Who Owns Cybersecurity at Hedge Funds?


Josh Barons

Director of Information Security at Abacus



26.10.2016 10:45 am

US-based hedge funds are finding themselves under increasing scrutiny as regulatory demands for adherence to Cybersecurity requirements grow. The SEC continues to release OCIE Risk Alerts that outline the many requirements hedge funds need to be prepared to address, and to disclose the specific solutions they have adopted during audits. With regulation approaching, the question being asked is how far the regulators will take this, and ultimately who is responsible.

While many of the very large hedge funds have the capital to invest in enterprise-grade security technologies, have an internal Chief Information Security Officer (CISO) and/or Chief Technology Officer (CTO) on staff, and already have a mature information security program in place, the vast majority do not. Thus, who owns the risk for Cybersecurity?

Over the past ten years the role and responsibilities of hedge fund Chief Compliance Officers (CCOs) have grown in scope and duty such that they now fill one of the most pertinent and visible roles at US hedge funds. Typically considered the role that manages the relationship between new regulation and the increased demands placed on already existing compliance programs, CCOs are now trying to understand what is expected of them with respect to Cybersecurity. Over the past two years, the SEC has stepped up its expectations that hedge funds prove they have taken proper measures to initiate, manage and disclose their internal processes as well as their technology footprint, to ensure they are well protected against Cybersecurity risks.

In 2014, the SEC surprised the hedge fund industry with the announcement of an examination sweep of 49 Registered Investment Advisors to better understand how these advisers were addressing the legal, regulatory, and compliance issues associated with Cybersecurity. In 2015, it published the results of this sweep and followed it up with the issuance of an OCIE Risk Alert letter, which outlined 28 separate items that Advisors should be prepared to address in their next audit or examination. As the mandates are coming from a regulatory organization, this responsibility is falling to the CCO. While the CCO is steeped in knowledge of laws and regulation and in the development of processes to adhere and comply, they are now also responsible for security-related technologies such as dual-factor authentication, intrusion detection and prevention systems (IDS/IPS), log management and incident response plans. As is typical in the hedge fund space, firms are looking to find solutions through outsourcing to third-party providers, and many service providers are evolving their products and services to capitalize on this fast-growing market. The challenge for the CCO is that while they can outsource the task, they cannot outsource the risk.

While it does NOT make sense for CCOs to seek out new degrees in Information Technology and/or Cybersecurity, it does make sense for them to better understand the five Functions driving the Cybersecurity measures. The OCIE initiatives are based on the Framework Core outlined by the National Institute of Standards and Technology (NIST). The five Functions are "Identify, Protect, Detect, Respond and Recover", and every reference and request will tie back to one of them. While most CCOs will continue to outsource key Cybersecurity tasks such as network/firewall management, data encryption and penetration testing, it will be important for them to understand which specific Function each of these services ties back to, and to develop and document internal processes that show adherence to the Functions, as well as to the various subcategories that groups such as the OCIE have extended into the hedge fund industry.

Further, it will be important to lean on the lessons of others, particularly those who have suffered ahead of them. The US hedge fund industry has always been somewhat of a close community, where many industry groups have sprouted up to provide channels for sharing best practices and knowledge around operational and regulatory objectives. Lastly, it is good to take note of those instances where regulators have already taken action, as it is often beneficial to learn from the mistakes of others. Last year, the SEC settled charges under Regulation S-P against St. Louis investment adviser R.T. Jones Capital for failing to safeguard customer information. The SEC's press release quoted the Co-Chief of the SEC Enforcement Division's Asset Management Unit, Marshall S. Sprung, saying, "As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients' private information and they need to anticipate potential Cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs." The Order specifically notes that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt customer information stored on its server, or maintain a response plan for Cybersecurity incidents.

In closing, the challenges for CCOs will continue to grow as their responsibilities increase at a pace faster than the resources available to address and manage them effectively. With respect to Cybersecurity, it will be important to leverage third-party technology and Cybersecurity experts. However, it will be equally if not more important for CCOs to understand how these services help them adhere to the regulatory Functions being outlined by the OCIE.
