By Meghan McAlpine – Given the uptick in new funds being raised, competition for investors’ capital has increased significantly. Investors are being more thorough in the diligence process and almost always requesting more information than what’s presented in a standard DDQ. In order to compete for this capital, fund managers are providing a substantial amount of information to investors.
The industry as a whole is seeing an increase in transparency, which has been insisted upon by investors over the past several years. Performance, while a very important factor, is only part of the criteria that investors are considering when determining whether or not to invest in a fund. Transparency is becoming an increasingly important factor to the success of a fund. According to a survey completed by Intralinks and Opalesque, 89 per cent of hedge fund investors and 71 per cent of PE and real estate investors didn’t invest in a fund due to transparency issues.
Alternative asset managers are providing more information to garner allocations, but they are concerned about sharing this sensitive information. The dissemination of investment and portfolio information becomes a double edge sword after hearing about the cybersecurity headlines hitting the media. Managers are facing an increased pressure to guard against cybersecurity risks. Regulators are requiring that firms have strong cybersecurity policies and procedures in place. Investors are also analysing fund managers’ cybersecurity measures during the diligence process.
Recently, the alternative investment industry has seen a large number of more sophisticated cybersecurity attacks. According to the FBI, cybersecurity is the top priority for the criminal side of the Bureau. Fund managers have personal identifying information for its investors, proprietary information and large sums of money changing hands on a regular basis. These factors all have contributed to an increase in cybersecurity attacks on the alternative investment industry.
What are the risks?
Given the amount of information being shared by fund managers and the sensitive nature of this information, there are several risks to the manger in the event of a breach:
- Monetary risk – there have been instances where fund managers have been attacked and wiring information for an investor has been changed so that funds go directly into the account of a hacker, potentially losing the fund millions of dollars.
- Reputational risk – Investors want to make sure that fund managers have strong policies and procedures in place. If an attack occurs, investors may lose confidence in the manger and may look to redeem their allocations, or not re-up in an upcoming fund.
- Competitive advantage – If a hedge fund’s proprietary trading algorithms get into the wrong hands it could weaken their competitive advantage over other funds.
- Regulatory risk – Regulators are coming down hard on firms that don’t have strong policies and procedures in place, which could mean hefty fines for a manager that doesn’t take cybersecurity seriously.
How to protect against cybersecurity risk?
In terms of cybersecurity risks, one important area of focus for fund managers should be communication with their investors. Due to the industry’s shift to increasing transparency, there is a large amount of data being sent to investors. It’s important for managers to have a secure system in place to share this sensitive information.
Many managers are using email to communicate with their investors. It’s easy to use, has minimal cost and is widely accepted. However, it’s one of the least secure communication methods, providing zero ability to control information once sent. There is a high likelihood of email being hacked which could result in the loss of sensitive client data, strategy information, and proprietary portfolio positioning.
Organisations with the right communication platform in place can adhere to transparency requirements, while maintaining control over the data they are sending. Many fund managers are turning to investor portal solutions to communicate with their investors. The technology serves as a safe alternative to e-mail – acting as a secure and central communication hub providing both documents and data to clients. Document and user-level permissions allows GPs to take control of who has access to what content, allows them to watermark documents or prevent printing and quickly revoke access to documents at any time – even after they have left the system.
Third party vendors
Many fund managers are moving towards cloud-based solutions instead of building a customised communication platform in-house. Many third party solutions have a solid infrastructure and a high level of security along with strong investor adoption levels. These systems can offer significant cost savings versus the money spent on developing a customised in-house solution and supporting that solution going forward.
Because many managers are moving to out-sourced solutions, it is important that they make sure to complete thorough vendor due diligence, especially on those third parties that are hosting sensitive data for them. Funds should have strong cybersecurity procedures and controls in place and make sure that service providers are held to the same standards. It is important to ask the right questions of service providers to make sure they are taking cybersecurity seriously. Investors are also increasingly requesting information on third party vendors to make sure their information is secure. Many managers will do penetration testing and conduct on premise checks of vendor’s infrastructure. Being comfortable with a vendor’s security policies and procedures and is critical.
Making cybersecurity a priority
The alternative investment industry is moving away from a culture of secrecy and towards public openness. Transparency is a key criteria of investors’ decision to deploy capital to a fund. Fund managers need to meet these demands to remain competitive. Managers also need to be careful about how they share this sensitive data with investors. Making sure they have strong cybersecurity policies and procedures in place can protect the fund from a variety of losses. Any communication system that is put into place should be robust, with the ability to lock down documents, remove permissions at any time and fully tested, meeting stringent security standards. No one can be fully protected from an attack, but those firms with strong cybersecurity policies and procedures in place are much more capable of withstanding a breach.