The  cybersecurity risk management regulations for publicly traded companies, issued by the U.S. Securities and Exchange Commission (SEC) in August 2023, augment the existing guidelines related to hedge fund risk management, cybersecurity, and operational excellence.  

Public companies regulated by the SEC must now assess, quantify, and disclose the financial repercussions of material cyber incidents along with describing to investors their strategies for managing cyber risk. As the SEC continues to sharpen its focus on cybersecurity compliance and is expected soon to finalize similar cyber risk rules for registered investment advisors and funds, it’s no surprise RIAs are exploring outsourcing options. 

Critical Hedge Fund Industry Trend: Outsourcing Cyber Programs 

The 2023 Hedge Fund Cybersecurity Trends Report showed that all firms surveyed are considering outsourcing their cybersecurity programs within the next 24 months.  Hedge fund Chief Compliance Officers (CCOs) and Chief Technology Officers (CTOs) appear, however, to have differing motivations for this shift.  

Hedge fund CCOs said they are looking to a third party to address regulatory pressure to use an outside provider (58%) and for regulatory and industry-specific cybersecurity best practices (57%). And while only 23 percent of hedge fund CCOs mentioned investor pressure to engage a third-party vendor, that number was three times more than CTOs (7%).  

On the other hand, hedge fund CTOs expressed the need for a partner who can safeguard a work-from-anywhere environment (47%) and consolidate cybersecurity and managed IT services in one place (44%). Almost half (47%) of CTOs acknowledge regulatory pressure to outsource, but only 10 percent were concerned about finding a vendor with regulatory and industry-specific best practice expertise.   

cyber governance be confidently sec audit ready today

Why You Need to Outsource 

Regulators or investors may pressure hedge funds to outsource their cyber programs to enhance security, transparency, and compliance if there are no internal resources to provide this expertise. Working with a third-party vendor provides several benefits:  

  • Expertise Gap: Regulators expect hedge funds to work with cybersecurity experts because they have specialized knowledge and experience. For most hedge funds these skills can be provided by external experts that in-house teams may lack. This ensures that the fund’s cybersecurity measures are comprehensive and current. 
  • Third-Party Validation: Regulatory authorities require hedge funds to validate and assess their cybersecurity measures. This validation by an independent outside third party ensures that the fund’s systems and practices meet industry and regulatory standards. 
  • Risk Assessment: Regulators want to see firms conducting risk assessments and audits. These risk assessments when outsourced to security professionals help identify vulnerabilities, assess risk exposure, and recommend appropriate security measures, fostering a more secure environment. 
  • Independent Oversight: Utilizing an external provider for cybersecurity adds an independent layer of oversight. This independence can be crucial in preventing conflicts of interest and ensuring that cybersecurity policies are not compromised for business interests. 
  • Continuous Monitoring: Some regulations may require hedge funds to perform continuous monitoring of their systems and networks. This ongoing scrutiny helps detect and respond to threats promptly. Using external resources specialized in monitoring for cybersecurity events and incidents provides this necessary oversight and insight. 
  • Incident Response: Regulatory authorities examine that hedge funds have incident response teams in place. These teams can provide rapid, specialized assistance in the event of a cyber incident, ensuring a swift and effective response. Most firms lack this expertise internally and can leverage outside providers to fill the gap. 
  • Compliance Verification: Outsourcing cybersecurity to a third-party provider can assist hedge funds in verifying their compliance with regulatory requirements. External experts can confirm that the fund’s cybersecurity practices align with industry-specific and regulatory best practices. 
  • Benchmarking: Regulators may encourage the use of external providers for benchmarking against industry standards and peers. This helps hedge funds gauge their cybersecurity readiness and identify areas for improvement. 
  • Data Protection Standards: Regulations, such as GDPR or CCPA, may require the engagement of specialized providers to ensure the protection of sensitive data and compliance with data privacy laws. 
  • Regulatory Mandates: In many cases, regulators explicitly recommend the use of external providers for cybersecurity in their guidelines or directives if the registrant lacks appropriate expertise. 

 Cyber resilience in the alternative investment industry is vital when cyber threats have increased in frequency and severity. Sixty-six percent of respondents to our cyber trends report said the number of attacks is up (a 205% increase over last year), and 78 percent said time to resolution increased.  

Cybersecurity and Regulatory Compliance Intersect 

The discrepancy between CCO and CTO responses (especially that CTOs didn’t prioritize expertise) highlights a focus on meeting minimal compliance requirements rather than addressing the broader issue of comprehensive regulatory adherence. Hedge fund CTOs may be undervaluing the importance of regulatory and industry-specific expertise.  

It’s no surprise that CCOs seek expertise and regulatory compliance while CTOs prioritize the practical aspects of cybersecurity. However, balancing these perspectives is essential for firms striving to effectively meet the newest SEC rules and ensure robust cyber resilience. 

In the landscape where cybersecurity and regulatory compliance intersect, it’s becoming increasingly evident that the two are intrinsically linked. A well-maintained and secure infrastructure not only enhances cybersecurity defenses but also aids in meeting regulatory requirements.  

Configuration management, patch schedules, managed access, disaster recovery plans, and data encryption are key steps to reduce risk. By regularly assessing and addressing key infrastructure aspects, firms can build a solid foundation for compliance and cybersecurity resilience. That’s where Agio comes in. 

Confidence, Knowing Agio Has You Covered 

Our IT Infrastructure Assessment is a customized evaluation that examines your IT infrastructure, looking at outdated software, system configurations, and user permissions. Then we assign an IT health score and give you a detailed plan for operational reliability, data fortification, and trustworthiness.  

As your hedge fund navigates this dynamic landscape, remember that it’s not merely about compliance checkboxes or cybersecurity tools—it’s about building a secure, compliant, forward-thinking ecosystem. Our holistic approach to cybersecurity not only ensures you’re ready for SEC compliance but also ensures resilience, trust, and long-term success. 

Ready to get started? Contact us today. 

See also  Preparing for the New PCI Standards: More Stringent Requirements and Complexity Coming After March 31, 2024