Hedge fund data: a business that is torn between two radically different forces. On the one hand, there is the instinct to share data in order to improve transaction processes: fund managers and investors demand open networks from service providers like administrators, while the service providers themselves are working more closely together, communicating information between the critical parties to a transaction into a hedge fund.
On the other hand, the exposure of networks creates opportunities for cyber crime with the attendant reputational risk this entails.
How, then, can fund managers, investors and service providers reconcile the conflicting demands of cyber security with the obvious cost savings offered by outsourcing and the use of the internet to deliver mission-critical data? How can we be confident that orders are being securely managed between counterparties when we are being asked to interact with different firms with varying levels of cyber security protocols?
In Comada’s three-part series on cyber security, we’ll be looking at some of the critical issues that the alternative funds industry needs to address as a matter of priority. In this, the first instalment, we look at what needs to be included in a cyber security policy.
Your cyber security policy – are you ready?
Being aware of the risks is a continuous exercise: Comada, as a provider of secure solutions, communicates regularly with experts who can provide up-to-date guidance and planning. Strategies are also developing within the hedge funds industry to limit bilateral connectivity, thereby reducing cyber crime risks.
We understand that investors and managers face a rapidly changing security situation. On top of that, regulators and operational due diligence professionals are adding cyber security to the list of business items they wish to inspect. Lack of an informed and enforced policy will create problems for firms in the very near future.
Here are some guidelines to good cyber security policy practice:
- Ensure your policy is prepared in consultation with external professionals, and that it is detailed, including organisation and staffing issues, and how it applies to your clients and across your organisation. Make sure it includes who is responsible for ensuring security, how staff are expected to comply, how you vet personnel, what your password protocols should be, and how you ensure secure access to email, VPNs and your servers.
- Make sure your staff are properly trained: human error is frequently the source of problems, regardless of how tight your policies are. How is desktop software updated? How is anti-virus software installed and updated? How is this process managed, and how much is the individual employee expected to do?
- It is important that external vendors are made aware of security policies, and that they can adhere to these. They should be aware of their responsibilities under the policy.
- As Software as a Service (SaaS) has become an increasingly relevant solution for participants in the industry, your policy should incorporate your SaaS vendors, and make sure that they can respond effectively to your regular security audits and are able to implement their services securely.
- Cyber security threats are not simply external – internal data management is also critical. Drafting a policy may also be an opportunity to revisit internal access protocols. Firms should be aware of who among their employees has access to different pieces of data. Should all your employees have universal access to all your data? Why? Your security policy should govern who has access to software and data, and ensure that access cannot be acquired by mistake. This may be harder to achieve in smaller firms like individual hedge funds or family offices, but it can be useful to leverage SaaS applications that were developed for larger firms and are now within the price range of the smaller market participant.
- As when driving a car, you partly rely on the competence of other road users, but you must still be vigilant. Make sure your policy covers the standards you expect of the firms you deal with, that they are reputable and that they vet their own staff.
In our next bulletin we will look at some of the practical applications available for firms in the alternative investment industry that want to make themselves more secure. How does this all work in practice?
If you would like to receive regular updates from Comada or are interested in speaking to us about our SaaS applications for hedge fund investors, administrators, custodians and TAs, please contact Stuart Fieldhouse (Europe) – sf@comada.com, or Dave Shastri (North America) – ds@comada.com or call +1 441 234 4300.