Cybersecurity Risk Assessment for Fund Managers
11 January 2017
"Cybersecurity threats know no boundaries. That's why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC. Through our engagement with other government agencies as well as with the industry, and educating the investing public, we can all work together to reduce the risk of cyber attacks."
This pronouncement is attributed to Mary Jo White, outgoing Chair of the Securities and Exchange Commission (SEC). Rule 30(a) of Regulation S-P requires registered broker-dealers, investment companies, and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."
Firms that don't comply with the rule and then experience a data breach could suffer financial losses, SEC fines, loss of customer confidence and reputational harm.
For example, a recent SEC investigation found that an investment firm violated this "safeguards rule" over a nearly four-year period during which it had no written policies and procedures at all to ensure the security and confidentiality of personally identifiable information (PII) and to protect it from anticipated threats or unauthorized access. The firm then suffered a data breach in which customers' PII was stolen. On top of the cost of the breach itself, the firm agreed to be censured by the SEC and to pay a $75,000 penalty.
Developing and implementing a thorough set of cybersecurity policies and procedures is no small effort for a fund manager. Firms may be asking, "Where do we start?" or "How do we know we've covered everything?" The SEC, as part of its regulatory examinations of investment firms, now looks at cybersecurity policies and procedures and at how well they are actually being followed. The stakes are therefore high, and getting it right is critically important.
To answer these and other pertinent questions, the financial media company The Deal recently hosted a webinar on “Cybersecurity Risk Assessment for Fund Managers.” The panel of experts included Meghan McAlpine, Director of Strategy and Product Marketing, Intralinks; Sarat Mynampati, Director of Cyber Security Services, KPMG; and John McGuinness, Managing Director, Legal & Compliance, StepStone. Senior writer David Marcus of The Deal hosted the discussion.
The discussion covered a wide range of relevant topics, such as:
- What are the most important types of data and information that must be protected?
- What are some of the policies and procedures that should be used as a starting point?
- How does the human element impact cybersecurity?
- What is a “risk culture” and how does a firm build one?
- What kind of employee training will best help to create awareness and instill a sense of responsibility for protecting data and information assets?
- What is the right level of investment in cybersecurity?
Some highlights from the discussion:
“Given that the SEC has said this is one of their top issues, it’s important for firms to have strong policies and procedures in place, but a balance is needed,” said Meghan McAlpine. “You can’t lock down everything at your firm, so an initial step for fund managers is to figure out what their most important assets are and then work to put policies and procedures in place to make sure they protect those assets.”
"In terms of what is most important to protect – the 'crown jewels' of the organization – there are two types of data that are critically important," said Sarat Mynampati. "One is investment data, how your portfolios are looking, and algorithms that you have within your funds. Second is the client data itself and all of the personal information that you have. These two sets of data are very critical, both for the reputational risk and the value of the market itself, but also for the regulatory reasons as well."
"It's important to identify specific risks to your business," advised John McGuinness. "If you have a high volume of active traders, for instance, your PA [personal account] trading might be something you focus on a little bit more than a manager that tends to be in a less frequently traded type volume. It goes to building up a risk culture in the company and educating people about what the risks are. One advantage in this industry is that everyone is a fiduciary and is being held to a higher standard. It comes directly with that knowledge that everyone who is working at an investment advisor has that fiduciary duty to their investors. So that's a great guideline to bring home to people when you're trying to build up that culture."