ACA Aponix, a division of ACA Compliance Group, provides financial services firms with a 360-degree, independent approach to technology risk and governance. The ACA Aponix team conducts comprehensive risk assessments to help fund managers identify potential gaps and vulnerabilities in their information security framework in order to mitigate associated risks to their business.
At a high level, the ACA Aponix product offering involves performing risk assessments, mock audits, vendor due diligence, network penetration testing (both internal and external), training (which includes phishing exercises), tabletop exercises, and helping clients produce a Written Information Security Programme (WISP).
Vendor risk is one of the biggest concerns of clients currently. Many service providers may have access to managers' IT networks and data, and whilst in the past this was not generally regarded as a risk to their organisations, that is no longer the case.
Consequently, over the last year ACA Aponix has expanded its due diligence practice, hiring a new director to further strengthen that side of the business as clients look to keep a closer eye on their service providers.
"Many of the recent high-profile hacking episodes have involved service providers as opposed to the managers themselves," says Kris Lau, Senior Principal Information Security Consultant at ACA Aponix.
"We've also expanded our offering to include portfolio company due diligence to support private equity managers; this is a big area of focus for us. The experience of the ACA Aponix team really sets us apart from our competitors and is, in my view, our biggest asset. Many of us have come from the buy-side and have been on the receiving end of cyber security services in our previous roles."
ACA Aponix employs a phased approach to working with each new client. At the beginning of an engagement, ACA Aponix will visit the client and conduct an initial risk assessment to identify any issues.
"Part of that assessment involves making recommendations and helping clients determine how to fix the issues we identify," continues Lau. "Then, we will typically run mock audits to identify and address any outstanding issues in advance of any potential visit by the regulator.
"A major part of our offering, therefore, is trying to help clients build a comprehensive information security programme, not just for the sake of satisfying the regulators but to get clients accustomed to viewing security as a normal part of their business. Then, no matter what regulatory inspection comes along or what new threat emerges, they are prepared as well as possible."
The last thing fund managers should do is compartmentalise cyber risk. Fund managers are increasingly recognising that the effects of a cyber breach are reputational as well as financial and should not be viewed differently than any other risks to which the business is exposed.
"A comprehensive information security programme should be an integral part of a firm's overall risk management. We involve everyone from senior management to the most junior staff when running mock audits and tabletop exercises. Helping to spread that awareness across an organisation, should, in our view, help to mitigate cyber risk," says Lau.
On winning this year's award, Lau says: "It is an honour. Our dedication to our clients, the services we provide, and our focus on team training enable us to routinely update our offerings to help keep clients protected from evolving cyber security risks."
