Cybersecurity has become a focus of the hedge fund industry lately, and regulators are taking an increasing interest in assessing firms’ resilience to cyber attacks. The problem hedge fund managers face when starting such an assessment is finding the right level of response; no easy task given the plethora of reports and commentaries on the subject.
To help cut through the noise, the Hedge Fund Standards Board (HFSB) has put together a 10-page cybersecurity memorandum, due to be published later this month. Thomas Deinet is the CEO of the HFSB. He says: “You can find a lot of high-level frameworks for all types of firms in the marketplace to address cybersecurity concerns but there isn’t really a lot of hands-on guidance in terms of what hedge fund managers need to do.
“At the HFSB, our cybersecurity memorandum will attempt to bridge this suitability gap into a single document. It will, as such, detail a number of quick fix cybersecurity action items that managers can undertake, and outline some of the main cybersecurity projects to enhance firms’ resilience to cyber attacks.”
The HFSB’s approach is to add the cybersecurity memo to its existing toolbox. In the past it has, for example, provided guidance on the following:
- Standardised Board Agenda
- Administrator Transparency Reporting
“We feel that this latest memorandum should provide the right level of content to improve outcomes in the area of cybersecurity,” adds Deinet. “Cybersecurity is a never-ending learning curve for all industry participants; investors and regulators, as well as managers and service providers. It is a subject that requires everyone to stay on top of.”
One of the first, and most important, steps when thinking about enhancing the resilience of a cybersecurity programme is to determine what the firm’s crown jewels are. What are the key assets that need to be protected? The HFSB outlines various considerations in this respect, with Deinet noting that once the crown jewels (in other words, the most sensitive assets: trading algos, research and strategy notes, etc.) have been identified, the next step is to move into “the practical area of determining what some of the quick fixes are that managers can undertake”.
These are the cybersecurity projects that Deinet refers to above. They should include such things as emergency contingency plans and staff training and certification, and should be kept up to date as part of an ongoing exercise.
“One part of that is to develop a cybersecurity emergency contingency plan that can help managers to firstly think through the cybersecurity threats and then secondly to know what to do – and what steps to take – if and when a breach takes place.
“It is important that managers do not view this simply as an IT project. This spans other areas of the organisation and one important element of such a plan is communication and notification to stakeholders; communicating with employees and third parties including the fund’s investors, which might involve drawing upon legal advisers, the management company’s board of directors, even a PR firm. There might even be a need to communicate with law enforcement agencies and regulators so there are a number of considerations when drawing up such a contingency plan,” explains Deinet.
The memorandum will detail a range of technical action items, such as application whitelisting to ensure that only trusted software is executed on the operating system, and will also include a useful resource on what global regulators have been saying on the subject of cybersecurity resilience. This is particularly useful for managers as they try to make sense of where regulators’ expectations are heading.
“There are, of course, no specific regulations that pertain to cybersecurity,” says Deinet. “It is an area where the threats are evolving so fast that the techniques needed to counteract them are also necessarily evolving fast. As such, imposing detailed rules and regulations is probably not the best approach to improve outcomes in this area.
“Nevertheless, we have pulled together a series of links on all the main regulatory developments in respect of cybersecurity in one place to give managers a quick go-to resource on what the current climate is from a regulatory perspective. Obviously this is constantly evolving so we will update this resource from time to time. We will present our findings and recommendations at the IOSCO mid-year conference in October.”
One of the biggest challenges when discussing cybersecurity is that it is such a pervasive problem. It affects all companies, in all industries, and applying generic best practices within a hedge fund context is not easy. Indeed, even within the hedge fund industry, the range of firm sizes and strategies is enormous.
As such, the cybersecurity approach of a hedge fund manager might look very different from that of an investment bank with large online platforms, which faces completely different threats to its infrastructure and reputation. There is no one-size-fits-all approach.
“That is part of the learning curve for everyone, including regulators, in terms of understanding how different businesses have different needs to tackle these cybersecurity threats. Hedge funds are a different caliber of firm to investment banks, exchanges, clearing houses etc., that have their own unique requirements and resources. It is, therefore, important that managers take an efficient and targeted approach to addressing cybersecurity risks,” comments Deinet.
This is why the HFSB is putting the memorandum together: to give managers a reference guide.
Deinet says that the HFSB expects to present it at an institutional investor roundtable event in Washington DC on 17 September, and also at its Annual North American Assembly & Institutional Investor Roundtable in New York on 24 September.
“When putting the memorandum together we received a lot of input from cybersecurity practitioners and experts from the industry and we also talked to investors to understand how they view cybersecurity issues. We’ve had excellent input from around the globe.
“It’s important that we tackle cybersecurity collectively so that the hedge fund industry remains a sound and secure place that is resilient to these growing threats,” concludes Deinet.