
Cybersecurity, the SEC and You: Hedge Fund Symposium Highlights
We were honored to be invited to participate in an exciting event in Boston recently hosted by KPMG. The event, Hedge Fund Symposium 2015, featured a lively panel on cybersecurity to kick off the afternoon. Featuring speakers from Eze Castle Integration, Morgan Lewis and The Baupost Group, the panel discussed the changing cybersecurity landscape for hedge funds and alternative investment firms and shared best practices on how to mitigate risk in this evolving climate. Following are some of our favorite highlights from the event.
- Malware is seemingly the most common threat to financial firms and can infect a firm's network as a result of improper use of removable storage media (USB devices), opening of suspicious hyperlinks and attachments, or more advanced ransomware technology (think Cryptolocker virus).
- Spear-phishing and social engineering campaigns are also extremely prevalent and can cripple even the most technology-savvy firm. Ultimately, these campaigns are best prevented through proper user training and awareness around information security.
- The SEC's recent guidance, updated by its Division of Investment Management, included an interesting footnote. The note essentially concluded that firms have a fiduciary responsibility to provide investment advice/counsel to clients, and that a cybersecurity attack or incident affecting a firm's operations would, in effect, prevent the firm from fulfilling its duties and ultimately may put it in breach of its contract.
- Chasing compliance with regulations is not the right approach for hedge funds and investment management firms. Rather, firms should establish an overall comprehensive security program that is periodically reviewed to ensure it complies with changing requirements.
- Vendor evaluations are critical when it comes to mitigating cybersecurity risk. The SEC specifically called out a lack of proper third-party assessments as part of its exam sweep findings.
- Conducting a cooperative study of your firm's security environment will be more effective and productive than a one-time penetration test.
- Firms should have a solid understanding of who at the firm is responsible for which areas of technology and security. Even if leveraging an outsourced provider, there must be an internal leader to learn the ropes, engage with vendors, and take responsibility for the firm's security awareness.
- New technologies and capabilities such as ethical hacking and phishing tests can help firms identify security risks from both a technical and a user perspective.
- Create a culture of compliance at your firm. If you're still looking for management support, educate yourself and your team in order to raise executive consciousness around cybersecurity risks and best practices.
- Trust but verify, particularly when it comes to working with outsourced IT and security vendors.