ACA Aponix provides financial services firms with a 360-degree, independent approach to technology risk and governance. Over the past 12 months, the firm has grown its client roster to 150 clients spanning the US and Europe, and is now signing contracts in Asia. To support this expansion, its client-facing team has grown by 300 per cent and added offices in London and the West Coast of America in addition to New York.
Cybersecurity has become one of the most important operational considerations for hedge fund managers today, particularly as regulators such as the Securities and Exchange Commission in the US make it a key priority for 2016. As James Tedman (pictured), Managing Director, ACA Aponix (Europe), comments, the sophistication of attacks has increased significantly over the past 12 months:
"Challenges go well beyond implementing the most common technical tools of firewalls, intrusion detection, spam filters, and the like, and require a broader effort from more than just the IT team. Getting buy-in from the entire business is critical, and staff training is valuable in ensuring staff know their roles and responsibilities, as well as understand the risks that funds are exposed to."
Indeed, having a robust cybersecurity programme is now a regulatory requirement for any SEC or NFA regulated fund and Tedman expects other regulators, including the UK's FCA, to follow suit during 2016.
"The cornerstone of the regulators' requirements is a cybersecurity risk assessment but this is a tricky and hugely time-consuming thing for the average hedge fund to undertake internally, and outsourced IT providers and even internal IT departments are conflicted – you can't mark your own homework! Our independence from products or vendors means that we can offer impartial advice based on our knowledge of funds, cybersecurity and technology best practices," says Tedman.
On 1 March 2016 the National Futures Association followed the SEC's example by formally introducing the Cybersecurity Interpretive Notice. Cybersecurity risk assessments with regular reviews, written information security policies, staff training, vendor due diligence, deployment of appropriate protective measures and recordkeeping around programme implementation are now all regulatory requirements for NFA member firms, says Tedman, who expects the FCA to publish similar guidance to that of other regulators.
"Many funds are concerned that they will struggle to meet the requirements for different regulators but the good news is that they are all broadly in lockstep with each other and are using the National Institute of Standards and Technology ('NIST') framework as the basis for their programmes."
Aside from cyber attacks, another challenge for the funds industry is vendor risk. Outsourcing back- and middle-office functions has become popular, meaning that sensitive data resides outside of the four walls of the fund manager.
Tedman says it is critical that funds make efforts "to understand where that data is and the measures and controls in place to secure it. There are various generic vendor due diligence templates available but firms also need to ask pointed questions to determine the specifics of the vendor's implementation for their firm.
"We help our clients to map out data residence and flow both inside and outside their infrastructure to identify which vendors have access to sensitive data. This helps to determine which vendors to include in the due diligence exercise for which we have built a proprietary portal with custom questionnaires for each vendor type," confirms Tedman.