Cyber Security Questions Hedge Funds and Private Equity Firms Should Ask Their Service Providers

Nine questions every hedge fund and private equity firm must ask their service providers to make sure they aren't vulnerable to cyber security breaches.

Hedge funds and private equity firms need to know the right cyber security questions to ask their managed service providers (MSP) to protect their critical data and avoid a catastrophic cyber security breach.

It is necessary for private equity firms and hedge funds to understand the workings of managed service providers in order to keep their data safe from hackers. Contrary to what most hedge fund portfolio managers believe, managed service providers do not provide cyber security. They only provide outsourced IT services such as data storage, help desk support, etc.

"These are questions every hedge fund and private equity firm should ask their managed service provider to ensure they are protected from cyber security breaches."

Trevor Goering, Gotham Security

Trevor Goering works with the Department of Defense and Pentagon on issues related to cyber security. His cyber security firm, Gotham Security, works with hedge funds, private equity and wealth management firms in all IT security matters.

Goering has seen first-hand how a poorly run managed service provider can give hackers more opportunities to exploit and steal their clients' critical information. Goering urges private equity firms and hedge funds to ask these important questions before they commit to a managed service provider, and to ensure they hear answers similar to the ones provided below.

Question: What extra security controls can you provide me to protect my most critical data?

Answer: An MSP should describe the different levels of security they take to protect your data depending on the classification or type of data. This may include multifactor authentication, file-level integrity checking, or specific monitoring alerts built around the data.
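File-level integrity checking, one of the controls named above, is something a fund can verify for itself rather than take on faith: a baseline of file digests is recorded, and the tree is later compared against it so that any edited, deleted or newly dropped file stands out. The following is an added example written for this page, not code from the original article or from Gotham Security; the directory layout, file names and contents are constructed for the demonstration, and the tampering is simulated in a temporary directory so it runs offline.

```python
"""File-level integrity checking: baseline a directory tree with SHA-256 digests,
then report files that were added, removed or modified since the baseline.
Added illustration; the sample files below are constructed, not real fund data.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # do not follow links that may point outside the tree
                continue
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return the paths that were added, removed or changed since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "positions").mkdir()
        (root / "positions" / "book.csv").write_text("AAPL,100\nMSFT,50\n")
        (root / "investors.csv").write_text("Fund A,10000000\n")
        (root / "readme.txt").write_text("critical data\n")

        baseline = build_baseline(root)

        # Simulated tampering: edit one file, delete one, drop in a new one.
        (root / "positions" / "book.csv").write_text("AAPL,100\nMSFT,5000\n")
        (root / "readme.txt").unlink()
        (root / "exfil.tmp").write_bytes(b"\x00" * 16)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline itself must be stored where the monitored host cannot rewrite it (a separate system, or signed), and the comparison should run on a schedule and feed an alert; otherwise an attacker who can change the data can also change the record of what the data should look like.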

Question: Who is in charge of your MSP cyber security practice?

Answer: The SEC mandates that one person must be held responsible for a fund's cyber security. While almost all MSPs have a CTO in place, you want to hear that there is a dedicated Chief Information Security Officer (CISO). There's a big difference between the two. You want to hear the resume or description of the person in charge of their cyber security practice to ensure that they have a qualified individual and not a technologist or network architect.

Question: What information can you provide in a DDQ (due diligence questionnaire) that will increase my chances of landing investors?

Answer: I would want to see detailed answers here that map out how they are addressing SEC guidance and I’d want to review artifacts showing continuous monitoring and improvement of their program. This is crucial because cyber security is more than just checking a box.

Question: What type of security monitoring is being done to protect against hackers?

Answer: If your MSP is being honest with you, your MSP will tell you they aren't qualified to do this work. Therefore most don't. If an MSP tries to tell you they do this, alarm bells should be going off. You want separation of duty within your organization, as network and security roles do not have the same goals. The honest answer you want to hear is "that is not what we do."

Question: How do you manage threat and vulnerability information?

Answer: You want to hear that the MSP is subscribed to intelligence feeds from various sources. For example, the US government has a cyber security feed that can be subscribed to by various MSPs. There are also additional paid threat intelligence feeds that can be valuable when it comes to being aware of the latest threats.

Question: What is your MSP doing to ensure your data is encrypted while in transit and at rest?

Answer: You should always hear that encryption is taking place on a file level using something like BitLocker, or in transit it is protected by TLS. However, communication between third-party vendors is the most vulnerable spot that hackers try to penetrate. Force encryption between your vendors to strengthen the weak links.

Question: What level of support do you provide in the event of a security breach?

Answer: This question varies based on your current service level agreement and needs. No one answer fits every fund, but generally speaking, your needs have changed. Most MSPs should provide guidance or support during a crisis or provide additional support for an extra fee.

Question: What controls are in place to monitor the physical environment of your MSP?

Answer: Building access to any MSP should be tight, but unfortunately, I've seen some extremely accessible providers that could easily be breached from a physical perspective. This is important because an unsecured server could provide an easy way for a hacker to download critical data; it can be as simple as plugging in a USB drive. You want to hear details of their physical security controls.

Question: What type of security awareness training do MSP employees go through? 

Answer: Frankly, any security awareness training would be great but you want to hear that their training program is tailored to their environment. Subjects like anti-phishing and strong password protection education are the norm but I’d like to see subjects like mobile security or working from home addressed if that is part of the company’s practices.

About Gotham Security

Gotham Security is a leading New York City based Information Security Firm specializing in Professional Security Services and Managed Security SOC Services.

Gotham Security
349 Fifth Ave., Suite 807
New York, New York
10016