Cybersecurity: A Key Area of Focus for Hedge Funds
11 March 2015
Audit-readiness is top of mind for alternative investment firms as regulators reveal examination priorities for the year ahead. Separately, in January, the SEC and FINRA each identified cybersecurity preparedness as a key area of focus for 2015 exams.
The fact that two regulators are tackling the same issue separately means that general partners (GPs) should raise the urgency level on cybersecurity and begin thinking about how they can lock down their IT infrastructure and retrieve the required list of documents for examiners.
Examinations Target Never-Before Examined Investment Companies
As an extension of last year’s exam initiative, the SEC has stated that it will continue to carry out risk-based assessments of funds that have been registered for more than three years but have not yet been examined.
Investors May Ask Questions, Too
On February 3, the SEC issued findings from last year’s cybersecurity examination sweep. Investors were sent an alert with the results, which is sure to raise questions from limited partners (LPs) around the legitimacy of the fund’s cybersecurity strategy. In addition to providing a response to examiners, be prepared to relay that response to the investor community as well.
Prepare for a Quick and Detailed Audit Response
An audit is only successful if essential documents are readily available. Even if a firm’s networks and information are truly locked down, if the chief compliance officer (CCO) isn't prepared to deliver required information to examiners quickly and accurately, this could lead to an assumption that the fund’s security strategy may be undisciplined — potentially resulting in a compliance failure.
The following are questions CCOs should consider to better position a fund for a quick and detailed response to an audit:
- Have you checked for weaknesses in your cybersecurity plan? In a previous post, we gave you tips for building a comprehensive security plan. This includes defining best practices and establishing a procedure for internal governance. Commit the resources to train your employees now, because without their compliance, any security plan could fail.
- Do you know where to gather key documents an examiner might request? Work with your internal IT department and/or outside vendor to conduct an organization-wide audit of your data assets. What information about the fund is being shared internally and externally with third parties? Document- and user-level permissions, which capture audit trails, automate back-up for a single file, and offer admin reporting, can help to automate this process.
- How do you ensure your IT vendors comply with internal compliance processes? Be proactive and sit down with your service providers to figure out what a response to the SEC’s sample audit questionnaire might look like. Consider drawing out the vendors’ certifications, data security and de-construction policies, and number of successful penetration tests, and ask for a site visit to assess the vendor’s infrastructure (if the vendor will allow it).
Kylie Horner is an Associate in Strategy and Product Marketing at Intralinks. She is part of the team responsible for determining go-to-market strategies for the debt capital markets and alternative investment businesses. Prior to joining Intralinks, Kylie worked in marketing and communications at ACTIV Financial, a financial information technology firm. She graduated from the University of Colorado at Boulder with a degree in Journalism, and a specialization in global media.