
Focus on Funds

Funds Balance Cybersecurity and Employee Needs

As the asset management industry adopts employee monitoring programs to bolster cybersecurity, it’s also moving to protect employee privacy—and build trust. The January 26, 2018, edition of Focus on Funds examines how firms are striking a balance.

Transcript

Stephanie Ortbals-Tibbs, media relations director, ICI: Employee monitoring is on the rise in the fund industry, as part of its larger cybersecurity effort. So how should that look for companies and their employees? What do you need to know about how that might work best? How can employees build trust in the system that is being created? At ICI’s Cybersecurity Forum, I got some advice on all of that.

Janet Oren, chief information security officer, Legg Mason: It’s important that people have trust in the people who are doing the monitoring, so we want to make sure that the people actually seeing the information understand that that data is confidential—that they’re not walking around the business gossiping about something they read about someone because they were doing a monitoring activity. That just erodes the trust in the people who are actually looking at the data. It really is those employees who are doing the monitoring—because they are literally reading people’s email, which can be very private—so they have to understand that.

Ortbals-Tibbs: And it sounds like the way you build that trust is through training the people who will be monitoring them—and you put a big emphasis on that.

Oren: Yes, absolutely. There is a big emphasis on training them. Because the compliance department is doing a part of the business, it has to be taken very seriously, so they need to have that trust.

Ortbals-Tibbs: You deal with many challenges as part of this. Of course, first, you’re dealing with this fundamental issue of making sure that monitoring staff is comfortable. Then you really have to work on introducing a lot of new concepts and new rules to people, and that takes a lot of time and education, it sounds like.

Oren: You really have to have a good communications plan. You start six months ahead of time, and let people know what’s coming and how it’s going to impact them. Give people an opportunity to ask questions—have maybe one-on-one sessions to really get personal about how they think it might impact them.

Because people do care, particularly with BYOD [bring your own device] and the personal devices. People care about what you’re monitoring on there, and they want to know exactly what you’re doing. So, having those conversations, having a really solid communications plan, is really essential.

Ortbals-Tibbs: You do bring up phones, and phones are a big challenge. This is a new area.

Oren: Phones are a challenge, just because they’re a different technology. There are ways to monitor some of the things you do on phones. But text messaging, for instance—there isn’t a good way to archive or get copies of text messages. So they are a challenge.

In all of our organizations, we have to look at technologies constantly, because you have to figure out, can that technology be secured? Can that technology be monitored appropriately, from a regulatory compliance standpoint? And have a review process to look at anything new that you’re bringing into the environment.

So it is a challenge. All of our businesses on the panel recognize that, and we have different ways of dealing with it. But it’s something that we have to look at every single day.

Ortbals-Tibbs: It sounds like this is another one of these areas where cybersecurity is really getting integrated into the business, far more than it used to be.

Oren: Absolutely—it has to. My number-one goal at Legg Mason is to make sure people understand, cybersecurity is everybody’s job, and that we all take it seriously and understand what we’re responsible for.  
