RFA (Richard Fleischman & Associates) is a leading technology and financial private cloud provider for the asset management industry supporting more than 500 global private equity, hedge fund, fund-of-fund and investment management firms.
To help organisations remain cyber secure RFA is able to advise on documented policies and procedures, technology solutions, as well as provide threat management to mitigate cyber risks.
"We have a set of policies that we create for our clients at the onboarding stage. These cover things such as disaster recovery, the vendor management process (understanding the complete supply chain when using third party IT vendors/cloud providers), as well as equip clients with the correct information for their investors so that they are able to answer cyber-related questions themselves with full knowledge.
"What we find is that some managers bring their IT specialist with them to investor meetings, which puts investors off because if you are the COO you should know everything about the firm's technology," comments George Ralph (pictured), Managing Director of RFA in London.
For start-up managers, this highly regulated environment can all appear quite overwhelming; indeed, in 2018, the EU is poised to introduce General Data Protection Regulation (`GDPR'), which will place even greater emphasis on firms to protect data and demonstrate proper compliance.
To help its clients implement sensible best practices, RFA has developed a risk management process that highlights between 20 and 30 technology risks in any given organisation, the results of which are then provided to the fund's board of directors.
"This means they have regular information on what the main risks are, what mitigating actions are being taken by the manager, and they can talk through those with the fund's investors. Outside of the finance sector, having such a risk management process is actually a standard requirement. If you don't you are failing best practice," says Ralph.
To cut corners, some managers will use industry guidelines such as those provided by the National Institute of Standards & Technology (NIST). The board aren't necessarily going to know if it's a template or not; they will assume they've been written.
But there are risks to being complacent with regards to developing a strong security posture. Investors are becoming more aware of the issues and national regulators such as the SEC are prioritising cybersecurity as a key initiative in 2016.
RFA is one of only a few certified bodies in the UK under the Cyber Essentials Plus scheme, a UK government-backed initiative to help organisations protect themselves against common cyber attacks.
"We do a cyber assessment, it's basically a top-level audit of the organisation to identify risks, and issue the client with a certificate. As part of this solution, we have a portal that clients can log on to and do a self-assessment, which contains around 200 questions," confirms Ralph.
He says that RFA will typically advise clients to conduct one of these audited assessments once a year, during which RFA will go through the responses the client has provided in the self-assessment, check the paperwork, run an intrusion test on the firewall, look at the policies on the firewall and so on.
"A lot of the answers we will already know if they are an existing client of ours. If it is not a client of ours, we would be far more granular with the audit," concludes Ralph.
