The IT and cyber security infrastructure of a start-up fund is instrumental to its fate and can be key to determining whether it fails or succeeds. Therefore, a consultative approach in this regard can ensure their framework is fit for purpose and can effectively support the fund’s growth objectives.
The IT and cyber security infrastructure of a start-up fund is instrumental to its fate and can be key to determining whether it fails or succeeds. Therefore, a consultative approach in this regard can ensure their framework is fit for purpose and can effectively support the fund’s growth objectives.
“Both investors and managers have become a lot more involved and informed in relation to IT and cybersecurity, which, in turn, allows them to be more engaged with their providers and the solutions they implement,” explains John Araneo Managing Director and General Counsel of Align Cybersecurity.
Vinod Paul, Chief Operating Officer at Align, highlights how, although the end-user of IT solutions has always been sophisticated, the last two years have demonstrated a growing realisation of how important an IT platform is in the ultimate success of a firm: “The operational due diligence, but more importantly, the regulatory landscape has changed so much, that players are now taking an active, participatory lead in wanting to understand their personal threat landscape and minimise the risk.”
Until a few years ago, fund managers were satisfied to have service providers simply monitor their IT and cyber environment. Now, they want to understand their data footprint, they ask to see reports and want to understand how their risk profile is changing and what can impact it.
The greater scrutiny potential investors are applying when conducting operational due diligence (ODD) exercises is also driving this enhanced interest. Araneo notes: “Managers get one bite of the apple in an ODD meeting with investors. If they miss one question, there are 20 other fund managers waiting to take their place. This has contributed to managers being more informed and therefore engaged with these matters.”
Understanding the risks
Elevating this engagement even further means ensuring managers understand that cybersecurity is not a project, it’s a process. “The idea is that start up managers do not need to invest USD$100,000 into a cyber program before they launch. Rather, they need to demonstrate to their potential investors that they understand what their risks are and that they are making reasonable and methodical efforts over time to mature their cyber program,” Araneo outlines.
This paradigm, therefore lends itself very well to a co-sourcing relationship between managers and a service provider like Align. According to Paul, the reason for this growing consultative dimension is that managers now understand that they need to have the proper building blocks in their foundation from day one: “The strongest house is built on robust foundations. You need to include many layers of additional protection and understand these need to be monitored regularly to make sure everything is still fit for purpose. It’s not just about building the house, but about maintaining it as well.”
He adds that although managers can choose to purchase software themselves, simply procuring the program is not sufficient to create a robust IT environment: “The ‘secret sauce’ is in configuring the software correctly, in monitoring it effectively and ensuring the platform itself is always available. Doing this yourself is like buying a Tesla, then building an electric charging station yourself and trying run the maintenance alone – which no one would ever do. Therefore, managers should not try to do this with their IT which is one of their most critical assets.”
Araneo adds: “Cybersecurity is a truly a multifactorial challenge that requires a multidisciplinary response. It’s complicated enough for managers to navigate through the appropriate IT and technology infrastructure licenses and configure them to meet the prevailing industry standards and, unfortunately, cybersecurity adds an additional plane of complexity to this IT/cyber matrix.
“All fund managers, especially start-ups need to make sure they have a trusted adviser in this space. They need to embrace the fact that cyber requires a percentage on the budget and they need to set aside a responsible, realistic budget for doing this. The service providers in the space have all evolved enough to give good advice and making the right decision is crucial for emerging managers.”
The right partners will also help guide start up managers through any regulatory changes. Araneo points out the recent proposals issued by the Securities and Exchange Commission in February 2022 on cybersecurity: “We are 12 or 18 months away from required regulatory change and although this represents a significant uptick in maturity, quality and content of cybersecurity policies across the industry, it is something fund managers will need to contend with for the rest of the year and into the coming year.”
Therefore, it is helpful for those looking to launch in the current environment to have access to providers with their finger on the pulse; those who understand what changes will be ushered in by these proposals and can assist and support the start-ups in this regard.
Leveraging relationships
Choosing a provider with the right fit will further elevate the consultative relationship signposted earlier. Paul observes: “I have been working in this industry for 20 years and historically, the relationship between manager and IT provider was strictly a vendor-client one. This has evolved and the partnership between the two has become the central nervous system of a fund launch; it’s a vital organ which can be directly tracked to the eventual success of that fund.”
Araneo believes the industry is at the beginning of a new era: “Never before has IT and cyber security been so important. The security threats and controls are going to continue evolving – just like they shifted dramatically when people moved from working in the boardroom to their dining room table. Fund managers looking to launch need to think about meaningful risk management of cyber threats as a whole function of their business from day one.”
John Araneo General Counsel & Managing Director, Align Cybersecurity
John Araneo possesses a broad corporate legal background, encompassing investment management law, data privacy and cybersecurity law, corporate governance and employment law. John is an published author, established cybersecurity expert and a well-known thought-leader on the legal, regulatory, governance and employment law issues related to cybersecurity. Previously, John practiced law in the investment management space for over 20 years, most recently as a partner of Cole-Frieman & Mallon, LLP, a firm that represents over 2000 asset management clients.
Vinod Paul, Chief Operating Officer, Align
Vinod Paul brings over 20 years of in-depth financial services and technology experience to his role as Align’s Chief Operating Officer. Vinod’s responsibilities include the oversight and strategic development of Align’s Managed Services offerings, including Align Cybersecurity™, the company’s comprehensive cybersecurity risk management solution. In his current role, Vinod is also responsible for managing senior client relationships with alternative asset managers, providing ongoing guidance with respect to industry best practices and forward-looking trends in Managed Services. Vinod serves on the Forbes Technology Council, a collective of invitation-only communities.
