
More questions around cyber security and the safety of the cloud arose this week when it was revealed that the personal information of almost 200 million US citizens had been left exposed for anyone to access on the Internet. More than a terabyte of personal details, including home addresses, phone numbers and even voter registration data, collected by the US-based conservative data firm Deep Root, was stored in an Amazon S3 bucket that was publicly readable by anyone who knew the URL, with no credentials required. According to the firm, the data was left exposed after an update to its security configuration. A simple, easily preventable mistake, and yet evidently the procedures needed to catch such a change before it reached the public Internet were lacking.

THE REPERCUSSIONS OF OVERSIGHT

The news of the Deep Root leak made international headlines because of the scale of the leak and the magnitude of the political ramifications; however, Deep Root is certainly not the first or only firm to have taken a lackadaisical attitude towards storing and protecting its data. Major leaks from big companies and organisations, from Yahoo, to Target, and even the NHS, have all been at the centre of media scrutiny in the past, and fresh news of data security breaches seems to hit the newsstands almost weekly. According to a recent survey by Threat Stack, 73% of the 200 companies surveyed have at least one critical security misconfiguration that leaves part of their environment wide open to the Internet. If that were not cause enough for concern, firms are also paying the price, quite literally, for their passive approach to security and data encryption. Disgruntled clients whose sensitive information has been stolen or exposed are demanding compensation and filing class action lawsuits, with pay-outs sometimes running into the millions, leaving smaller firms with no choice but to close down. A hefty price to pay for a mistake so easily avoided with the right procedures, set up by people with the appropriate skills and experience.

CLOUD SECURITY PROCEDURES

Even though sensitive information was left exposed on the web for anyone to access, human error and a lack of procedures should not put people off using cloud-based systems and services. On-premises hardware is no less likely to suffer from security errors and oversights. The reality is that thousands of firms already use cloud-based systems, and those numbers will only increase. Cloud platforms bring several benefits, such as flexibility in the cost of backup solutions and the ability to process large amounts of data more cost-effectively than traditional physical hardware. They also allow more granular access control and auditing than most on-premises estates, provided those controls are actually configured and reviewed.

CONSEQUENCES OF INEXPERIENCE

Nonetheless, using the cloud is only profitable if the necessary procedures are set up correctly and with security in mind. A bit like an Ikea flat pack, providers like AWS give you the tools to build an infrastructure; assembling it so that it lasts long-term, runs efficiently and does not crumble under duress is up to you. If the object you are building is something small, like a side table, doing it yourself does not seem like a big deal. On a much larger scale, say a wardrobe, security, longevity and efficiency are suddenly at the top of your priorities. The consequences of inexperience are simply not worth the risk, and that risk should be taken seriously. When using a cloud platform like AWS, numerous processes should be put in place to limit the chances of a security breach. Relying on AWS or Microsoft alone to provide the level of security needed to prevent breaches and mistakes is not enough. Even Ian Massingham, Amazon Web Services' (AWS) chief evangelist for Europe, Middle East and Africa, has stated that AWS are "not the owners or custodians of the data – we just supply the resources", adding, "we don't control how the data is protected, customers do". Essentially, AWS cannot be held accountable in the event of a leak if the client did not build the infrastructure and processes needed to maintain and protect the data stored within its systems. This is the shared responsibility model: AWS is responsible for security of the cloud (the physical facilities, hardware and the virtualisation layer), while the client is responsible for security in the cloud (identity and access management, bucket and object permissions, encryption of data, and network configuration). A world-readable storage bucket sits squarely on the client's side of that line.

HOW HENTSU HELPS

Keeping this in mind, Hentsū helps build secure infrastructure for its clients by placing data behind multiple layers within the AWS platform or any other cloud platform. Each layer is locked and reachable only when specific requirements are met, such as a trusted network location, a trusted device, a password and two-factor authentication. Doing this minimises the chance of a simple, avoidable mistake leaving data exposed on the web. Cloud platforms can only run efficiently if the correct infrastructure is built within them. For firms that do not possess the knowledge and experience to set up secure procedures within a cloud platform, Hentsū can ensure the correct systems are in place to minimise the circumstances in which a security breach could occur.
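The two policy shapes discussed in this post, the world-readable bucket behind the Deep Root leak and the layered access (trusted location, trusted device, MFA) described above, can be compared directly as S3 bucket policies. The script below is an added example written for this page, not Hentsū's or AWS's own code: it flags Allow statements that grant anonymous read access, including the common mistake of "restricting" a public principal to 0.0.0.0/0, and shows a hardened policy beside them. The bucket name, the account ID 111122223333 and the CIDR 203.0.113.0/24 are documentation placeholders, not values from the incident.

```python
"""Flag S3 bucket policies that let anonymous callers read objects, and
compare them with a policy that requires MFA and a trusted network.

Added example for this post; not Hentsū's or AWS's code. Bucket name,
account ID and CIDR below are placeholders, not values from the incident.
"""
from ipaddress import ip_network

# Actions that let a caller fetch or enumerate objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {"AWS": "*"} means any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_restricts(statement):
    """True when a Condition genuinely narrows who can call.

    aws:SourceIp of 0.0.0.0/0 (or ::/0) matches every address, so it does
    not count; aws:MultiFactorAuthPresent only counts when required true.
    """
    for operator, pairs in statement.get("Condition", {}).items():
        for key, value in pairs.items():
            key = key.lower()
            if operator == "IpAddress" and key == "aws:sourceip":
                cidrs = [ip_network(c, strict=False) for c in _as_list(value)]
                if not any(c.prefixlen == 0 for c in cidrs):
                    return True
            elif operator == "Bool" and key == "aws:multifactorauthpresent":
                if str(value).lower() == "true":
                    return True
            elif key in ("aws:principalorgid", "aws:sourcevpc", "aws:sourcevpce"):
                return True
    return False


def public_read_statements(policy):
    """Return the Sids of Allow statements granting anonymous read access.

    A first-pass heuristic for review scripts; the authoritative answers
    come from S3 Block Public Access and IAM Access Analyzer.
    """
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        if not _principal_is_anonymous(st.get("Principal", {})):
            continue
        if _condition_restricts(st):
            continue
        hits.append(st.get("Sid", "<no Sid>"))
    return hits


# Constructed sample: the shape of a policy that exposes a bucket to the Internet.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-voter-data/*"}],
}

# Constructed sample: still public, because the "restriction" admits every IP.
STILL_PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadFromAnywhere", "Effect": "Allow",
                   "Principal": {"AWS": "*"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": "arn:aws:s3:::example-voter-data/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}],
}

# Constructed sample: the layered form. A named role, an MFA-present check and
# a trusted office range must all hold, and plaintext HTTP is refused outright.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnalystsWithMfaFromOffice", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/analyst"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-voter-data/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-voter-data",
                      "arn:aws:s3:::example-voter-data/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, pol in [("leaky", LEAKY_POLICY), ("still_public", STILL_PUBLIC_POLICY),
                      ("hardened", HARDENED_POLICY)]:
        print(name, "->", public_read_statements(pol) or "no anonymous read")
```

The checker reports `PublicRead` and `ReadFromAnywhere` as anonymous-read grants and nothing for the hardened policy. In practice a review script like this complements, rather than replaces, enabling S3 Block Public Access at the account level, which overrides any bucket policy that would otherwise grant public access, so that a later "update to the security settings" cannot quietly reopen a bucket.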

YOUR NEXT STEPS

Questions around the protection of data and secure servers will always be relevant. By taking the necessary steps and ensuring secure procedures are in place as a safety net, there is no reason to fear cloud-based platforms. Most importantly, you need to be confident that your systems were built by experts with the experience and knowledge to construct secure servers and databases. Minimising human error by establishing proper security procedures goes a long way towards ensuring systems run both efficiently and securely.

Contact Us

How secure is your infrastructure? Contact us for a security analysis and strategy: hello@hentsu.com


“Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC.”

SEC Chair Mary Jo White


Hentsū is pleased to have submitted its responses to the AITEC-AIMA due diligence questionnaire. The questionnaire has been completed on the Markit KY3P platform and is now available to all other users of KY3P. Current users include the UK's leading law firms, asset managers and information technology providers.

Know Your Provider

For asset managers, transparency with vendors and providers is vital to remaining compliant. Due diligence and third-party management continue to become more important and increasingly complex. Firms should be cognisant of the SYSC 8 requirements before, during and after an engagement, and the AITEC-AIMA DDQ helps provide this clarity.

What Asset Managers Need to Know

  1. If a firm outsources critical operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system.
  2. Firms should review their IT outsourcing arrangements in light of SYSC 8 as a matter of good governance.
  3. Where a third party delivers services on behalf of a regulated firm, including a cloud provider, this is considered outsourcing and firms need to consider the relevant regulatory obligations and how they comply with them.

Vendor management can be cumbersome and often lacks uniformity. KY3P is expected to bring some relief to asset management firms through standardisation, along with reducing the time and risk associated with vendor evaluation and risk assessment.

Vendor Management Tips

  1. Conduct a risk assessment of vulnerabilities, understanding the breadth and depth of vendor dependencies
  2. Perform in-depth due diligence before engaging a vendor, and regular ongoing due diligence during the relationship
  3. Maintain contingency plans for terminating vendor contracts

The SEC has made cybersecurity a matter of priority for asset managers. Completing the AITEC-AIMA DDQ shows Hentsū’s commitment to helping clients with cybersecurity preparedness and to staying on top of industry regulation.

View the full OCIE 2015 Cyber Security Examination Initiative