The average hedge fund is often a lean operation with limited headcount, which leans more towards the front office. As such, areas such as IT and cybersecurity are typically outsourced. Many have chosen not to hire CISOs but have instead chosen to appoint outsourced partners/consultants to conduct risk assessments, including appraising the manager’s third party vendor relationships.
“We are one of the largest counterparties to some of our clients: we provide their IT, we are custodians of their data and we provide systems that enable them to run their business,” comments Viktor Tadijanovic, Founding Member and CTO of New York-based Abacus Group. “We are their outsourced IT platform and we provide a number of cybersecurity controls and technologies. Given the number of high profile attacks, clients increasingly want to improve their cybersecurity posture to put their house in order.”
One of the main reasons for embracing the outsourced IT model is that the cost of building and maintaining internal technology resources is prohibitive, given the amount of compliance and regulatory requirements that hedge funds face today. However, this means that proper checks and balances need to be in place when using a third party IT vendor.
Evaluating a client’s IT partners, like Abacus, includes looking at the investment they are making in cybersecurity, as well as the transparency they provide.
“The nature of the service we provide is a black box. Everything works but the client doesn’t know how it works. Consequently, a lot of work is done providing a window of transparency into that black box to show clients our controls and make ourselves accountable. We continually make investment into those areas,” confirms Tadijanovic.
He adds that one of the challenges that IT service providers face is that there are, as yet, no industry standards and guidelines in place.
“We try to get ahead of this by providing a set of documentation that anticipates what our clients will want to know about us,” explains Tadijanovic. “We go through an annual SSAE 16 audit, which produces a System and Organisation Controls (SOC) report outlining our controls and practices. We produce a standard document for each client that describes our technology and our controls. We have completed and routinely maintain the AITEC questionnaire, which we make available to mutual clients upon request. We also use some open standards such as SIG for information gathering. Standard Information Gathering is one of the emerging standards and provides some good guidelines on how to perform due diligence.”
The SIG questionnaire, produced by industry body Shared Assessments, is essentially a holistic tool for risk management assessments of IT and cybersecurity. Tadijanovic confirms that Abacus have partnered with Shared Assessments and have purchased the rights to use their questionnaire.
“We fill out their questionnaires, covering all the different controls from human resources hiring practices to technology, back-up disaster recovery plans, etc. We also bring in third parties to evaluate our security posture three times a year. They do a penetration test and issue a report, which we also make available to clients,” states Tadijanovic.
Tadijanovic concludes that the aim with all of these reports is to teach each client how to use them “to improve their security stance, so that if the regulator or an investor visits them, they know what to say”.