Buy-side institutions are ramping up their information security to guard against cyber-attacks, boosting physical and network security, and crafting incident response plans. Given the risks and what’s at stake, these strategies are getting the attention and backing of senior management.
“Awareness is as at high of a level as it's ever been, and the awareness level is growing within organizations, top-level management as well,” Bob Ganim, chief information security officer at Neuberger Berman, told Markets Media. “I don't think you could ever feel comfortable, because then you may let your guard down. It just takes one breach to harm a firm or any firm connected to that firm.”
Neuberger Berman, which has $257 billion in assets under management, has 2,000 employees and operates in 17 countries. Ganim’s job is to ensure that every one of those employees is cognizant of information security risks, from hacking to phishing e-mails.
“It’s a firm-wide approach,” he said. “I want all 2,000 employees to be, essentially, on the front line. When you look at your employees, they're our greatest asset, but when it comes to security, in some cases, they could be the weakest link, just because they're all connected to the internet and have access to our network. I want to make sure people are aware of the risk and that they understand their responsibilities.”
Cybersecurity – comprising the people, processes, and systems required to ensure proper access to information by and only by authorized employees, clients, and third parties – is seeing a renewed emphasis in the financial services industry in 2014, and for firms with an out-of-date or informal cybersecurity plan, now is the time to act, according to Gravitas, a provider of portfolio management and risk analytics, operations and IT services to the alternative investment industry.
“The evolving cyber-threat landscape and increased regulatory scrutiny have created tremendous pressure for alternative investment firms as they shore up their IT security,” said Patrick Mullevey, executive director of systems Integration at Gravitas.
There are six types of layers of security firm need to address, according to Gravitas: physical security (to protect hardware, networks and data from a material breach, including fire, power, disgruntled employees and terrorism); network security (to protect against risks associated with web browsing and email); malware (to protect against an attack spreading across the firm infrastructure); access control and password management; and an incident response plan (a set of processes and procedures to detect and contain an attack).
Not only must each individual firm be ready with a robust incident response program, but the asset management industry as a whole must be prepared. “Many firms within the financial service industry are connected to other firms; it’s just the way the business functions,” Ganim said. “So a problem or an attack on one firm could impact others.”
When Neuberger Berman emerged as an employee-owned entity from the 2008 bankruptcy of its former owner, Lehman Brothers, it went about rebuilding its IT infrastructure, including controls. Ganim, who had joined Neuberger in 2000 to create the IT audit function, was asked to create the CISO (Chief Information Security Officer) function.
“I started working with others in the firm--security engineers, IT personnel, legal, compliance, human resources, operations--all businesses across the firm to put together a security program that is global, robust, and covers all areas of the firm,” he said.
As new products are created, and new locations and people are added, “we want to make sure that everybody is aware of security, and that anything we're doing that's new--new apps, new software, new links with vendors--gets rolled into our security program as well,” he said. “So the evolution has been just building the program, expanding the program, and making sure everybody in the firm is aware of the program, as well as keeping abreast of, and in compliance with, regulatory requirements.”
Featured image via Petr Ciz/Dollar Photo Club