With the cost of global cybercrime set to grow by 15 percent per year, reaching $10.5 trillion annually by 2025, according to Cybersecurity Ventures, cybersecurity is increasingly top of mind for all organizations. Cybercrime, including ransomware, denial-of-service attacks and data exfiltration, is one of the greatest threats to business today: financially, operationally, and in terms of brand reputation.
Given the investment management industry stewards $24 trillion in assets owned by over 100 million shareholders in the US alone, organizations must think differently to keep investors, their data and their assets, including life savings and pensions, secure. Indeed, earlier this year the Securities and Exchange Commission proposed cybersecurity risk management rules and amendments for registered investment advisers and funds.
Both cybercrime and the cybersecurity needed to mitigate it are driven by technology advances and digitalization, including the move to the cloud. Because of this shift in how organizations operate, traditional business continuity processes (BCP) and approaches no longer apply.
So how can the industry use modern thinking and technology to get ahead of, and stay ahead of, technology-savvy and increasingly audacious cybercriminals?
FundGuard’s Alan Schneider sat down with Yaniv Zecharya, FundGuard’s CTO (and former R&D Head at Salesforce Israel), for his take on how investment managers and boards of directors can leverage the benefits and security of the cloud to apply a proactive, scalable and best-practice approach to cybersecurity processes and policies.
AS: What implications does a move to the cloud have for cybersecurity?
YZ: Broadly defined, “moving to the cloud” means porting existing software to function in a new cloud data center such as Azure or AWS, or developing new applications using cloud-native technologies.
Both provide more protection than on-premise or private network applications because the clouds themselves provide redundancy and data replication, along with access controls recently designed to protect your assets. Cloud-native systems provide further protections and assurance due to the databases, operating systems and development toolkits used, as well as the development and testing methods that are followed.
These cloud-native capabilities will provide your most secure and redundantly available operating environments.
AS: How can organizations feel secure with a fully cloud-native approach for our highly regulated, data intensive industry?
YZ: Security is only as strong as the weakest link. When it comes to cloud-native software-as-a-service (SaaS) and cloud security, there are two main components to think about:
From investment in cybersecurity R&D, to the people employed and methods deployed, Microsoft, Amazon and Google are known for their efforts to keep customers safe on the cloud and it’s part of their core business. At an infrastructure level, trying to replicate, in-house, the spend, effort and expertise the public cloud operators dedicate to keeping their services secure would be a herculean task.
As for application security, cloud-native SaaS-based applications have proven to be more secure than legacy technology on the cloud:
That said, even with the support of the cloud providers, vendors that provide legacy technology on the cloud, rather than those with cloud-native development and release cycle management, cannot be as nimble to stay ahead of or recover from cybersecurity concerns.
With today’s subscription models, your SaaS vendor can make or break security at an application level. It’s vital therefore to include a comprehensive evaluation of any vendor’s cybersecurity abilities alongside the capability of their service (scroll below for ten questions fund managers and their boards can ask to evaluate whether their providers understand how to maximize security in the cloud).
While this might seem more complex, a benefit is that with the public cloud you have two lines of defense – at the infrastructure level and within the application. Furthermore, it is now fairly cost-effective to employ a multi-cloud strategy, for instance, running two distinct instances of your NAV on totally separate public clouds. This approach doubles your security and, in the case of a security event, reduces your operational downtime to zero.
AS: What would you say to those organizations that are reluctant to give up control and still consider it better and safe to stay with an on-premises technology approach?
YZ: There is a misconception that organizations will better retain control and therefore remain safer if they employ an on-premises technology approach. However, doubling down on legacy technology that you or your providers fully own, host and manage can put you at risk in two main ways:
AS: Should organizations consider a middle-ground approach or a transition that’s more gradual?
YZ: It is possible to start your journey to the cloud by using it to augment your existing offering by adding redundancy, scalability and resiliency with cloud-based services. Certainly, this can be appealing because replacing legacy technology and operations can’t happen overnight. However, with a smart cloud migration plan, you can start seeing the benefits of the cloud from the get-go.
However, if you opt for supposedly cloud-enabled services that merely overlay cloud-based managed services onto legacy infrastructure and software, you remain vulnerable to the same security risks that you were with your legacy technology. Further, from a competitive advantage point of view, being too tentative about your cloud migration can mean the gap between you and your competitors widens to such an extent that you never catch up.
AS: What questions should fund managers and their boards ask to evaluate whether their providers (and their own in-house teams) understand how to maximize security in the cloud?
YZ: A comprehensive evaluation of any provider’s cybersecurity abilities and service capabilities should include, but is certainly not limited to, the following questions:
FundGuard is committed to helping our clients thrive and compete by providing a modern framework to enable more informed decisions, reduce operations risk, comply with changing regulations, and radically raise productivity.
Contact us to learn how our cloud native NAV Contingency, ABOR and IBOR solutions mitigate the costs and risks of separate applications while boosting security, compliance and the ability to innovate and digitalize.