Both the National Futures Association (NFA) and the Securities Exchange Commission (SEC) are becoming increasingly active in assessing the ‘cyber preparedness’ of registered investment advisers, using specialist IT teams to conduct audits.
The SEC’s Office of Compliance Inspections and Examinations examined 49 registered investment advisers and 57 registered broker dealers in 2014 and in January 2015 reported that 74 per cent of the registrants interviewed experienced a cyber-related incident.
On 1 March 2016 the National Futures Association formerly introduced the Cybersecurity Interpretive Notice. Cybersecurity risk assessments with regular reviews, written information security policies, staff training, vendor due diligence, deployment of appropriate protective measures and record-keeping around program implementation are now all regulatory requirements for NFA member firms.
To help NFA- and SEC-regulated hedge funds prepare for a potential visit from the regulators, ACA Aponix, which provides financial services firms with a 360-degree, independent approach to technology risk and governance, is currently engaged in performing mock audits.
“We are helping our clients to best prepare for such an eventuality. Using knowledge gained from working with clients undergoing examinations, we simulate the examination process including a review of policy, standards, procedures, and evidence of adopted practices. We also undertake onsite interviews and physical inspections to help clients to confirm that their cybersecurity programs are in line with regulators’ expectations,” says James Tedman (pictured), Managing Director, ACA Aponix (Europe).
This is particularly important when one considers that the sophistication of cyber attacks has increased significantly over the past 12 months:
Challenges go well beyond implementing the most common technical tools of firewalls, intrusion detection, spam filters etc., and require a broader effort from more than just the IT team. Getting buy-in from the entire business is critical, and staff training is valuable in ensuring staff know their roles and responsibilities, as well as understand the risks that funds are exposed to.
Without doubt, having a robust cybersecurity program is now a regulatory requirement for any SEC- or NFA-regulated fund and Tedman expects other regulators, including the UK’s FCA, to follow suit during 2016.
“The cornerstone of the regulators’ requirements is a cybersecurity risk assessment but this is a tricky and time consuming exercise for the average hedge fund to undertake internally, and outsourced IT providers and even internal IT departments are conflicted – you can’t mark your own homework! Our independence from products or vendors means that we can offer impartial advice based on our knowledge of funds, cybersecurity and technology best practices,” says Tedman.
Much of what goes in to a mock audit centres on ensuring that the correct documentation is in place. Prior to a visit from the SEC, for example, a client receives a document request list. Most of these documents are policy documents as the SEC looks for evidence of good practice.
The list of required documents is lengthy; some to be provided in advance, others to be made available whilst the examination team are onsite. Examples include: copies of board minutes, data maps, vendor management policy, access management policy, incident response plans and risk assessment findings; firms need to make sure that they have a robust Written Information Security Program (WISP).
“The WISP is both defensive and pre-emptive to help the investment manager guard against attacks and increase the security posture of the firm, but, importantly, on the flip side it will ensure that if a breach were to occur, the necessary processes are in place,” says Tedman.
Indeed, having a well-defined and considered plan to execute in the event of a breach can significantly reduce the damage caused – both direct and secondary damage. An incident response plan will make a breach scenario a lot less stressful and is likely to result in a faster resolution of the issue. In fact some firms are now honing their breach response procedures using ‘table top exercises’.
Simulating breach scenarios is a useful way of testing your incident response procedures as well as making sure that participants understand their roles and responsibilities, says Tedman. Often, representatives from IT, investor relations, compliance, legal, the investment team and key vendors will be involved, all of whom have a role defined within the incident response plan but may not understand it properly before the table top exercise.
Tedman says that whilst the firm is doing a lot of mock audit work with US clients, including managers based in Europe who are SEC- or NFA-registered, there will likely be a similar focus coming from the FCA in London, meaning European hedge funds need to take cybersecurity equally as importantly as their Atlantic neighbours.
“I expect we will see something from the FCA by Q3 this year. They’ve already undertaken a thematic review, which took place last year. In my view, the US regulators, and indeed the CBI in Ireland, have taken a pretty sensible approach to tackling cybersecurity. All three regulators have used the NIST (National Institute of Standards and Technology) framework to define their process, which fundamentally is a best practice framework. All the regulators are asking of investment managers is to apply best practice,” comments Tedman.
The real issue here is not the fact that regulators are paying more attention to cybersecurity and conducting audits. Rather, it is that a large number of hedge funds are still way behind the curve in terms of the sophistication of the hacking community.
“Hedge funds still don’t view cybersecurity as a key business risk the way that they do other operational risks in their environment,” says Tedman. “Perhaps there haven’t been enough high profile breaches to really ram home the message. There have been some breaches of course, like the fund administrator last year and also the phishing attack on a London based fund a couple of years ago. That breach was USD1.2mn, which is significant, but it is the reputational impact that really hurts and I’m not sure that awareness of this is recognised by the fund management community.”
This is no easy task for hedge funds. At the end of the day, they are money managers not security experts. Granted, having a proper WISP in place does help, but what makes cybersecurity such a complex issue for hedge fund managers is that they have to think about their external network, not just the four walls of their office.
Unlike most other industries, hedge funds rely on a network of vendors and service providers to operate properly. This invariably involves sharing huge volumes of fund data. Problem is, a lot of service providers are niche and don’t have the resources of a blue-chip organisation when it comes to cybersecurity.
As a result, the measures and practices they employ internally are not up to scratch and this creates a significant risk to hedge funds as they try to bolster their cybersecurity defenses.
“We see this a lot with the vendor due diligence and vendor management programs we run with our clients. Many people take comfort from what is written in contracts but ultimately that’s not going to protect them if the vendor is breached.
“The average hedge fund’s dependence on vendors and the amount of sensitive data held by the vendor community is really significant. That’s why it is so important to map data residence and flow inside and outside the organization and classify the sensitivity of each data set relative to operational, reputational, fiduciary or regulatory risk. The next step is to ensure that the vendor has adopted the appropriate measures to ensure that data is secured,” stresses Tedman.
The SEC has highlighted vendor management as one of their six focus areas for their current examinations. Make no mistake, this is very much a hot topic within cybersecurity at the moment and one that hedge funds should take account of when reviewing their service providers.
