US based hedge funds are finding themselves under more scrutiny with regards to increasing regulatory demands on adherence to Cybersecurity requirements. The SEC continues to release OCIE Risk Alerts that outline the multitude of requirements hedge funds need to be prepared to address, as well as disclose their specific solutions during audits. With regulations approaching, the question being asked is how far will the regulators take this, and ultimately who is responsible?
Many of the very large hedge funds have the capital to invest in enterprise grade security technologies as well as have an internal Chief Information Security Office (CISO) and/or Chief Technology Officer (CTO) on staff a mature information security program already in place, the vast majority do not. Thus, who owns the risk for Cybersecurity?
Over the past ten years the role and responsibilities of hedge fund Chief Compliance Officers (CCO's) have increased in scope and duty such that they now fill one of the most pertinent and visible roles at US hedge funds. Typically considered a role that manages the direct relationship between new regulation and the increased demands placed on their already existent compliance programs, CCO's are now trying to understand the expectations on them with respect to Cybersecurity. Over the past two years, the SEC has stepped up their expectations on hedge funds to prove they have taken proper measures to initiate, manage and disclose their internal processes as well as their technology footprint to ensure they are well protected with respect to Cybersecurity risks.
In 2014, the SEC surprised the hedge fund industry with the announcement of an examination sweep of 49 Registered Investment Advisors to better understand how these advisers were addressing the legal, regulatory, and compliance issues associated with Cybersecurity. In 2015, they published the results of this sweep, and followed it up with the issuance of an OCIE Risk Alert letter, which outlined 28 separate items that Advisors should be prepared to address in their next audit or examination. As the mandates are coming from a regulatory organization, this responsibility is falling to the CCO. While, the CCO is steeped in skills and knowledge of laws, regulation and development of process to adhere and comply, they now are responsible for security related technologies such as dual-factor authentication, intrusion detection and prevention systems (IDS/IPS), log management and incident response plans. As is typical in the hedge fund space, firms are looking to find solutions through outsourcing to third-party providers. Many service providers are evolving their products and services to capitalize on this now fast growing market. The challenge for the CCO is that while they can outsource the task, they are unable to outsource the risk.
While it does NOT make sense for CCO's to seek out new education degrees in Information Technology and/or Cybersecurity, it does make sense for them to better understand the five functions driving the Cybersecurity measures. The OCIE initiatives are based around a Framework Core outlined by the National Institute of Standard and Technology (NIST). The Five Functions are "Identify, Protect, Detect, Respond and Recover". All references and requests will tie back into one of these five Functions. While most CCO's will continue to outsource key Cybersecurity tasks such as Network/Firewall Management, Data Encryption, Penetration Testing etc.., it will be important for them to understand the specific Function these services tie back into, and develop / document internal processes to show adherence to the Functions, as well as to the various subcategories that groups such as the OCIE have extended into the hedge fund industry.
Further, it will be important to lean on the learning's of others, as well as those who have suffered ahead of them. The US Hedge Fund industry has always been a somewhat of a close community, where many industry groups have sprouted up to provide channels to share best practices and knowledge around operational and regulatory objectives. Lastly, it is good to take note of those instances where regulators have already taken action, as it is often beneficial to learn from the mistakes of others. Last year, the SEC settled charges related to Regulation S-P against St Louis Investment Adviser R.T. Jones Capital for failing to safeguard customer information. The SEC's press release quoted the Co-Chief of the SEC Enforcement Division's Asset Management Unit, Marshall S. Sprung, saying, "As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients' private information and they need to anticipate potential Cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs." The Order specifically notes that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt customer information stored on its server or maintain a response plan for Cybersecurity incidents.
In closing, the challenges for CCO's will continue to grow as the amount of responsibility continues to increase at a pace faster than the resources they have available to address and manage them effectively. With respect to Cybersecurity it will be important to leverage third-party technology and Cybersecurity experts. However, it will be equally if not more important for them to understand how these services help them adhere to the Regulatory Functions being outlined by the OCIE.