Money Market Funds
Operations and Technology
Adapting to the Rapidly Evolving Cybersecurity Environment
By Todd Bernhardt
June 6, 2014
Because external hackers typically try to “look like an insider” when attempting to penetrate IT systems, “every cyberattack is likely an ‘internal’ attack,” according to Mark Clancy, managing director of technology risk management at the Depository Trust & Clearing Corporation (DTCC). He gave this advice, and more, as part of a panel at ICI’s Operations and Technology Conference, which ran concurrently with the Institute’s General Membership Meeting in May.
Joining Clancy on “The Evolving Cybersecurity Environment: An Operations and Technology Perspective” were Jason M. Weinstein, partner at Steptoe & Johnson, who moderated the panel; Carl W. Herberger, vice president for security solutions at Radware; and Brandon Hines, manager of information risk and security at Dimensional Fund Advisors.
Something to CHEW On
Clancy led the discussion by introducing the acronym CHEW, which indicates the four basic types of threats that cybersecurity experts must face: criminals, “hacktivists,” espionage, and war.
While criminals exist in every country and are focused on making money, hacktivists have other motivations, including the opportunity to publicly protest—or take revenge against—the organizations they target. Both groups are large in number, with hacking skills that range from basic to advanced.
Espionage includes private organizations or governments spying for their economic benefit, while war includes countries—or even non-state actors, such as terrorist groups—seeking to disable infrastructure or capabilities. The number of countries with these capabilities is relatively small, but growing, as is a larger array of “supported” or “tolerated” groups that act with implicit state sponsorship.
Decreased Costs, Increased Vulnerabilities
Herberger looked at trends in cybersecurity, including how the move to open-source software and the “cloudification” of technology—which have reduced costs for organizations—have increased vulnerabilities.
In addition, he said, “Attacks are no longer ‘single-threaded’—they’re multi-vector, availability-based attacks that can overwhelm systems” because multi-vector attacks force an organization’s security software to spend time evaluating all threats when only one is real.
Hackers rely on the fact that the majority of attacks take minutes to compromise a system, but can take hours, days, or months to discover and defeat. “Bad guys know that the tools you use have gotten pretty good—but they take time,” he explained. “During that time, they can do what they need to do.”
Getting Out in Front of Threats
In his introductory remarks, Hines acknowledged the threats while focusing on the positive, saying “there are practical strategies...things we know better than the people outside. We’ll never be smarter than all of them, but we know company assets and processes better than they do, so we can get out in front of them and build reasonable security measures to protect against them.”
He also emphasized that though it’s important for company employees to know how to avoid or respond to threats, it’s also critical that organizations “examine processes that are prone to failure or easily exposed to bad actors.” Clancy agreed, adding that “a lot of business processes evolved from the paper age—you’ve got to examine and update them so they’re appropriate for the interconnected digital age.”
Mapping Out Risks
Weinstein quizzed the panel about the risks of “interconnectedness,” which he said potentially means “you have to be worried about vendors, partners—even clients. Their platforms could be used as a launching pad for an attack on yours. How can you protect against this?”
Herberger led off, explaining that cybersecurity professionals have to be concerned about risks that could accompany three macro-level trends:
- cloudification, which increases risks by placing you next to other unknown “tenants” on shared servers;
- the rapidly expanding mobile environment, which includes not just cell phones, but the burgeoning “Internet of things” (the connection of everyday objects to the Internet); and
- software-defined networking, “which changes everything about how we inspect our network and the people who come to it.”
Hines agreed, saying that organizations should identify which critical resources are outsourced, and map out the risks. He and Herberger recommended reviewing contracts with service providers to ensure that security requirements are spelled out, and that there are processes for communicating about and addressing risks and attacks.
“You have to know who’s attached to you and why,” explained Clancy. Citing the security breach at the retailer Target, where hackers gained access to the company’s IT system through a vendor account, he asserted that “you need to rethink your environment and act proactively, before you get attacked and have to retool everything.”
Plan, Test, Train—and Adapt
The panelists agreed that having incident-response plans and testing those plans are essential cybersecurity measures. Hines pointed out that it’s key to engage all parties involved (internal and external, on both the IT and business sides) in planning and testing, while Weinstein added that it’s essential to include your legal counsel in planning and to work with law enforcement if any security breaches do occur.
Herberger warned that organizations can’t take a “set it and forget it” approach to planning—instead, they should “constantly monitor and update plans, to be able to keep up to date with evolving technology and macro-level trends.”
“Look at it like war,” Clancy concluded. “When things don’t go according to plan, you fall back on your training. If [that training] is good and extensive, then you’ll be able to flexibly and capably respond to an ongoing attack.”
Todd Bernhardt is senior director of public communications at ICI.
SEC Chair White Stresses Need for FSOC to Consult Sources for Necessary Expertise
By Rachel McTague
May 22, 2014
Securities and Exchange Commission (SEC) Chair Mary Jo White today called for the U.S. Financial Stability Oversight Council (FSOC) to use outside expertise to the degree necessary in its process of designating systemically important financial institutions (SIFIs). She asserted that it is “enormously important for FSOC, before it makes any decision of any kind, to make sure it has the necessary expertise on any of those issues.”
Updated FICCA Framework Makes Auditing Omnibus Accounts Easier, More Efficient
By Kathy Joaquin
January 27, 2014
Many financial intermediaries—such as broker-dealers, financial advisers, and retirement plan recordkeepers—provide services to fund shareholders and maintain customer account information on their own recordkeeping systems. Fund sponsors, in turn, want to ensure that intermediaries are meeting their obligations in servicing fund shareholders, and so, have been seeking oversight tools that allow them to do this efficiently and effectively. ICI recently took steps to improve one of the critical oversight tools available to the industry, through a major update of the Financial Intermediary Controls and Compliance Assessment (FICCA) engagement framework.
FASB Proposal to Change Accounting for Investments in Funds
By Gregory Smith
May 17, 2013
The Financial Accounting Standards Board (FASB) recently released a proposal that will change how corporate investors in funds report changes in the fair value of their investments in earnings.
TOPICS: Operations and Technology
An Operations Issue to Watch: Shortening the Settlement Cycle
By Martin A. Burns
November 15, 2012
Should the time between the execution of securities trades and settling payment be reduced in U.S. markets? The Depository Trust & Clearing Corporation (DTCC)—the financial industry utility that processes securities transactions, including those for the fund industry—has recently delved into this question, aided by a study from the Boston Consulting Group (BCG). The study examines the costs of moving to a shortened settlement cycle and the time it would take to pay off those costs given the potential savings from operational and efficiency gains.
Paper Concludes Amortized Cost Is Appropriate for Money Market Funds
By Gregory Smith
November 2, 2012
A recently released paper examines the use of amortized cost by money market funds and concludes that its use is appropriate given the short-term, high-quality nature of these funds’ investments. The paper also discusses how use of amortized cost is well supported by more than 30 years of regulatory and accounting standard-setting consideration. Author Dennis R. Beresford is the Ernst & Young executive professor of accounting at the J. M. Tull School of Accounting, Terry College of Business at the University of Georgia. Beresford served as chairman of the Financial Accounting Standards Board (FASB) for more than ten years.
Avoiding Disclosure Overload in Fund Financial Statements
By Gregory Smith
September 28, 2012
Shareholders of SEC-registered investment companies regularly receive detailed financial statements, a key part of the disclosure regime that produces transparency for fund investors.
Money Market Fund Redemption Restrictions Would Drive Investors and Intermediaries Away from Money Market Funds
By Kathleen Joaquin
June 21, 2012
If you’re like most investors, money market funds mean stability, liquidity, and convenience.
Yet, some of these hallmark features could become a thing of the past if the Securities and Exchange Commission (SEC) imposes redemption restrictions on money market funds.
How would these redemption restrictions work?
The SEC’s contemplated redemption restrictions would essentially deny investors full use of their cash by escrowing a portion of a shareholder’s money market fund account on an ongoing basis. In the unlikely event that the fund breaks the dollar, the restricted shares would then be used to absorb first losses.
Rulemaking Must Reflect Realities of Funds’ Access to Shareholder Information
By Kathleen Joaquin and Tamara K. Salmon
April 30, 2012
We are seeing a troubling development in Washington. In high-profile areas such as money market funds and anti–money laundering measures, regulators continue to pursue rules premised on the notion that mutual funds know or can obtain detailed information on each of their underlying shareholders.
PCAOB Must Demonstrate Need for Mandatory Audit Firm Rotation
By Amy Lancellotta and Gregory Smith
December 22, 2011
The Independent Directors Council (IDC) and the Investment Company Institute (ICI) oppose requiring a mandatory rotation of audit firms as detailed in a concept release from the Public Company Accounting Oversight Board (PCAOB).
Switching to International Accounting Standards Wouldn’t Likely Benefit U.S. Fund Investors, ICI Tells SEC
By Gregory M. Smith
June 14, 2011
A key issue for ICI’s Operations team is regulator interest in harmonizing worldwide accounting standards. As Donald Boteler, ICI’s Vice President for Operations and Continuing Education, said in ICI’s latest annual report, “It’s a noble purpose, but it’s a big, big challenge.”