By Lisa McLaughlin
Heartbleed, trickle attacks, spear-phishing, Poodle and Bash and, most recently, Ghost – oh my! Since 2014, it’s been a colorful time for security professionals and regulators alike.
As new online attacks and corporate data breaches continue to make news headlines, more sophisticated malware development, financial fraud, keystroke logging, file stealing and illicit data mining are being carried out daily by today’s new breed of cyber-adversaries.
Banking, insurance and other financial records have long been treated with high levels of confidentiality. The priority in the financial sector specifically is now to ensure security, since cyber fraud can target sensitive information about an individual’s accounts, transactions, SSN-level activity, driver’s license or credit history. Once breached, this data can easily be packaged, sold and then resold on the dark web. Of course, adversaries are known to brag about their accomplishments, which means your private information may then be made public.
SS&C is a publicly traded financial software and services company with a $5.1 billion market capitalization and a presence in several markets, including financial and fund companies. As an organization that may handle, store, process, transmit or deliver confidential information about our customers, our employees and our own business, and because of the important role such information plays in our operations, as well as our legal and business obligations to our clients and others, we aim to provide robust and comprehensive security for all such information in our possession.
To keep up with an ever-changing threat landscape, we recommend that you start by knowing the business you’re protecting and knowing the risks associated with it. Work with your user community regularly, get to know their behavior, their processes, their know-how and, most importantly, where your data flows. Knowing where your data is at all times: this is key to understanding your risks.
At SS&C Technologies we know the investment management industry is very dynamic, with millions of customers, products and services – and the lifeblood of this large, fragmented and competitive industry is data. The capture, processing, rendering and delivery of such data have inherent risk elements that require a very thoughtful, pragmatic and effective security system. Furthermore, organizations need to constantly reinvest in processes, technology and strategic approaches.
We work closely with our client base around the globe on best practices for a large number of organizations in the financial sector, among them fund administrators, institutional investors and capital markets participants (DB, advisors, PE and FI), with an emphasis on security laws and regulations and an understanding of the legal requirements that apply where the responsible transfer of data is concerned. Here are some notes on the best practices we employ when correctly and securely processing sensitive information:
We gather intelligence through our own monitoring mechanisms and through third-party materials such as white papers, vendor advisories and technical standards. We believe that up-to-date knowledge of trending threats is vital for establishing a security strategy and understanding the significance of threats.
While there is a broad range of free information available on the Internet to help you understand the threat landscape, there is also a dizzying array of tools out there to assist in addressing these threats. Pay attention to high profile attacks; learn from the companies that were breached. What were their mistakes and weaknesses, and what did they learn?
In terms of advisories, white papers, security updates and patches – for every asset type you have such as laptops, firewalls, routers or switches, it’s in your best interest to sign up for communications from their vendors. Security patches and updates are free, so PATCH, PATCH and PATCH away.
In the course of running your business, there may be a case to use third parties for services such as shredding, destruction or backup and recovery services. In order to reduce the likelihood of unforeseen disclosure, take a risk-based approach when using third-party suppliers. Focus on protecting assets and data privacy and always take into account the location of at-risk data, which may include information that belongs to your clients or employees.
To bolster the best practices described above, SS&C maintains, and in its best efforts to seek the highest level of security implements, what it considers to be industry-standard or better security measures to assure the confidentiality (C), integrity (I) and availability (A) of information while it is being stored, processed or transmitted by SS&C. These security measures are commensurate with the information’s sensitivity and value.
- Confidentiality: Retain customers’, employees’, and investors’ information and keep their data secure
- Integrity: Restrict access to sensitive data to authorized users
- Availability: Sensitive data should only be accessible as needed by authorized users; consider this when using third parties or engaging in any business relationship between your organization and another entity
Where arrangements involve third-party access to your organization’s facilities and information assets, you need to define the terms and conditions of that access in a formal written agreement. These written agreements should include contractual obligations binding the third party (vendor, supplier) to comply with your organization’s policies and procedures. Legal counsel and your security team should be able to identify the requirements for any specific controls that should be placed within the agreement.
At a minimum, you should also incorporate the following reasonable security and privacy language:
- Data/information handling, protection and privacy requirements
- Confidentiality provisions
- Physical and logical control
- Arrangements/provisions for reporting and investigation of security incidents
- Escalation procedures
- The right to audit contractual responsibilities
- Breach notifications
In addition to the notes above, for assessing and managing the risk associated with third-party relationships, the OCC has set forth guidelines for national banks, one of the most stringently regulated sectors in the U.S., in its bulletin 2013-29: http://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.
Remember that, whatever the term of a third-party engagement, it’s vital that you review the relationship frequently. Review your vendors, third parties and suppliers by running risk assessments past your information security professionals at least annually. If your contracts have auto-renewed, start by conducting your due diligence immediately. Even consider creating your own custom questionnaire.
Never forget that if a third party with which you have a written agreement, and which has access to your data, should suffer an unfortunate breach, then your data, your clients’ data or your employees’ data may also have been breached. Yikes! The take-away here: protect yourself!
The National Institute of Standards and Technology (NIST), whose guidance is aimed at helping federal agencies and other organizations in and out of government incorporate proper security and privacy controls, is currently revising its guide on security controls. It’s expected that the new guide will assist organizations in developing deeper controls by creating an efficient assessment plan that reinforces the principle of continuous monitoring.
At SS&C, we employ multiple approaches to cover the spectrum of risk areas. We rely on adjustments, predictions, modifications, periodic evaluations and reevaluations to ensure and maintain the right security for your business. To that end, we constantly reinvest in your processes and technology to enhance your security.
As the risks continually evolve, remember that reinvesting in security will enable you to maintain the necessary controls and procedures that are critical to your confidential information remaining safe and secure.
The views expressed herein are those of the author and do not necessarily reflect those of SS&C.