Elward: What steps is the investment industry taking to protect investors?
Marootian: We are fortunate to be in an industry that is actively focused on cyber security issues, with a number of regulatory agencies that provide oversight on both preventive and detective services against cyber security crimes. These regulators rely on the information technology (IT) standards that bodies such as the Information Systems Audit and Control Association (ISACA), the National Institute of Standards and Technology (NIST), and the International Organization for Standardization (ISO) use to coordinate and develop processes aimed at preventing cyber security-related crimes. Due to the potential economic effects of vulnerabilities in the financial services sector, this ecosystem of regulators and standards maintains a strict focus on prevention and defense.
Elward: In your role as Chief Information Officer with Natixis, how do you work to secure the data of investors and financial advisors?
Marootian: We have a robust information security program that applies a strong combination of technology, process and people to mitigate the risk of cyber security attacks against the firm. The ultimate goal of IT in the area of cyber security is to provide our customers with a safe and secure technology environment to conduct business. This is executed by our IT teams, who maintain a balanced program of preventive and detective controls to help minimize the impact of cyber-related crimes. The standards we follow are not prescriptive down to specific technologies, but they do help IT security teams identify areas of potential weakness and vulnerability – and remediate those with a combination of technology and process.
Our implementation is multi-layered. Our Chief Information Security Officer (CISO) maintains a deep knowledge base, with a view toward the latest technologies available to prevent and deter cyber crimes. Additionally, we have a security operations team that maintains daily oversight of our layered security model. Finally, we have processes in place to encrypt our data – whether it is at rest or in flight between systems – to maintain a high level of security for our customers’ data at all times.
In partnership with independent third parties, we conduct a range of audits and assessments throughout the year to assess the quality of our information security programs. This allows our teams to have full visibility into “best practices” that exist in the market, and aids us in our goal of continuous improvement.
Elward: Has Natixis Investment Managers ever had a data breach of investor or financial advisor information on your watch?
Elward: How do you staff your team with respect to data security and cyber security?
Marootian: We start by onboarding experienced and execution-oriented staff. Our goal is not to create functional areas with conceptual leads, but to create a team of strategic practitioners that have the ability to grow our information security program and practically implement and manage all the technologies that support it. We have a strong partnership with our human resources department, and the dynamic nature of our work attracts technical talent from many industries, which is a great advantage for hiring in an extremely challenging market.
Information security is a high priority focus area for the firm. Senior leadership receives quarterly updates from the group, highlighting trends in the market, as well as technologies and processes that we are looking to implement. IT security will continue to be a focus area for staff development for the firm as we expand the scope of their functions, such as having security teams involved in secure coding practices for our software engineering teams. Our technology infrastructure and information security programs are robust, which also draws talent in the marketplace. We have been fortunate to attract and retain highly talented individuals on the Natixis information security team. Our average tenure is over five years, whereas the industry trend is three years.
Elward: What questions should investors and financial advisors be asking their financial services providers about these topics?
Marootian: Investors and financial advisors should be aware of what controls, processes and procedures are in place to secure their data. They should know how regularly an organization’s cybersecurity program is inspected and assessed by independent third parties. This work should include penetration tests. In addition to information about a firm’s broader data security architecture, having some knowledge about how the firm conducts threat prioritization is also important. Cyber security is an amorphic thing – it’s constantly changing – and approaches to remediating systemic criminal threats require the IT team to maintain a fresh perspective.
Natixis Distribution, L.P. is a limited purpose broker-dealer and the distributor of various registered investment companies for which advisory services are provided by affiliates of Natixis Investment Managers.