Investing in Security
Clients rely on investment management firms to grow their assets. The last thing they expect is a loss due to negligent cybersecurity practices. Regardless of how well a firm anticipates financial markets, a cybersecurity attack could bring their portfolio crashing down. For this reason, the SEC and FINRA are focused on driving cybersecurity best practices in the financial industry.
If anyone feels the pressures of cybersecurity, it's Chief Information Officer, Jeff Liles of Harbert Management Corporation (HMC). HMC is an investment management firm founded in 1993, with approximately $6.4 billion in Regulatory Assets Under Management as of June 30, 2019. Cybersecurity is a compliance requirement for HMC, but they want it to be a differentiator for them as well.
Company: Harbert Management Corporation
Pratum Services: Information Security Risk Assessment, Penetration Testing, Managed SIEM
“Investors are very interested in learning what the firm is doing to combat cyber-attacks.” – Jeff Liles, CIO
HMC’s prospects must consider how the firm will protect their investments from cybersecurity attacks. With over 230 employees spanning five (5) countries and an IT team of four (4), HMC remains vigilant to ensure security and privacy for its clients. “We needed to enhance our cybersecurity portfolio and find a partner that would work side-by-side to protect HMC from cyber-criminals,” shared Liles.
Upon identifying the need for security assistance, HMC set out to find a trusted partner that would provide a layered approach to its security program. In 2017, HMC partnered with Pratum to develop a program that delivers insight into attacks and defends against breaches.
The partnership began with an Information Security Risk Assessment, which provided a deep understanding of HMC's security posture, including an evaluation of administrative, physical, and technical controls. Through policy review, facility walk-throughs, and in-depth interviews with stakeholders, Pratum provided HMC a summary of high and moderate risks along with recommendations for remediation.
To complement the risk assessment and improve HMC’s visibility into its technology environment, a penetration test was performed by Pratum. The objective of the penetration test was to identify and exploit weaknesses in HMC’s technology infrastructure. The information gained from the test provided HMC the knowledge needed to make improvements to its infrastructure to secure it for the future.
The third layer to HMC's security program was the deployment of security information and event management (SIEM) through Pratum’s Security Operations Center (SOC). “SIEM provides fantastic insight into activities on our network,” expressed Liles. Managed SIEM is designed to deliver continuous data analysis, threat intelligence, and security incident reporting, which enables HMC to understand what is happening on their network in real-time.
It is a partnership… Pratum meets our goals and expectations. The overall agility of Pratum, the personnel we work with has been fantastic. The SIEM relationship makes it even stronger. The reporting and feedback, in ways of issue resolution, has been great.Jeff Liles Chief Information Officer - Harbert Management Corporation
Risk Mitigating Result
Armed with the list of “Next Step” items identified in the risk assessment and penetration test, HMC was positioned to take corrective action and advance its security posture.
“We don’t want to be complacent. Bad guys are always looking for ways around [our] cybersecurity layers. We have seen new recommendations from Pratum, and we welcome those suggestions. It helps us improve our process.” - Jeff Liles, CIO
When a client or prospect performs due diligence on HMC's cybersecurity, Liles and his team are poised to respond. HMC provides prospects a Business Continuity and Disaster Recovery Plan as well as an executive report of their information security risk assessment.
HMC is compliant with SEC and FINRA regulations, and clients can rest assured their assets are being securely managed. HMC took a challenging security requirement, embraced it, and turned it into a competitive advantage.