Focus on Funds
Funds Expand Their Cybersecurity Fight
Funds are constantly tailoring their cybersecurity in response to the latest threats. In the January 25, 2019, edition of Focus on Funds, Ellen Rinaldi, who just concluded a four-year term as chair of ICI’s Chief Information Security Officer Advisory Committee, outlines emerging risks and how funds are defending against them.
Stephanie Ortbals-Tibbs, ICI director of media relations: What are the most important cross-cutting issues in cybersecurity for asset managers? At ICI’s recent Cybersecurity Forum, we tackled them all, as the committee chairman, Ellen Rinaldi, shared with me afterwards.
Ellen Rinaldi, former ICI Chief Information Security Officer Advisory Committee chair: Over the last five to six years, there has been an increasing use of third-party services and vendors to help us with critical functions. We have always been very concerned about the quality of what we do and how we do it. And now, the industry is looking for partners that provide that same quality and, frankly, security.
And the way that we need to supervise them—make sure that our information and our clients’ information is protected—is very, very important. Our regulators are looking to see how we do it, and I think all of us are concerned with making sure that we’ve not only chosen the right vendors, but they are managing what we want them to manage in the way we want them to manage it.
Ortbals-Tibbs: The area that you work in is one where we have this gathering every year. And the issues are always different because there is so much going on, and because it does evolve, even fairly quickly.
Rinaldi: The attack vectors change because the cybercriminals out there and the nation-states change, and we need to adjust the way we approach, based upon how we’re receiving those attacks. As a result, third-party now is a very important issue for us because the attack vectors have now moved from our industry to our suppliers as a gateway into us.
Ortbals-Tibbs: Ellen, did you hear any best practices in that conversation?
Rinaldi: We are moving from an era of point-in-time examinations of third parties—say, once a year, or once every six months—to looking for a continual way to have supervision of our third parties.
Ortbals-Tibbs: When we talk about all of these issues, of course, they can sound rather technical. But in the end, in our industry, it all relates back to the investor.
Rinaldi: We can never forget the fact that we are protecting billions of dollars of other people’s money. And in that environment, our stewardship has to be correct, it has to be accurate, and it has to be the very best we can bring to them.