According to folk wisdom, the Chinese word for “crisis” is composed of two characters: one represents danger, the other opportunity. Although the translation is inaccurate, which undermines the inferred insight, the recognition that a crisis often gives rise to an opportunity has merit.
The SolarWinds cyberattack is one such crisis. Undetected for months, it has been one of the most devastating of recent times. Its enormous scale revealed the interconnectedness of IT systems between organizations and the advanced skills of those who seek to infiltrate them. SolarWinds was a powerful lesson about the need for organizations to work in partnership to frustrate hackers.
Public companies and brokers have always handled highly valuable and sensitive data, but today’s investment industry is also highly interconnected. As operations have digitized and services moved online, cyberthreats have expanded from tech-savvy fraudsters to nation states intent on destabilizing our economy. Fortunately, many industry participants recognize that security is strengthened through partnerships. Issuers, brokers and their vendors are joining forces and taking proactive steps to mitigate risks and stay a step ahead of hackers.
Bridges and Moats
Information security involves defenses and controls. Imagine a medieval castle, protected by its walls and moat, but with a drawbridge that can be lowered to manage safe connections with the outside world. Investment companies need impermeable barriers against hackers, but need to open bridges to trusted third parties.
Shareholders expect public companies to offer digital access. Brokers compete in a market that increasingly operates online. These companies and the organizations that support them have to facilitate demands for online convenience at the same time as fending off attacks that are increasing in number and sophistication.
A robust information security program therefore depends on developing systems of trust. Industry players are doing this through partnerships that connect their IT teams and information security specialists with external technology vendors and all industry participants that interact with their systems.
Collaboration provides the foundation for building trust. Associations have been formed to share cybersecurity intelligence, with several focused on the specific needs of financial services firms. Many technology vendors are proactive in offering cyberthreat assistance, ensuring that appropriate security controls are in place to protect data, and helping issuers and brokers to identify and respond to attacks as they happen.
Proxy Season and the Pandemic
The Covid-19 pandemic is not over, but already the investment industry has seized opportunities to make progress through partnerships. One notable example is the creation of the Digital Legal Proxy (DLP).
The 2020 proxy season took place at the onset of the pandemic; shareholder meetings suddenly needed to be hosted virtually and the scramble led to some problems with meeting access and voting. A working group was formed to address these issues and Mediant proposed the solution of a DLP, which was accepted by the majority of members.
Mediant went on to develop a secure application programming interface (API) to enable the DLP, working in partnership with group members to achieve a universal solution. The API was designed to be secure with controls in place to ensure seamless protection as data is transferred between industry participants. The DLP was adopted by most virtual shareholder meeting (VSM) providers in time for the 2021 proxy season, including Mediant, Computershare and Equiniti.
It’s a great example of how both shareholder experience and security can improve through collaborative endeavors open to the possibilities within problems. The DLP exists because our industry acted collectively for the good of shareholders, with issuers, brokers and vendors all involved.
Surpassing Industry Standards
Mediant applies extensive security controls to its own systems. We are SOC 2 Type II compliant, which is an important way for us to demonstrate that we are securely managing systems and data to protect our company and clients. We also follow guidance from the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) to drive continuous improvement.
Our ongoing, automated penetration testing tools operate both internally and externally. We work proactively with clients and prospects to answer any questions they have about our controls and we do the same with our vendors to ensure the full supply chain is protected.
In addition, we provide guidance to both clients and vendors on security controls, especially in relation to data transfers. These measures include data encryption and “whitelists” of trusted partners and sources. By involving our clients, we can protect their data through the entire life cycle of a transfer. Working with vendors, we ensure they match the robustness of our controls. The chain of security is only as strong as its weakest link, so we check every single one.
Safeguarding Remote Working
Minimizing social contact due to the pandemic has led to a huge increase in remote working. The experience has convinced many companies that remote access can be secure, opening opportunities to make working life more flexible.
Home and remote environments introduce additional data and cybersecurity risks. Often, they lack the latest networking and software patches. Homes will likely have other family members present, who aren’t employees and so cannot be vetted or trained.
Issuers and brokers need to adopt a “zero trust” approach, handling remote work environments in similar ways to salespeople working out of hotels and airports. In such locations, where networks and security measures cannot be trusted, security needs added controls. These include multifactor identity verification, security software on mobile devices, and data encryption to protect lost or compromised devices.
While no crisis is welcome, turning inwards can compound problems. In our hyper-connected world, partnerships and collaboration identify and enable opportunities for better ways of working, mitigating security risks and defending the integrity of our valuable industry.