Hedge Fund CFO and CCO Perspectives on Adopting the Right SEC Cybersecurity Compliance Approach
The newest Securities and Exchange Commission (SEC) cybersecurity risk management rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act provide mandatory requirements for public hedge funds in addition to existing guidance on risk management, cybersecurity, and operational best practices. The new rules require these firms to assess, measure, and disclose the financial implications of cyber incidents as well as disclose how they manage cyber risk.
Registered funds recognize this new SEC rule as a clear signal of what they can expect in the coming months, and many are looking to third parties for help. Our 2023 Hedge Fund Cybersecurity Trends Report confirmed a distinct shift in the market toward outsourcing cyber programs to improve cyber posture: every hedge fund CFO and CCO we polled will leverage outside expertise in the coming months. As they navigate regulatory challenges, these roles are particularly looking for vendors with industry-specific expertise in regulatory best practices (53% of CFOs and 57% of CCOs).
But that’s where the similarities end. The reasons hedge fund CCOs and CFOs gave for switching to outsourcing show critical differences between how each role prioritizes regulatory compliance, financial implications, and cyber risk management (even as cyberattacks increased 205% over the previous year). Do they choose a proactive, comprehensive approach to cybersecurity (implementing SEC requirements and recommendations)? Or do they decide to do the bare minimum–meeting only the SEC requirements–and live with the risk of ignoring the SEC recommendations?
Hedge fund CCOs are on the hunt for a qualified partner who can ensure accurate cyber risk assessments, comprehensive threat mitigation, and strategic guidance. This year, 58 percent of CCOs told us they’re looking to outsource in response to regulatory pressure to use a third party to manage cyber governance—a 65 percent increase from last year. It was the main factor in their decision to outsource. Only 36 percent of hedge fund CFOs agreed with them.
Instead, half of hedge fund CFOs chose the Great Resignation (compared to just 23% of CCOs) over regulatory pressure as a reason to outsource. They were more concerned about the industry’s loss of skilled IT professionals and its impact on overall cybersecurity and reporting. Hedge fund CFOs’ third driver was housing cybersecurity and managed IT under one roof (42% compared to 27% of hedge fund CCOs). Hedge fund CFOs understand the importance of regulatory best practices but seem to underestimate the need for a strong cybersecurity operations function that provides proactive protection from increasingly threatening bad actors.
Cybersecurity isn’t just a compliance issue; it’s a financial and reputational risk management issue. It’s worth noting that the average cost of a data breach worldwide is $4.24 million per incident. The United States’ own average is $9.05 million. These numbers, coupled with the significant increase in cyberattacks in both severity and frequency, reinforce that strong cybersecurity governance, alone, doesn’t mean your people, systems, and data are safe.
Quality cyber governance programs can ensure your firm has a strong cyber posture, but you need more when bad actors come knocking; that job belongs to security operations (and is why the SEC recommends having strong defenses in place). Agio offers both cyber governance and cybersecurity operations programs to ensure firms meet SEC requirements and recommendations.
Ready to get started? Contact us today.
Connect with us.
Need a solution? Want to partner with us? Please complete the fields below to connect with a member of our team.