By Jonathan Bohrer, President, Abacus Group
The investment management space is highly regulated, with the SEC leading the way in the US, the FCA in the UK, and many other oversight bodies operating globally. As is the case in any regulated industry, this oversight brings many benefits, helping to maintain stability in the investment space and to protect the interests of participants.
Basic reporting requirements that monitor systemic risk across markets are common to global regulators. These requirements give regulators visibility into private fund activities, such as key asset holdings and other investment-related reporting, including public disclosure of the securities that large institutional investors hold, which is intended to prevent insider trading.
Just as important as what regulators do require is what they don’t. Of particular interest here is the topic of cybersecurity “compliance” and the common misperception that regulators insist on investment managers employing an independent third party to assess and administer cybersecurity programs.
In fact, most regulators recommend “good hygiene practices” for cyber, and in many cases have put out guidelines for how managers should conduct their operations. However, at no time has any regulator suggested, or required, third-party independence to achieve any of these goals.
One noteworthy new development is the recent decision by the US SEC to withdraw its proposed cybersecurity rules entirely, along with 13 other rule proposals, undoubtedly influenced by the “smaller government” posture of the current political administration.
While we applaud the government for recognizing where its reach should end, we heavily support the implementation of the proposed cyber rules for any investment manager wishing to operate a safe, secure, and responsible technology stack.
For these managers, though, one of the key questions is what approach to take in building and maintaining their IT and cybersecurity estate. With the argument that regulators require a separation of IT and cybersecurity functions now debunked, the case for a unified provider approach comes through much more clearly.
There are significant benefits to leveraging your MSP or your internal IT team to perform cyber governance and assurance, and substantial downsides to using a disconnected third party for these functions.
For instance, one of our ‘competitors’, a cyber consultant, sent a notification to the clients we share with them, flagging a suspicious email impersonating an SEC official as a “watch out”.
This is a remarkably “old tech” approach to cybersecurity. Abacus’ systems had already identified and quarantined the malicious emails without harming users or disrupting their daily workflows. It is another compelling example of why a singular, harmonized, action-driven cyber MSP is now the most effective form of cyber hygiene for investors.
The truth is that any manager with a material amount of assets under management (greater than $150M) needs to be laser-focused on cybersecurity risk assessments, vulnerability scans, GRC documentation, and responsive, live remediation actions. In this context, to drive efficiencies and keep systems secure, the team responsible at a firm for overall IT delivery, networking, and cloud engineering clearly also needs to be the team entrusted with cyber governance. That’s because they are best positioned to design a secure systems architecture, patch it, monitor it, and remediate against threats in the quickest, most informed, and most efficient manner.
After all, these teams live with the firm’s technology day in and day out, which gives them the most contextual perspective possible. By contrast, an independent third party only sees the environment through the single vector from which they approach it. In addition to their limited perception, their hands are virtually tied when it comes to enacting defenses or mitigating open risks.
The inefficiency of a third party having to first contact the MSP or internal IT team is like ordering a package and finding that it gets passed through multiple couriers, with delays and errors at each handoff. Compare that with a single driver collecting your parcel and heading straight to your door, delivering exactly what you need quickly and efficiently.
The investment management world stands alone in the narrative that there needs to be a third-party cyber assessor. In all other industries, trusted MSP/MSSPs shoulder the burden of performing these functions.
The heavily regulated medical services industry is a case in point. It is burdened with HIPAA data requirements that are even more onerous than those in financial services.
MSPs in the healthcare sector provide the full spectrum of IT and cybersecurity services in a seamless and efficient manner, resulting in a holistic cybersecurity experience for medical customers, with no third parties required.
Moreover, in our own financial space, we can point to a material portion of our client base that uses Abacus IT services as well as cybersecurity services and enjoys a highly functional, seamless experience each and every time.
To learn more about the benefits of a unified MSP/MSSP like Abacus Group, download our eBook.