With the Securities and Exchange Commission now requiring registered investment advisors to prove they are doing their best to reduce the risk of data and other security breaches, hedge fund managers are quickly waking up to the need to assign a dedicated chief security information officer (CISO) to the task.
Although the SEC’s guidelines apply to all registered fund managers, hedge fund management shops are often the most vulnerable to cybersecurity risk because of their secret sauce — the valuable information on trading strategies — and their list of prized institutional investors. They also often store their critical data in an external location, where they may not have complete control over security measures.
Under the SEC’s new, more rigorous oversight, hedge fund managers of all sizes must now ensure that their external and internal network connections can withstand a breach from two common threats — malware that creeps into the system when downloading emails or files, and unauthorized internal or external access to a data application. If they don’t, they face financial losses, reputational risk and regulatory fines.
In an April 15 communiqué issued by the Office of Compliance, Inspections and Examinations (OCIE), the securities watchdog said that one of the questions it would ask during annual exams is whether hedge fund managers have appointed a chief security information officer. Even if the position doesn’t formally exist, they will need to disclose who is in charge of cybersecurity. This would include setting up the policies and procedures, monitoring internal networks and applications, overseeing external service providers and correcting any breaches immediately.
Although the SEC isn’t requiring a CISO be appointed, hedge fund managers are still edgy, expecting the worst during examinations. Five US hedge fund management firms, speaking with FinOps Report, say they have struggled with the choice of a CISO.
“Somebody has to do the job, sign off the work was completed, and face the consequences if it isn’t,” one compliance manager at an East Coast hedge fund tells FinOps. “We’ve been through some heavy-duty internal discussions that made us aware that this position isn’t like other compliance positions, because it’s only incidentally about operational and financial risk. This is really about the technology.”
Who the hedge fund management firm selects appears to depend on the size of the firm as well as the types of investors and range of risks involved. “Smaller to mid-sized hedge fund managers might automatically pick the internal chief technology officer, while larger ones — those with over US$1 billion in assets under management — would appoint a separate dedicated cybersecurity officer. Others might outsource most of the work but retain the title in-house with the CTO,” says Jay Baris, chair of the investment management practice at Morrison & Foerster in New York.
Finding the person with the right combination of technical, operational and legal acumen isn’t easy. The cost of a dedicated cybersecurity officer might be prohibitive to all but the largest hedge fund managers, yet the most obvious lower-cost alternative — the chief technology officer — isn’t necessarily the best choice. Granted, the CTO might initially be pleased with the prospect of an additional title and pay raise, but that doesn’t mean he or she can or will even want to do the job, caution some cybersecurity experts.
“CTOs might understand technology applications and data flows within the fund, but that isn’t necessarily the same as expertise in preventing data breaches or stopping cybersecurity incidents,” points out Eldon Sprickerhoff, chief security strategist for eSentire, a cybersecurity services company specializing in alternative investment funds.
Bottom line: the CTO will likely need help, and the assistance could come from cybersecurity specialists for hire. “There are multiple options depending on the internal capabilities of the hedge fund management firm and how much work it wishes to outsource,” explains Yigal Behar, chief executive officer of 2Secure, a New York-based technology firm specializing in cybersecurity risk. “In some cases, a hedge fund manager will only want an assessment and testing to be completed by a third-party provider, while in other cases it might ask for the provider to also craft the documentation on rules and procedures.”
As is the case with all outsourcing agreements, there is no outsourcing the ultimate legal liability. That remains with the hedge fund management firm. “We are tasked with providing assistance but do not take on the task of outsourced chief cybersecurity officer,” cautions Behar. “The CTO would still be responsible for signing off that all the work was completed correctly.”
Such a responsibility may have some candidates for the CISO position postponing a decision until they talk to their attorneys. While CTOs are clearly C-level executives, until now they have not experienced any personal risk of regulatory enforcement actions. Granted, their jobs might be on the line in the case of a serious error, but that’s a far cry from being whammied by the SEC down the line for negligence.
Chief Scapegoat Officer?
While it remains unclear whether the SEC would take personal action against a CTO or other designated official deemed responsible for inadequate or faulty cybersecurity procedures, the recent history of compliance officers singled out for censures and fines cannot be comforting. Observing that the term “chief scapegoat officer” has been discussed by worried candidates for the CISO roles, Sprickerhoff warns, “The CTO or other executive needs to think twice before taking on the added work, because of the compliance ramifications.”
Are CTOs worried? The CTOs at the five hedge fund management firms surveyed by FinOps certainly admitted to being a bit apprehensive about meeting the SEC’s standards. “Based on the fact that the SEC is using a new official title to describe new legal responsibilities, we have concerns that it will penalize individuals the same as it has chief compliance officers,” says one CTO at a hedge fund management firm. He points out that CISOs are specialized compliance officers, the same as chief anti-money laundering officers who have been penalized by the SEC.
But CTOs aren’t the only ones being tapped to take on the work of chief security information officers. In fact, given that expert cybersecurity assistance is available, risk managers might be far better candidates, says Larry Wagner, principal of the financial services practice at management consultancy Navint in New York. The reason: managing cybersecurity risk is just that — managing risk. And who better to do so than the chief risk officer?
So instead of the CTO running the cybersecurity show, the CRO would do so. Under such a scenario, the CRO could be in charge of the overall program, while delegating the evaluation and correction of vulnerabilities, as well as devising any necessary policies and procedures and ensuring they are frequently reviewed.
Of course, the CTO would still be responsible for a lot, including analyzing, installing and testing any new software applications. The CRO would likely turn to the chief compliance officer to create the appropriate documentation — or manuals — outlining just what policies and procedures are being used and how they will be tested. Such documentation must also include a gameplan for rapid response when a breach is discovered.
Playing Well with Others
“Regardless of who the firm selects as the chief cybersecurity officer, the role ultimately requires an in-depth understanding of technology, risk and compliance, while providing collective intelligence to the business,” explains Brian Lozada, director of information security for hedge fund technology provider Abacus Group in New York. “As it would be difficult for one individual to have equal experience in all three, whoever is selected would still need to work with their peers.”
Of the five hedge fund management firms contacted by FinOps, three have decided or are leaning toward naming their CTO to handle the SEC’s laundry list of functions involved with handling cybersecurity risk. One firm will depend on its chief risk officer and the other on its chief compliance officer. Two firms are going to outside consultants for further help. “Ultimately, it will become a collective effort,” acknowledges the CTO of a hedge fund, who now holds the title of chief cybersecurity officer as well.
However, CCOs, CROs and CTOs often butt heads when it comes to policies and procedures. CCOs and CROs typically err on the side of caution, while CTOs are often left holding the bag in terms of implementing the technology to support their decisions. One of the CTOs who spoke with FinOps also mentioned the thankless job of dealing with budgetary constraints imposed by the chief financial officer in the “no excuses” environment of an aggressive hedge fund.
As a result, CTOs may consider themselves second-tier C-level executives. The same might be true of chief risk officers: the recent financial fiascos at prominent fund management shops provide plenty of evidence that CROs are often the last to be heard or don’t make their voices heard loudly enough.
While CCOs may win the respect of their chief executive officer, there may not be so much respect from business line units who must follow what they consider to be cumbersome rules. If CTOs feel underappreciated, and CROs feel unheard, CCOs may well feel maligned.
Given such sentiments and the potential personal liability of whoever takes on either the official title or just the responsibilities of the chief cybersecurity officer, it stands to reason that hedge funds had better plan to provide more corporate resources, as well as the person to do the job. That means not only broad executive support and the appropriate budget to hire consultants and purchase the necessary technology, but also the necessary enforcement clout.
Such resources must come from the top, from a chief executive who will not only allocate time and funding, but also demand top-to-bottom cooperation in the firm. A no-nonsense tone in emails and official memos to each manager and employee should communicate that cybersecurity policies are mandatory and errors are not acceptable.
“It all comes down to risk awareness that needs to be trickled down to all employees,” says Behar. “Regardless of who takes on the CISO function, a cybersecurity specialist can’t do his or her job, if the CEO remains ignorant of the potential risk involved with failing and just how easy it is to do so.”
For the notoriously secretive hedge fund sector, wanting to keep their systems and data safe is natural, but the pressure being exerted by the SEC may push them into thinking a lot harder about day-to-day precautions. “It’s not about if it will happen, but when it will happen,” cautions Lozada. “An ounce of prevention in the form of vigilance will go a long way.”