Who Owns Cybersecurity at Hedge Funds?

Josh Barons

Director of Information Security at Abacus

26.10.2016 10:45 am

US-based hedge funds are finding themselves under more scrutiny as regulators increase their demands for adherence to Cybersecurity requirements. The SEC continues to release OCIE Risk Alerts that outline the multitude of requirements hedge funds need to be prepared to address, and to disclose their specific solutions during audits. With regulations approaching, the question being asked is how far the regulators will take this, and ultimately who is responsible?

While many of the very large hedge funds have the capital to invest in enterprise-grade security technologies, and have an internal Chief Information Security Officer (CISO) and/or Chief Technology Officer (CTO) on staff with a mature information security program already in place, the vast majority do not. Thus, who owns the risk for Cybersecurity?

Over the past ten years the role and responsibilities of hedge fund Chief Compliance Officers (CCOs) have increased in scope and duty such that they now fill one of the most pertinent and visible roles at US hedge funds. Typically considered a role that manages the direct relationship between new regulation and the increased demands placed on their existing compliance programs, CCOs are now trying to understand the expectations on them with respect to Cybersecurity. Over the past two years, the SEC has stepped up its expectations on hedge funds to prove they have taken proper measures to initiate, manage and disclose their internal processes as well as their technology footprint, to ensure they are well protected with respect to Cybersecurity risks.

In 2014, the SEC surprised the hedge fund industry with the announcement of an examination sweep of 49 Registered Investment Advisers to better understand how these advisers were addressing the legal, regulatory, and compliance issues associated with Cybersecurity. In 2015, they published the results of this sweep, and followed it up with the issuance of an OCIE Risk Alert letter, which outlined 28 separate items that Advisers should be prepared to address in their next audit or examination. As the mandates are coming from a regulatory organization, this responsibility is falling to the CCO. While the CCO is steeped in skills and knowledge of laws, regulation and the development of processes to adhere and comply, they are now also responsible for security-related technologies such as dual-factor authentication, intrusion detection and prevention systems (IDS/IPS), log management and incident response plans. As is typical in the hedge fund space, firms are looking to find solutions through outsourcing to third-party providers, and many service providers are evolving their products and services to capitalize on this now fast-growing market. The challenge for the CCO is that while they can outsource the task, they are unable to outsource the risk.

While it does NOT make sense for CCOs to seek out new degrees in Information Technology and/or Cybersecurity, it does make sense for them to better understand the five Functions driving the Cybersecurity measures. The OCIE initiatives are based around the Framework Core outlined by the National Institute of Standards and Technology (NIST). The five Functions are "Identify, Protect, Detect, Respond and Recover", and all references and requests will tie back into one of them. While most CCOs will continue to outsource key Cybersecurity tasks such as Network/Firewall Management, Data Encryption, Penetration Testing, etc., it will be important for them to understand the specific Function each of these services ties back into, and to develop and document internal processes that show adherence to the Functions, as well as to the various subcategories that groups such as the OCIE have extended into the hedge fund industry.

Further, it will be important to lean on the learnings of others, as well as of those who have suffered ahead of them. The US hedge fund industry has always been somewhat of a close-knit community, where many industry groups have sprouted up to provide channels to share best practices and knowledge around operational and regulatory objectives. Lastly, it is good to take note of those instances where regulators have already taken action, as it is often beneficial to learn from the mistakes of others. Last year, the SEC settled charges related to Regulation S-P against St. Louis investment adviser R.T. Jones Capital for failing to safeguard customer information. The SEC's press release quoted the Co-Chief of the SEC Enforcement Division's Asset Management Unit, Marshall S. Sprung, saying, "As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients' private information and they need to anticipate potential Cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs." The Order specifically notes that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt customer information stored on its server, or maintain a response plan for Cybersecurity incidents.

In closing, the challenges for CCOs will continue to grow as the amount of responsibility increases at a pace faster than the resources they have available to address and manage it effectively. With respect to Cybersecurity, it will be important to leverage third-party technology and Cybersecurity experts. However, it will be equally if not more important for CCOs to understand how these services help them adhere to the regulatory Functions being outlined by the OCIE.
