Technology

Passing the assessment

Striving to build state-of-the-art cyber-defences is all well and good. But all is for naught if a manager cannot demonstrate the quality of those systems, procedures and practices to an increasingly savvy investor community and band of regulators. Investor due diligence questionnaires and regulatory exams are evolving with the times. In this final section, the report seeks to identify the areas of interest for third parties and the ways managers can prepare for their assessments.
October 2017

Report Overview

Evolving questionnaires

Like managers, investors have been on a steep learning curve with regards cyber-security of late, and changes to their operational due diligence procedures have been forthcoming. What five years ago was a simple ‘tick box’ exercise lumped in with general IT matters is now, managers interviewed said, a dedicated half an hour discussion covering, among other topics, penetration tests, phishing scams and data encryption. The questions, too, are evolving. Exhibit 3.1 offers a flavour of the types of question investors are asking on several key topics now, compared to five years ago. Two key areas of focus can be extrapolated:

1) Deployment of resources: investors want to know how managers are spending their cyber-security budgets and utilising specialist staff and vendors, not just that they are.

2) Monitoring and procedural evolution: most significantly, sophisticated investors want to see evidence of monitoring and that procedures and protocols will evolve with time.

That second point is the crux. A manager who is able to demonstrate to investors that they are not just thinking about today’s threats, but tomorrow’s threats and beyond, is best placed to impress. And the trend is largely agnostic to investor size and location. All types of professional investor in North America and Europe are dedicating an increasing amount of time in their operational due diligence conversations to cyber-security questions and evolving their focus, interviewees said. One UK-based allocator praised the role of UK- and US-based trade bodies among fund managers for making cyber-security a priority in recent years.

Impressed investors

In Section 2, we discussed how very few hedge fund managers consider themselves ‘behind the curve’ of the industry with regards their cyber-security measures. Investors, it seems, would agree. Our research suggests that investors have been impressed with the progress that managers have made in the past five years. The COO of one fund of hedge funds (FoHF) manager the Insights team interviewed said that the improvement in standards generally could be seen everywhere, “in the documentation, the third-party penetration testers that managers are bringing in, and the upgrades to firewalls”. Investors are also understanding of the sensitivity of the topic, accepting that managers can only answer certain questions in-person or during conference calls, and that some documents can only be shared on-site.

But does this mean that the investor community’s knowledge of cyber-security matters has improved? The evidence of that is less clear. Certainly the quality of investor questions has increased, but one might argue that this is a by-product of the increased input from trade bodies and investment consultants, which has seen due diligence questionnaires in general become longer and more detailed, rather than the increased ability of investors to digest the answers. A common complaint from managers in recent years is that institutional investors are asking for more information without understanding if or how they can use it. For now, cyber-security appears to be following this trend.

Reluctance to report

Part of the problem is that investors are not receiving first-hand examples of attacks at managers that would allow them to learn and improve. In each of JP Morgan’s last two annual global hedge fund investor surveys, cyber-security failures were the least frequently revealed issues during due diligence, although there was a slight uptick from 1% in 2015 to 3% in 2016 (Exhibit 3.2). The Insights team believes there are several factors at play here: manager security measures are of relatively high quality, investor knowledge is relatively low, and the incentive for managers to report/reveal anything cyber-related more than the most desperate of breaches is practically non-existent. Not only do managers fear telling investors about a breach, but they want to use the fact they have made no such reports a selling point.

The solution is not straightforward. Cyber-attacks are common and evidently so, but there is no reliable data on the extent to which managers are suffering serious breaches. Investors the Insights team spoke with said they were yet to have a manager report a breach, and would only expect to be updated in the most serious cases. Even regulators are finding such evidence hard to come by; earlier this year SEC chair Jay Clayton signaled a softer line on cyber-security failings to encourage firms to report attacks. So what is the potential path? To draw a parallel, investors have come to accept that a manager’s performance will dip, and now managers use examples of how they have overcome periods of disappointing performance in ‘the story’ they tell during a pitch. Could managers also make overcoming cyber breaches part of ‘the story’? Until one manager does so publicly, this may prove a hard sell.

How tough are regulators being?

Relatively few managers surveyed have been submitted to a cyber-security exam by their regulator or expect to be (Exhibit 3.3). However, a greater proportion of UK-based respondents expect to be submitted to a cyber-security exam in the near future (35%) than US-based respondents (22%). HFM believes this to be a result of how vocal their respective countries’ regulators were last year rather than their intentions. For example, the SEC and its Office of Compliance Inspections and Examinations have been producing guidance on cyber-security and updates on exams since early 2015 (Exhibit 3.4). By contrast, the FCA published its first significant guidance in May 2017 following a speech on the topic by the regulator’s director of specialist supervision in September 2016. It seems probable, therefore, that the FCA appears a little late to the party, and that UK managers believe the increase in noise over the last 12 months will mean an increase in action over the next 12.

What that action will look like is open to interpretation, but, generally speaking, there are signs that regulators will be lenient. Over the course of 2014, the FCA received cyber-attack reports from five firms it regulated, in 2015 that increased to 27 and in 2016 there were 89 reports. However, not one of the attacks reported in 2015 or 2016 were from asset managers. As demonstrated, reputational risk is among managers’ biggest concerns when it comes to cyber-attacks. As noted earlier, the high likelihood is that managers are suffering breaches but choosing to deal with the matter quietly. Will other regulators follow the SEC in softening their approach to cyber failures in order to gather more reliable data? The clues are in each region’s latest guidance and activity.

The US

US regulators have been among the most active and the most vocal on cyber-security globally. The SEC undertook 75 examinations of regulated entities in 2016, of which they found 26% were unprepared. The NFA has adopted a quieter approach but, as noted by HFMWeek in August, has been intensifying its examination process since early 2017. NFA exams are less invasive than SEC exams, more along normal business protocol lines, interviewees said. The NFA’s approach feels more like a guiding hand, they added, focusing on workshops and the educational materials surrounding these examinations, and avoiding “curveballs”. Firms might expect a less intense experience from the SEC going forward, as chairperson Clayton’s aforementioned new approach suggests. Among the SEC’s key recommendations according to its guidance, and likely areas of focus in the coming months, include:

• Identifying the information at risk and the risk landscape;

• That management understands the threats, outsourcing is not enough;

• Educating staff, with training sessions at least every year;

• Controlling access to certain information silos and types;

• Understanding and mitigating third-party risk; and

• Contributing to the welfare of the industry through information sharing.

The UK

No UK-based manager interviewed by the Insights team had experienced a dedicated cyber exam by the FCA, although several reported fielding cyber-related questions during a general exam in the last six months. The COO of one sub-$500m AuM manager praised the regulator’s approach during his meeting as “performed with common sense rather than a clipboard”. As noted, many managers expect the FCA’s cyber focus to intensify in the months to come as the regulator clarifies its position and protocols following its first significant themed guidance and speeches in late 2016 and 2017. Additional initiatives the FCA will focus on beyond the standard guidelines are expected to include:

• Firms gaining accreditations such as the ‘Cyber Essentials’;

• Deeper assessment of data encryption and password strength; and

• Examination of disaster recovery speeds and back-ups.

Asia

Reports of SFC cyber exams of asset managers did not reach the Insights team, but the Hong Kong regulator has produced several pieces of online guidance, including those concentrating on online trading accounts. Of the 27 attacks reported to the regulator in the 18 months prior to March 2017, most concerned trading accounts. Its approach will likely follow a similar path to the SEC and FCA, with such requirements as the need to monitor IP addresses and trading patterns. In Singapore, meanwhile, managers should expect increased attention of cyber processes following the formation in September 2017 of the jurisdiction’s Cyber Security Advisory Panel (CSAP). The group’s first meeting is scheduled for this month.

Mainland Europe

European regulators have been slower off the mark than many of their global counterparts when it comes to cyber-security guidance. The Swiss regulator, FINMA, makes reference to timely responses to attacks and the restoration of normal business operations in an updated circular for the banking industry in late 2016, while ESMA is yet to publish specific guidance. The EU super regulator, however, does refer to other areas of regulation, such as the AIFMD and EMIR, for standards. Its incoming General Data Protection Regulation (GDPR), and for banking, the Network and Information Security Directive (NISD), should also be on the radars of cyber savvy European managers, prescribing changes to the way firms hold and destroy information, an issue that will also affect counterparty relationships.

Assessing vendors

Hedge fund manager concerns about third- and fourth-party risk arose during most HFM Insights interviews of cyber threats. The key issue was vendor security: who has a manager’s data and what were they doing with it. These risks also have significant impact on regulatory examinations and operational due diligence, as regulators and investors alike are increasing their interest and sophistication in this area. Regulators want to see that these risks have been assessed and that knowledge of potential failures and mitigating processes are in place. Best practice for vendor management should focus on the storing and transmitting of data. Managers should ensure that their vendors’ protocols are as good as if not better than their own.

Managers should ensure that their vendors’ protocols are as good as, if not better, than their own

Vendor size is a significant factor when assessing counterparty cyber risk. Large vendors have scale and expertise, but may surreptitiously outsource certain functions and services, creating a potential a blind spot for data handling and GDPR stipulations. Smaller vendors, meanwhile, have less robust structures and data handling processes, a potential issue under GDPR which is yet to make clear the extent to which its more onerous requirements extend to smaller entities. Most of the managers with legacy vendor agreements said there had been no issues in updating the language where necessary.

Manager governance

Almost all the hedge fund managers surveyed by HFM Insights have a written policy on cyber-security (Exhibit 3.5). More than that, what used to be a paragraph in a larger piece of company literature is now a confidential, standalone document; typically more than ten pages long and often only leant to investors during on-site visits. The SEC’s guidance has been particularly influential here. The US regulator requests of firms a Written Information Security Plan (WISP) covering a range of different perspectives, from data controls to mobile phone policy. The most sophisticated managers are using the SEC guidance as the basis for the WISP and building out from there.

Cyber-security is also becoming a more regular fixture during hedge fund manager board meetings. As Exhibit 3.5 also shows, 25% of firms the Insights team surveyed have a board member designated to cyber-security matters as well as a written policy (no firm had a designated board member without a written policy). According to a study by KPMG last year, almost half of hedge fund managers discuss cyber-security at each one of their board meetings, compared to 16% who discuss it only when it is an issue (Exhibit 3.6). However, the study also found that close to 40% of managers discuss the topic just once a year, suggesting there remains plenty of room for improvement.