Cyber security has quickly become a headline risk for hedge fund managers. On 15 April 2014, the SEC issued its Cyber-Security Risk Alert, a detailed 26-point questionnaire that aims to address various elements of a hedge fund’s technical and operational infrastructure to determine how vulnerable it is to cyber attacks and data theft.
This initiative is being driven by the SEC’s Office of Compliance Inspections and Examinations. It will assess 50 individual firms and based on its findings will draft a set of final guidelines for hedge funds to adhere to. This is essentially a way to address ‘technology risk’ and implement best practices through documentation in the form of a Written Information Security Policy (WISP).
According to Assured SKCG Inc, an insurance advisory firm, 37 per cent of security breaches between 2012 and 2013 affected financial organisations. Hedge funds are a high profile target. Establishing a WISP and becoming as data secure as possible is critical.
At Eze Castle Integration, the phones haven’t stopped ringing as clients look to address any gaps in their IT infrastructure and operational policies.
“It wasn’t at the forefront of managers’ minds previously. It is now though,” says Lisa Smith (pictured), BCP/Data Privacy Manager at Eze Castle Integration. “Previously they put a lot of trust in their CTO, their service providers, to implement best practices around how to protect the firm. Now, rather than thinking someone else is taking care of it, there’s more emphasis on documenting everything and making sure that everybody is singing from the same hymn sheet.
“Everybody within a hedge fund should have a better understanding of what’s in place with respect to data privacy and infrastructure security. There needs to be firm-wide knowledge.”
A WISP acts as a blueprint. Just like the compliance manual, it sets all the firm’s internal policies and procedures covering everything from service provider outages to how often system passwords should be updated and so on.
“We start off by gauging where the client is. Do they have an IT policy? What type of infrastructure do they have in place? Fortunately for us, a lot of firms who have been calling us are existing clients so we have a good understanding of what they have in place. We as a firm follow industry best practices and implement those across our clients’ infrastructures,” explains Smith.
What Eze Castle is able to do in producing the WISP is apply their expertise (having already written dozens of WISPs for financial institutions) and paint a picture of how well a firm is protected against cybersecurity threats. This immediately overcomes the very real issue of ‘Key Man risk’. Say the CTO were to up sticks and join a competitor. If nothing has been written down and documented, nobody in the firm would have a clue as to how their IT infrastructure operates.
“Until it has been documented, everyone works off of assumptions,” comments Smith, who continues:
“We help put the controls in place to address data privacy. Some firms have documented this in their compliance manual, which we would make reference to in the WISP. It sets out a firm’s IT functions and applications and prioritises them.
“If a cyber attack takes place and impacts one system, having it documented means the manager will see where the impact is and what effect it will have on the rest of the firm.”