Understanding your responsibilities

Originally published in the March 2016 issue

To get a sense of how big an issue cybersecurity is these days, you need only turn on the news. It seems that every week another household brand suffers a major breach. In the past 12 months alone, Lloyds, Barclays, and JP Morgan all lost customer data, cyberterrorists triggered a flash crash on NYSE, and the 2014 HeartBleed bug compromised tens of thousands of websites. The age of the cyber threat is well and truly here. Yet this wall-to-wall coverage can create the impression that cybersecurity is mainly the province and concern of the big boys. While it is the major attacks that make the headlines, more than 60% of all cyberattacks are targeted at small businesses, and, in the US at least, one in two small firms report having been targeted. This makes sense, for the same reason that smaller businesses are more likely to be targeted by criminals – less security provides more opportunities.
As a result, the issue is high on the regulatory agenda across the globe, with authorities all emphasising its importance. The drive is perhaps most explicit in the US, where the government is spearheading efforts to combat the threat through the Comprehensive National Cybersecurity Initiative.

The SEC, CFTC, NFA and FINRA have all taken steps to strengthen their cybersecurity capabilities – expanding and updating their guidelines and requirements to match. Since 2014, the SEC has also been running a series of inspections and examinations with a focus on technology and cybersecurity preparedness, with the latest round of examinations announced in a Risk Alert in September.
In Asia, regulators are making very similar noises. At the tail end of last year, Hong Kong’s SFC issued a circular relating to cybersecurity risk, outlining the policies and procedures firms need to have in place, and making it clear that licensed businesses are expected to conduct regular self-assessments of risks and controls in this area.

More recently, Hong Kong and Singapore’s monetary authorities have both issued letters to financial firms re-emphasising the importance of cybersecurity risk management. These warnings chime with the actions of governments in the region, many of which have established specific cybersecurity agencies over the past two years.
In Europe and the UK, activity has been more subdued. But it would be a mistake to take this as a sign that the authorities are more sanguine about the threat. While the EU announced a new Cyber Security Strategy back in 2013, the FCA has not said much explicitly.

However, the FCA does in fact have a policy on data security, dating from when it was the FSA. The advice and guidance still stands. It makes clear that firms should take data security very seriously, that it will be reviewed as part of normal supervision, and that poor data security practices can result in enforcement. Although no new guidance has been provided by the FCA, its update – FCA Risk Outlook – makes it clear that cybersecurity is high on its agenda.
Minor differences aside, it is clear that regulators the world over are more or less singing from the same hymn sheet on this issue, and for good reason: as the news should make clear, the more sinister cyber-threats are quite literally an attempt to corrode our society’s ability to properly and reliably manage money and information. Even the smallest financial firms are home to incredibly sensitive personal and financial data. This is fast becoming a major concern for investors, and the regulatory agenda simply reflects this.
So what do hedge fund firms need to do? Depending on the jurisdiction, most of the rules and regulations regarding various data security practices have been in place for some time. Data protection, privacy laws are already well established and have been for some time. Many firms will have had recovery plans as well as privacy, office security and mobile policies – to name a few – at varying levels. But historically (and in many cases currently) these policies have become disconnected and partial, and not all necessarily pulling in the same direction.

The focus and challenge for US firms since the onset of the SEC examinations has been to pull these disparate threads together (enhancing and extending them appropriately) into a cohesive and comprehensive Written Information Security Policy (WISP). This should be a priority for non-US firms too.
What should this involve? It is to some extent an inventory – an assessment of all the ‘points’ within your firm that present a potential security risk. Desktops, mobiles, laptops, servers, information on the cloud – firms need to have a clear view of how their security policy covers all these bases. Proper, retrievable documentation is incredibly important. When the regulator (or an investor) comes knocking, you will need to be able to immediately show, in detail, the steps you are taking to ensure that clients’ data is secure.
A policy needs to protect against external threats. This means multiple layers of security, regularly scanning internal devices, assiduously keeping software up to date, removing server banner information, having an outbound as well as inbound firewall, and more.
But this is far from the whole picture. The biggest risk area for any firm is internal, namely the actions of your own employees. Employee behavior – intentional or unintentional – is responsible for nearly 40% of all information leakage.

For example, in a real-life case scenario, a firm took a flash drive, put a sticker on it reading, ‘discretionary bonus information’, and planted it in the break room. Within hours it was gone. The simplest procedures can prove the greatest weakness, and while clever technology is the first thing that typically comes to mind when we think of cybersecurity, less glamorous operational measures are just as – if not more – critical. This means training and education, clearly communicated policies, and looking out for odd employee behavior patterns.
Getting the right policies, procedures, training and technology in place is step one. It needs to be tested, ideally via a third party, to see if it actually holds. A WISP that only works on paper is worthless, and the regulator will certainly test your systems itself. As the above examples show, there is a gap between even the most clearly stated policy and a successful culture of compliance. Another aspect that sometimes gets overlooked is that your protections and policies need to extend beyond your own firm. You are ultimately responsible for your own and clients’ data, and if in the course of your business, you share your data with third party providers, you may still be responsible for ensuring the security of that data.

It is your responsibility to ensure that the third party has adequate security and procedures in place, and that those conform to the standard set in your own WISP. This needs to be carried out at the start of any relationship, via the terms and agreements. Of course, terms and agreements are not always followed, but this must be another due diligence consideration when working with third party providers. Do I trust this company with my firm’s data?
There is a lot to consider when it comes to ensuring your firm’s cybersecurity policies and infrastructure, and far more than can be covered comprehensively here. Speaking to your IT provider and compliance advisor can be good first steps. But the message is clear: it is a priority. It is a priority for your investors, it is a priority for the regulator, and it should be a priority for you.