Posted on April 3, 2023
A significant roadblock in cybersecurity adoption can often be the perceived cost versus budget. Cybersecurity can be seen as having little tangible ROI for funds, whose focus and resources are consumed by consistently trying to develop strategies to outperform their competitors and win hard-won mandates. Cybersecurity is perhaps best seen as a budget allocation where the expectation is that ‘X’ percent of revenue is spent on protecting the firm. This would ensure it is not only part of overall strategic planning, but also that investments are made in a planned way. Funds already spend on IT, but falter when looking for ‘additional’ budget to invest in security. An increase in budget is not always required.
Regulators require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cyber risks through controls. These policies should include periodic risk assessments; user security and access management (including measures for remote working security); information security and data protection frameworks (including third-party oversight and vendor management); threat and vulnerability management; incident response and recovery (including incident response plan testing as well as business continuity planning and testing); and more.
Regulators also require boards of registered funds to actively take part in supervising their fund’s cybersecurity policies and procedures through a documented process. There are also expected new rules that would mandate that businesses have a process for responding to cyber threats, with a requirement to report “significant” cybersecurity incidents to the regulator within 48 hours of having a “reasonable basis” to believe that such an incident has occurred or is occurring. These expected additional requirements would need to include strategies for mitigating the risk of a cyber incident as well as procedures for notifying the regulator and other relevant authorities in the event of an incident.
These responsibilities require investment in both knowledge and time. Working with an outsourced partner who has the ability to support funds in developing these security measures makes sense for most. It is unlikely that requirements such as these can be monitored in real time in-house.
Creating a business case for cybersecurity can be difficult when it is measured against ROI. Education is often the most effective starting point when building and maintaining a successful security posture, as tools already in use within a firm frequently have unused capability. Microsoft’s 365 suite includes comprehensive security features. While these solutions are available and already budgeted for in licensing costs, being aware of the tools and using them effectively can be the answer: they mitigate risk, give confidence in meeting regulatory requirements and keep costs to a minimum, without paying for additional products or licences. Microsoft 365 E5 detects, mitigates and remediates threats and includes:
- Microsoft Defender for Office 365 to protect your organisation against sophisticated attacks such as phishing and zero-day malware.
- Information protection and governance helps identify risks by locating data and understanding how it is used, and assists in safeguarding data where it lives by configuring protection and retention labels.
- Microsoft Defender for Endpoint is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation, and response.
- Microsoft Defender for Identity is a cloud-based solution that helps protect your organisation’s identities from multiple types of advanced targeted cyberattacks.
- Microsoft Defender for Cloud Apps provides visibility to view apps used in your organisation, identify and combat cyberthreats, and monitor and control data travel in real time.
Regulated entities are wholly responsible for their cyber strategy, but partnering with a vendor who has experience working in the regulated sector can offer the expertise, guidance and assurance to a fund that every care is being taken to mitigate cyberattacks in a cost-effective and efficient manner. Cybersecurity solutions are a moving target and change constantly. Working with the right provider can reduce cost and risk.