By James Williams – Global law firms need to work closely with hedge funds to improve their cybersecurity risk management by identifying at-risk assets and coming up with a legal risk mitigation response.
Cybersecurity threats and data protection have become a top-line issue among managers. Whilst the latter is more of an internal threat, due to staff negligence or devious intent (i.e. taking sensitive fund investor information before leaving the firm), protecting a fund’s assets is vital.
One industry specialist I was speaking to last week informed me that one of their larger hedge fund clients had suffered 30,000 intrusion attempts in just one month.
Communication is key as legislation builds
US law is developing rapidly in response to the growing cybersecurity threat.
On Wednesday, April 22, the House of Representatives passed a new cybersecurity bill – the Protecting Cyber Networks Act (PCNA) – to allow file sharing between government intelligence agencies and private companies and raise the overall awareness of hacking.
As such, there needs to be a closer line of communication between a hedge fund’s legal counsel and its IT staff. As Ed McNicholas, a partner at Sidley Austin LLP in Washington D.C., puts it, “The lawyers have, for a long time, considered it to be an IT issue but they need to get up to speed on this.” In his view, conducting a cybersecurity review is vital.
Lawyers face three big tasks in respect of this review and making sure it is fit for purpose. They include:
- Identify the most salient information assets of the fund and understand where and with whom the manager shares those assets. Does the third party have adequate data security protocols?
- Put proper governance policies and procedures in place for staff to adhere to. This also requires an executive oversight, making sure that senior partners understand the fund’s IT security and the risks that exist.
- Prepare a breach response so that everybody within the firm knows what steps need to be taken in the event of an attack taking place.
Further, the Singapore government has just set up the Cyber Security Agency. Its financial regulator, the Monetary Authority of Singapore (MAS), is strengthening the requirements that financial institutions have in place in relation to using service providers. “The regulator is well aware of the risks. The loss of customer data is top of its mind,” says Lena Ng, Counsel at Clifford Chance Pte. Ltd in Singapore. “The Personal Data Protection Act was introduced into Singapore last year, which imposes obligations on securing personal data. This is something that managers who have a number of individual investors should be aware of now.”
Employees are the weakest link
Staff training on IT security policies, data protection policies and other critical policies needs to become an integral focus for organisations, since in 2014, 30 per cent of data breaches were caused by human error. Managers should therefore introduce password protections both vertically through the data set and horizontally, meaning that staff would only have access to the data that pertains to their day-to-day job functions.
This might be frustrating to managers, but permissioning and defining workflows that allow employees to clearly understand what data they can and cannot access, and what the legal consequences will be if they acquire it for their own purposes, is a critical step in protecting a fund’s assets from both internal and external breaches. “We are educating compliance staff as to the legal responsibility of the manager to ensure that the proper internal controls are in place and, importantly, clearly communicated to everyone working within the hedge fund,” comments Renzo Marchini, Special Counsel at Dechert LLP, speaking from London.
Improved service level agreements
Fund managers outsource numerous functions and share data with multiple counterparties; this makes them a unique and vulnerable target for hackers. Hedge funds can improve their cybersecurity profile by assessing a chosen service provider’s certifications, its data security and data destruction policies, and the number of successful penetration tests it has performed. In addition, service level agreements (‘SLAs’) can be strengthened to guard against one of their counterparties suffering a breach.
Indeed, another reason for managers to improve their cybersecurity risk management is that those very same counterparties could well impose tougher measures so that they themselves are not tarnished by a breach.
To stretch the point a little further, one could compare it to FATCA regulation where, if a manager or any financial institution does not have a Global Intermediary Identification Number (‘GIIN’), the bank simply won’t do business with them. A similar cybersecurity standard could be required – but this is thinking further down the road.
McNicholas sums things up by stating that cybersecurity is more than just policies and procedures. “It’s a legal risk management exercise,” he says. “There has to be some ongoing monitoring and oversight of information and the assets as they move within the hedge fund so that if there is a significant attack the manager has a paper trail of governance and awareness of the breach.”