Information security is becoming a major topic in the private equity industry. Andreas Englisch, AssetMetrix’ CISO, shares his opinions on the major challenges, developments and must-haves for companies in the future.
How have you seen information security in private capital evolve in the last few years?
Although I have not seen a big revolution in private capital’s information security domain in the last few years, one point has become evident: the “security-first approach”. Our philosophy should always be “What makes it valuable could also make it vulnerable”. In our case this means being aware of which information we put into the public space, assessing the risk, and deciding whether it is worth taking.
What do you see as the biggest challenges in information security in Private Capital currently?
The more global and regulated our business grows, the higher the risk of breaching a regulation. Thus our risk of penalties might also increase if we don’t undertake every effort to keep it below our Risk Appetite threshold.
What are the most important topics you believe asset owners, managers and servicers should focus on from information security standpoint in 2023?
Servicers increasingly need to establish a strong concept of roles and must prove any identity they want to do business with, or do business for, as flawlessly as possible. Reputation is king. It is substantially harder to win back reputation you have lost through a cyber security incident than to sustain it. We can also see clients seeking to get satisfactory assertion about their service provider’s Risk Management Program and Cyber Security Strategy.
What are your key predictions for developments in information security for Private Capital in the next 2-3 years?
If your business moves into any private or public cloud, so should your cyber security strategy. This means adopting the new “Zero-Trust Cloud Mantra”, that is to say: “allow no access to any system in your cloud before you have checked it again and again … and again”. We may see the emergence of “Just-in-Time Access”, where users – and even more so administrators – will obtain access privileges only for a predetermined and limited amount of time, when they really need them: from “least privilege” to “least time”.
Why should Information Security be one of the focus topics in the industry?
Everybody and everything is connected through a cloud which effectively is just “somebody else’s computer”. You basically need to accept that it will be hacked one nice and sunny day.
Social Media will feed artificial intelligence bots like ChatGPT with the information about your people and business they might still be lacking today to create tomorrow’s even more leading-edge phishing attacks.
Three main sources of attack the industry faces
Phishing is still the number one attack vector and will keep this position for the time being, but there is “competition” ahead, such as online identity theft, attacks via the software supply chain, or sophisticated “evil twins” which might try to trick users into connecting to them instead of the intended public WLAN hotspot, in order to eavesdrop on interesting network traffic as a “man-in-the-middle”.
Essential requirements to fulfill to be considered safe – what are the minimum requirements to “survive”?
There are of course no “silver bullets” out there in the security space, but from our past experience and our industry’s best practice, it is evident that you need to fulfill the following requirements if you want to sustain all future challenges in the long term:
- You need to have a “Cyber Security Incident Response Plan” in place.
- Your SIEM (Security Information and Event Monitoring) needs to be surveilled 24 hours a day, 7 days a week.
- IT Security is also a “social business technology”, so you need to execute Tabletop Exercises and Awareness Trainings on a “near-regular” basis.
- Multi-Factor Authentication is and will always be one of the key controls in your Security Control Framework.
- If there is one rule, it is this: “Every preventive control will fail one day”, so you need to be prepared and have a sound “Security Testing Strategy” as well as enough detective controls in your pocket to tackle all false negatives.
Information security trends in other industries that PE should follow/care about
- “User Behavior Analytics” (sometimes also called “Network Behavior Anomaly Detection”, and an evolution of “Extended Detection and Response”) is still expensive to execute and complex to maintain, but seems to be finding its place as the only antidote to the most sophisticated “Advanced Persistent Threats”.
- Content is key for PE, so “Content Disarm and Reconstruction” functionality, which helps to escape ransomware, might become a predominant requirement sooner than we would believe.
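The “User Behavior Analytics” item above describes the idea only in outline. The following is an added editorial example, not code from the interview or from AssetMetrix, showing the core of such analytics in miniature: learn a per-user baseline of login hours and source countries from historical events, then score new logins against it. The CSV record format (`user,hour_utc,country`), the sample users and the thresholds are all constructed for this illustration.

```python
"""Minimal user-behaviour baseline and anomaly scoring over login events.

Added example for illustration only; all data below is constructed.
"""
import csv
import io
from collections import Counter

# Constructed history of successful logins (assumed format: user,hour_utc,country).
BASELINE_CSV = """user,hour_utc,country
alice,8,DE
alice,9,DE
alice,9,DE
alice,10,DE
alice,13,DE
alice,17,DE
alice,18,DE
bob,7,DE
bob,8,DE
bob,8,AT
bob,9,DE
bob,16,DE
bob,22,DE
"""

# Constructed batch of new logins to score. "carol" has no history at all.
NEW_EVENTS_CSV = """user,hour_utc,country
alice,9,DE
alice,3,DE
alice,9,RU
bob,8,AT
carol,12,DE
"""

RARE_HOUR_SHARE = 0.05  # below this share of a user's logins, an hour counts as unusual
ALERT_THRESHOLD = 2     # assumed cut-off between "review" and "alert"


class UserBaseline:
    """Per-user profile learned from historical logins."""

    def __init__(self):
        self.hours = Counter()
        self.countries = Counter()
        self.total = 0

    def observe(self, hour, country):
        self.hours[hour] += 1
        self.countries[country] += 1
        self.total += 1

    def hour_share(self, hour):
        # Share of this user's logins within +-1 hour of `hour`, wrapping at midnight,
        # so a 09:05 login is not penalised just because history only shows 08:xx.
        window = sum(self.hours[(hour + d) % 24] for d in (-1, 0, 1))
        return window / self.total if self.total else 0.0


def build_baselines(csv_text):
    baselines = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        profile = baselines.setdefault(row["user"], UserBaseline())
        profile.observe(int(row["hour_utc"]), row["country"])
    return baselines


def score_event(baselines, user, hour, country):
    """Return (score, reasons) for one login; higher means more anomalous."""
    profile = baselines.get(user)
    if profile is None:
        # No history: we cannot call it normal, so escalate instead of passing silently.
        return 3, ["no baseline for user"]
    score, reasons = 0, []
    if country not in profile.countries:
        score += 2
        reasons.append(f"new country {country}")
    if profile.hour_share(hour) < RARE_HOUR_SHARE:
        score += 1
        reasons.append(f"unusual hour {hour:02d}:00 UTC")
    return score, reasons


def verdict(score):
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "review" if score > 0 else "ok"


def run(baseline_csv, events_csv):
    """Score every event in `events_csv` against baselines learned from `baseline_csv`."""
    baselines = build_baselines(baseline_csv)
    results = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        score, reasons = score_event(
            baselines, row["user"], int(row["hour_utc"]), row["country"]
        )
        results.append(
            {"user": row["user"], "score": score, "verdict": verdict(score), "reasons": reasons}
        )
    return results


if __name__ == "__main__":
    for r in run(BASELINE_CSV, NEW_EVENTS_CSV):
        print(f'{r["verdict"]:6} {r["user"]:6} score={r["score"]} {"; ".join(r["reasons"])}')
```

Two caveats a practitioner would add: the baseline is only as trustworthy as the learning window, so an account that was already compromised while its profile was being built will have the attacker's behaviour baked in as “normal”; and real products model far more features (device, peer group, impossible travel between consecutive logins), which is where much of the cost and maintenance effort mentioned above comes from.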