The U.S. Securities and Exchange Commission means business when it talks about requiring asset managers to ring-fence their companies against cyber security threats, according to Ryan Bateman, head of technology at Virginia-based asset manager Sands Capital Management.
“Cyber security is at the start of every client due-diligence meeting that I’ve been doing over the past six months,” Bateman said earlier this week at the Linedata Exchange. “Since the SEC’s notification went out, it’s become important from everyone’s perspective. When you’re talking to your executive team, talking to the board, it’s a reputational risk problem.”
Following a risk alert issued on April 15, the SEC began conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cyber security. The SEC also published a document outlining best practices a hedge fund must have from the standpoint of cyber security.
The examinations focus on each entity’s cyber security governance, identification and assessment of cyber security risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cyber security threats.
Bateman noted the harm that can be done to a business, and the number of customers it might lose, because of something caused by a third-party vendor, as was the case with Target. “From a reputational risk standpoint you have to invest extremely heavily in security,” said Bateman. “We have selected a third-party vendor as our chief risk officer, chief cyber-security officer that manages our systems. We have layers and layers of technology. We started investing at Sands Capital several years ago, well before it became a big topic of conversation.”
Hedge fund cyber security is a focus area, especially given recently renewed vigor from firms to beef up security in advance of the anticipated release of a Written Information Security Policy (WISP) for hedge funds based on the SEC’s Cyber-Security Risk Alert questionnaire distributed in April. This interest from firms to boost security in advance of industry guidelines represents a new level of concern for and protection from intrusion in the financial services space.
“As many firms are aware of cyber security, but do not take action or the necessary steps to protect their data, firms do not obtain updated software systems, have inadequate password conventions and firewalls, and do not know how to safely transmit confidential information,” said Joe Holman, CEO of Orangefield Columbus, a global hedge fund administrator. “With the right security and software, leakage of information and questioning the integrity of a fund can be prevented.”