I’m attending the PERE CFOs & CCOs Forum. These are my notes from the session.
On a scale of 1 to 5, the attendees created a classic bell curve on how confident we felt about our cybersecurity programs, with most choosing “3.”
The panel labeled social engineering as the upcoming threat. There were several stories of fake invoices coming from outside the firm, spoofed to look like they were coming from within the firm. The other example was malware injected into the IT system by a junior person opening a malicious file sent through email.
Cybersecurity should be part of the regular compliance training. Focus spoofing- and phishing-prevention training on those who can move funds or authorize funds to be moved.
Cybersecurity is now a common item on SEC exams. Be ready to answer questions.
Hackers tend to be opportunistic. They need to see a weakness or they are more likely to move on to another target. The scary problem is when our firm is specifically targeted.
The panelists seem to have some strict rules on the use of personal email. The challenge is that younger workers are used to collaborative tools and easier access to information.
For mobile devices, the standard is to be able to wipe the phone remotely in case it is lost, to keep information secure. Make sure everyone knows to quickly report a lost phone.
Cybersecurity is part of fundraising. It is a very common item on investors’ due diligence questionnaires, although probing beyond the questions tends to be limited.
Cyberinsurance is becoming more common and the coverage is expanding. It covers losses, but it does not necessarily cover all of the incident response.