How Fund Managers Should Structure Their Cybersecurity Programs: CISO Hiring, Governance Structures and the Role of the CCO (Part Two of Three)
Hedge Fund Law Report
A fund manager’s chief compliance officer (CCO) or chief technology officer may appear to be the natural choice to develop and oversee the firm’s cybersecurity program. Nevertheless, given that those officers likely lack requisite expertise and are burdened by other responsibilities, fund managers should hire a dedicated chief information security officer (CISO) to serve in this function. Although no one governance structure is appropriate for all organizations, CISOs must be sufficiently independent and empowered to challenge organizational initiatives. This does not mean, however, that CCOs should be voiceless; rather, they must partner with CISOs, leveraging their unique skills in policy management, monitoring and investigating. This article, the second in our three-part series, analyzes the reasons why fund managers should hire a dedicated CISO, reviews information security governance structures and explores the role of the CCO as a strategic partner. The first article discussed the risks and costs associated with cyber attacks; the global focus on cybersecurity; relevant findings observed by the Office of Compliance Inspections and Examinations during the examination of SEC registrants; and cybersecurity best practices. The third article will evaluate methods for facilitating communication between cybersecurity stakeholders; outsourcing and co-sourcing of cybersecurity functions; and best practices for employing and overseeing third-party cybersecurity vendors. See “RCA Panel Outlines Keys for Hedge Fund Managers to Implement a Comprehensive Cybersecurity Program” (Jun. 18, 2015).