi-fi network in a coffee shop, hotel, or airport);
  • Protecting both mobile and internal devices from malware or other unauthorized access, because a compromised mobile device becomes a potential access vector to the entire enterprise network;
  • Maintaining access to essential mobile services, keeping remote systems operational for those who need them.

5) Implement layered defenses. Breakneck expansion in the number and diversity of threats makes it a virtual certainty that any single defense will eventually let something through. Hackers have become increasingly quick to exploit newly discovered vulnerabilities, sometimes before the antivirus and firewall vendors are able to respond. Multiple layers of defense increase your odds of preventing or surviving attacks.

For example, consider the hurdles an emailed threat needs to surmount in order to penetrate a well-designed, layered system:

  • A spam filter on the mail server screens suspect messages,
  • The firewall blocks traffic blocks malware-related traffic,
  • Well-trained staff follow policies to avoid opening suspect emails,
  • Up-to-date system patches and antivirus prevent malware from activating,
  • Intrusion detection and traffic monitors identify unusual activity and alert staff to respond,
  • And finally, current, reliable backups allow prompt restoration to pre-infection system status.

Yes, threats can—and sometimes do—make it past multiple layers of defense. But the more layers you have, the better your chances of stopping them.

6) Always extend your vision. If you’ve signed up with a cloud backup service, investigate the provider’s backup policies and consider backups for the broadband capability you’ll need to restore from the cloud. You may be doing background checks on new employees, but think about conducting background checks on vendors, too. The multiplicity of virtual threats leads you to maintain multiple layers of virtual security protecting your network. However, don’t let this blind you to other dimensions, such as controlling access to the physical network—i.e., keeping the doors locked! No matter what measures you take, keep looking further and deeper, and keep asking yourself what you may have missed.

7) Focus on people. Every action you take gets implemented by someone. It’s not enough to just “have a policy.” Make sure that the members of your staff understand and follow it. For that to happen, the policy should be carefully designed, clearly stated, practical to implement, and consistently enforced throughout the organization.

Today’s cybersecurity involves evaluating and balancing the benefits and risks of multiple capabilities and technologies. Mastering cybersecurity may be complex, but it has become a critical competency for emerging managers.

– Dennis N. Aust, Deputy CIO and Directory of Research, Ativo Capital Management LLC