As a general matter, risk management is a critical practice for fund managers, allowing them to mitigate risk, achieve sustainable outperformance, and attract and retain assets and investors. In the past, risk management was typically an exercise practiced by larger, institutional-type investment banks such as JP Morgan and Citi, but since the 2008 financial crisis it has become a trend across all types of financial institutions.
After the 2008 financial crisis many institutions, whether asset managers or institutional investors, began to focus on risk management seriously after suffering heavy losses. Since that period, it has been generally accepted that cybersecurity presents not just a systematic risk, but an existential one.
The primary focus of this article is to expound specifically on Cybersecurity Risk Management. Below are some of the recent compliance and cybersecurity trends that are alive and well in the alternative investment space and the broader financial markets and which have, seemingly overnight, been placed squarely on the shoulders of today’s hedge fund manager.
Recent Compliance and Cybersecurity Trends:
- EU General Data Protection Regulation (May 2018): The new GDPR standards for processing, storing and securing the personal data of EU citizens will have far-reaching influence and the threat of potentially significant fines; even if you don’t work extensively within the EU, expect this move to inspire regulation elsewhere.
- The Securities and Exchange Commission (“SEC”) Doubles Down (2017): The SEC’s Cybersecurity Examination Unit was bolstered by its newly minted sibling unit, the SEC Cybersecurity Enforcement Division, which aims to enforce the SEC’s rapidly developing cybersecurity policy.
- New York State Takes the Regulatory Lead (2017): In 2017, New York became the first state to set minimum cybersecurity standards (23 NYCRR Part 500), affecting banks, insurance companies, and financial services institutions (each a “Covered Entity”) and, albeit to a lesser extent, the various entities that provide services to these Covered Entities. Companies will likely still be scrambling toward compliance, and similar measures in other states may soon follow.
- Evolving Framework and Emerging Security Standards: Standardization is not always tied to legislative enforcement. For example, organizations such as the National Institute of Standards and Technology (“NIST”) provide a helpful, research-driven cybersecurity framework and guidelines as the cybersecurity landscape continues to take shape.
Every fund manager needs to understand the legal, compliance and fiduciary obligations connected with Cybersecurity Risk Management and to engage in the process of designing, implementing and periodically assessing a framework of cybersecurity policies, procedures and controls (a “Cybersecurity Program”). Unfortunately, in the absence of a concerted body of regulations that explicitly sets out the fundamental ingredients of a sound cybersecurity program, fund managers are left uncertain about how to comply.
The following are essential elements to implementing a successful risk management process:
- Identifying and quantifying risk: Start by uncovering and identifying risks, for example by brainstorming, and working out how each might affect projects and their outcomes.
- Analyzing the risk: After identifying the risks, the next step is determining how likely each of them is to occur, through qualitative and quantitative risk analysis.
- Evaluating the risk: Simplify the list of risks by categorizing them based on their importance. Classifying risks will help you prioritize those that require immediate attention.
- Treating the risk: In this step, you mitigate the risks that ranked highest in order to reduce the overall risk level.
- Monitoring and reviewing the risk: To ensure that your efforts are working effectively, you need a detailed monitoring process.
Align Cybersecurity’s unique methodology, applied through its comprehensive Cybersecurity Risk Management solution, offers regulatory-compliant solutions that are continuously monitored, tested and evaluated. Our multi-disciplinary team of subject matter experts is uniquely qualified to provide Cybersecurity Advisory Services across technology, operations, compliance, HR and governance, to help you detect risks and identify and manage threat points. To speak with an Align Cybersecurity expert, schedule a free consultation.
Download our whitepaper, Cybersecurity 101 for Fund Managers: Designing a Cybersecurity Program, to learn more about:
- The legal and regulatory landscape
- The regulators' cybersecurity initiative
- Key elements of a fund manager's cybersecurity program
- How to demonstrate to regulators and the investor community your firm has “cracked the code” on hedge fund cybersecurity