As cybersecurity risks have increased world-wide, both the SEC and the NFA have dictated that hedge funds and private equity funds have a plan to assess, manage and address risks and incidents. The security threat to private funds is real for all types of funds, big and small, complex and simple. However, cybersecurity planning for this group must be individualized to a great extent due to the wide range of IT configurations that exist. This article will discuss the required elements of cybersecurity planning as they relate to a variety of typical private funds, including hedge funds and private equity funds.
Element 1: Governance: Regulators are anxious to see some sort of governance process in place around cybersecurity issues. Should this be a committee? An individual? Out-sourced or in-house? Often with very small fund groups, the ability to convene even a meeting, let alone a standing committee, is limited. Larger groups may pull in a variety of personnel into a committee, but often their specific expertise in technical areas is limited, making meetings unproductive and sometimes counter-productive. Having a technical expert as oversight can be a good solution for many groups.
Element 2: Security and Risk Analysis: Whether this analysis is difficult or easy will obviously depend on the complexity of the firm’s IT set-up. Particularly in the private equity area, we see some fund groups with extremely simplistic IT. A typical “simple” fund group might have all these elements: cloud-based document retention, one office, one network, limited personnel access to data, outsourced IT provider, limited use of specialized software and mobile devices, reliance on an administrator to handle investor data, and just a landing page for a website. On the opposite end of the spectrum are the “complex” firms, whose IT configuration may involve: multiple offices, multiple networks and multiple party access to data, internal IT staff, firm-created or modified software, heavy dependence on Firm-controlled mobile devices, internal marketing functions accessing investor data routinely and a firm website with changing content and investor access. Penetration testing and employee vulnerability testing (aka “phishing testing”) are often discussed as part of the risk analysis, however there a various types of testing and in-depth testing may not be necessary for the simpler firms. In sum, the degree of a firm’s complexity will determine the depth of risk analysis that needs to be done.
Element 3: Security Protective Measures: All firms must assess their risks and implement appropriate protective measures. However, the simple firms will require less in the way of protection than the more complex firms. Add a firewall? Segment the network? Add back-up and encryption functionality? Real-time system monitoring? Patch software? Enforce password protocols and upgrade authentication methods? Perhaps all of the above, or maybe just a few changes are necessary.
Element 4: Incident Response and Recovery: Firms need a plan to respond to, and recovery from, a cybersecurity incident. All firms need to document cybersecurity incidents and in some cases report them to appropriate authorities. However, simply defining the term “incident” may vary at different types of fund groups. And, once defined, a more formalized team response may be required at a more complex firm, while less of a process may be in place at a simple firm. Simpler firms will tend to rely more on out-source IT resources, while others may have internal personnel specifically devoted to this function. Note however that within the realm of IT personnel, the ability to respond and recover from a cybersecurity incident is not a skill that all IT employees will have: this can require a highly specialized response.
Element 5: Employee Training: Cybersecurity training needs vary widely, depending on the degree of vulnerability that employees exhibit. Training can range from general infrequent sessions for all employees to specialized training for IT personnel.
Element 6: Due Diligence on Third-Party Service Providers: Firms must determine which service providers warrant review, and which do not. Further, if due diligence is to be done, the firm must determine what level of review is necessary, i.e., in depth vs. cursory. Firms utilizing mainstream service providers may be able to rely on standard documents such as SSAE reports, while other providers will require a closer look. Depending on the mix of service providers utilized, fund groups may be facing more or less of a due diligence project.
In conclusion, the key to putting in place an effective cybersecurity program varies widely,
and it is important for all private fund groups to tailor their programs according to their specific needs.
