News / Cybersecurity Challenges for Investment Managers

July 12, 2017

The following article originally appeared in Hedgeweek’s special report: Cybersecurity in Europe 2017.

The Cybersecurity phenomenon has completely changed the game in both the investment management industry and the broader financial services sector. Attacks on fund managers, investment advisers and other fiduciaries (“Fund Managers”) are increasing in frequency, sophistication and severity. And both the regulators and the investor community have been paying close attention.

To responsibly manage Cybersecurity Risk, Fund Managers need to, at minimum:

  1. Understand certain existing legal obligations and an evolving regulatory focus;
  2. Comprehend fundamental IT and technology principles;
  3. Monitor evolving threats, technologies and attack protocols;
  4. Appreciate its data use and information workflows; and
  5. Simultaneously manage its employees’ training needs, its vendor controls and its investors’ expectations.

Align Cybersecurity™ solves all of these challenges.

The Legal Landscape and a Mounting Regulatory Focus

As it stands today, Cybersecurity law consists of a crazy quilt of federal, state and international laws and statutes, which is further complicated by additional industry-specific rules and best practices, together creating a body of jurisprudence that is disjointed and convoluted. Similarly, since early 2014, we’ve seen regulatory initiatives demonstrating that Cybersecurity is squarely in the crosshairs of investment management regulatory bodies, including the SEC. Examples include the SEC’s recent “Cybersecurity Sweeps,” its triaging Cybersecurity as a top regulatory priority for the last four (4) years running and its recent enforcement actions activities, which have induced at least one seven-figure settlement.

And yet the elements of constructing a model Cybersecurity Program remains
unclear, leaving Fund Managers struggling to understand their legal, compliance and fiduciary obligations.

“Clearly, ‘Cybersecurity Preparedness’ is viewed by the regulators as both a core control and a minimum standard, yet one which they refuse to define, said John Araneo, managing director, Align Cybersecurity, and general counsel of Align. “The guidance provided to date has been largely principals-based, failing to provide a clear construct on precisely how to design an unimpeachable Cybersecurity Program. Unfortunately, in the absence of any bright line rules or black letter law espousing the required elements of a sound Cybersecurity Program, Fund Managers have been left scratching their heads on how to comply.”

The Cat-and-Mouse Game of Cybercrime

Cybercrime has evolved into a vexing cat-and-mouse game: criminals make a move, you counter it, they counter your counter, while damages accrue. Cybercriminals don’t just target technology, they target human flaws through myriad vectors of attack, including phishing, business email compromise (BEC), malware and ransomware. WannaCry and other devastating ransomware outbreaks have taught the world that cybercriminals gain an upper hand due to a false sense of security, lack of training and obsolete systems. Fund Managers must remain informed of these emerging and evolving risks as they develop.

“In the new era of Cybersecurity where threats are omnipresent, Fund Managers require a comprehensive solution that enables firms to stay one step ahead of cybercriminals,” said Vinod Paul, COO of Align. “Align launched Align Cybersecurity specifically to fill this void in the investment management space and recently assembled an elite team of Cybersecurity subject matter experts encompassing legal and compliance, IT and technology and security protocols. Our Cybersecurity Advisory Services offer an unparalleled suite of solutions, helping Fund Managers design customized Cybersecurity Programs that will satisfy regulators, please investors and empower employees.”

Read more on cybersecurity planning for fund managers and financial firms: