Fund Investment Management, Cybersecurity and the Cloud – What You Need to Know and the Questions you Should be Asking

June 8, 2022

What implications does a move to the cloud have for cybersecurity?
How can organizations feel secure with a fully cloud-native approach for our highly regulated, data intensive industry?
Why are on-premises technology solutions ineffective at maintaining the necessary level of security against cybercriminals?
Should organizations take a middle-ground approach or a transition that’s more gradual?
How can fund managers and their boards evaluate whether their providers understand how to maximize security in the cloud?

With the cost of global cybercrime set to grow by 15 percent per year, reaching $10.5 trillion annually by 2025, according to Cybersecurity Ventures, cybersecurity is increasingly top of mind for all organizations. Cybercrime, including ransomware, denial of service attacks and data exfiltration, is one of the greatest threats to business today, financially, operationally, and from a brand reputational point of view.

Given the investment management industry stewards $24 trillion in assets owned by over 100 million shareholders in the US alone, organizations must think differently to keep investors, their data and their assets, including life savings and pensions, secure. Indeed, earlier this year the Securities and Exchange Commission proposed cybersecurity risk management rules and amendments for registered investment advisers and funds.

Cybercrime and the cybersecurity needed to mitigate the potential crimes are driven by technology advances and digitalization, including the move to the cloud. Thanks to this shift in how organizations operate, traditional business continuity processes (BCP) and approaches no longer apply.

So how can the industry use modern thinking and technology to get ahead of, and stay ahead of, technology-savvy and increasingly audacious cybercriminals?

FundGuard’s Alan Schneider sat down with Yaniv Zecharya, FundGuard’s CTO (and former R&D Head at SalesForce Israel), for his take on how investment managers and boards of directors can leverage the benefits and security of the cloud to apply a proactive, scalable and best practice approach to cybersecurity processes and policies.

AS: What implications does a move to the cloud have for cybersecurity?

YZ: Broadly defined, “moving to the cloud” means porting existing software to function in a new cloud data center such as Azure or AWS, or developing new applications using cloud-native technologies.

Both provide more protection than on-premise or private network applications because the clouds themselves provide redundancy and data replication, along with access controls recently designed to protect your assets. Cloud-native systems provide further protections and assurance due to the databases, operating systems, development tool-kits used, as well as the development and testing methods that are followed.

These cloud-native capabilities will provide your most secure and redundantly available operating environments.

AS: How can organizations feel secure with a fully cloud-native approach for our highly regulated, data intensive industry?

YZ: Security is only as strong as the weakest link. When it comes to cloud-native software-as-a-service (SaaS) and cloud security, there are two main components to think about:

The security of the underlying cloud infrastructure, and;
The security of the application.

From investment in cybersecurity R&D, to the people employed and methods deployed, Microsoft, Amazon and Google are known for their efforts to keep customers safe on the cloud and it’s part of their core business. At an infrastructure level, trying to replicate, in-house, the spend, effort and expertise the public cloud operators dedicate to keeping their services secure would be a herculean task.

As for application security, cloud-native SaaS-based applications have proven to be more secure than legacy technology on the cloud:

Many are designed, developed and deployed with cybersecurity and disaster recovery in mind, and;
They are quickly, easily and automatically patched and updated to stay ahead of threats.

That said, even with the support of the cloud providers, vendors that provide legacy technology on the cloud, rather than those with cloud-native development and release cycle management, cannot be as nimble to stay ahead of or recover from cybersecurity concerns.

With today’s subscription models, your SaaS vendor can make or break security at an application level. It’s vital therefore to include a comprehensive evaluation of any vendor’s cybersecurity abilities alongside the capability of their service (scroll below for ten questions fund managers and their boards can ask to evaluate whether their providers understand how to maximize security in the cloud).

While this might seem more complex, a benefit is that with the public cloud you have two lines of defense – at the infrastructure level and within the application. Furthermore, it is now fairly cost-effective to employ a multi-cloud strategy, for instance, running two distinct instances of your NAV on totally separate public clouds. This approach doubles your security and, in the case of a security event, reduces your operational downtime to zero.

AS: What would you say to those organizations that are reluctant to give up control and still consider it better and safe to stay with an on-premises technology approach?

YZ: There is a misconception that organizations will better retain control and therefore remain safer if they employ an on-premises technology approach. However, doubling down on legacy technology that you or your providers fully own, host and manage can put you at risk in two main ways:

First, the nature of legacy technology means that it is difficult, costly and time-intensive to upgrade, patch and maintain to a level that keeps it ahead of cybercriminals. In some cases, due to code and technology architecture being more than three decades old, it might even be impossible. This leaves you, and your clients, at risk of savvy, opportunistic cybercriminals looking for an easy target. The only realistic way to manage this very real risk is by tapping into the capabilities of the cloud.
Second, beyond staying safe, your organization can miss out on ever-evolving benefits and protection provided by the cloud, such as the aforementioned ability to now cost-effectively operate a fully contingent NAV or production facility.

AS: Should organizations consider a middle-ground approach or a transition that’s more gradual?

YZ: It is possible to start your journey to the cloud by using it to augment your existing offering by adding redundancy, scalability and resiliency with cloud-based services. Certainly, this can be appealing because replacing legacy technology and operations can’t happen overnight. However, with a smart cloud migration plan, you can start seeing the benefits of the cloud from the get-go.

However, if you opt for supposedly cloud-enabled services that merely overlay cloud-based managed services onto legacy infrastructure and software, you remain vulnerable to the same security risks that you did with your legacy technology. Further, from a competitive advantage point of view, being too tentative about your cloud migration can mean the gap between you and your competitors widens to such an extent that you never catch up.

AS: What questions should fund managers and their boards ask to evaluate whether their providers (and their own in-house teams) understand how to maximize security in the cloud?

YZ: A comprehensive evaluation of any provider’s cybersecurity abilities and service capabilities should include, but is certainly not limited to the following questions:

Are trust and security in our providers’ mission statement?
Is the service built in the cloud, for the cloud from the ground up, or have cloud-like services been wrapped around traditional technology approaches?
What is the cloud-regional or multi-cloud configuration design for redundancy and availability?
How are cloud-regions or cloud versioning used to address recovery?
Is the data itself encrypted, or only the transport or network layer?
(Tip: if your data is encrypted, even if it is exfiltrated it can’t be used by criminals)
How often is code scanned for malware, backdoors and security gaps?
(Tip: The answer should be 24×7)
Who is responsible for your provider’s security? What is their background and experience and that of their team and how do they insert themselves and their team into SaaS design, development, production delivery and maintenance?
What documentation of processes and procedures can your provider – and in-house teams – share with you to provide proof of best practices?
How often is code updated, how much downtime occurs during the update and does the update involve a full refresh of code?
(Tip: A full refresh removes any dormant malware and more effectively closes security gaps that might have developed)
Have there been previous instances of security events and/or unexpected down time, and if so, how long did it take to recover?
(Tip: The answer should be zero to both)

FundGuard is committed to helping our clients thrive and compete by providing a modern framework to enable more informed decisions, reduce operations risk, comply with changing regulations, and radically raise productivity.

Contact us to learn how our cloud native NAV Contingency, ABOR and IBOR solutions mitigate the costs and risks of separate applications while boosting security, compliance and the ability to innovate and digitalize.