Cybersecurity stakeholders, particularly those in information security and legal/compliance, must communicate effectively to ensure that a fund manager’s cybersecurity program is fully implemented and able to respond to cyber attacks. Although managers of all sizes should aim to build in-house cybersecurity expertise to increase responsiveness, some may benefit from outsourcing or co-sourcing certain cybersecurity functions given the involved costs and shortage of qualified workers. Managers must, however, ensure that they properly vet and oversee third-party cybersecurity vendors, and this requires coordination between the chief compliance officer (CCO) and on-site technology leaders. This article, the third in our three-part series, evaluates methods for facilitating communication between cybersecurity stakeholders; outsourcing and co-sourcing of cybersecurity functions; and best practices for employing and overseeing third-party cybersecurity vendors. The first article
discussed the risks and costs associated with cyber attacks; the global focus on cybersecurity; relevant findings observed by the Office of Compliance Inspections and Examinations during the examination of SEC registrants; and cybersecurity best practices. The second article
analyzed the reasons why fund managers should hire a dedicated chief information security officer, reviewed information security governance structures and explored the role of the CCO as a strategic partner. See “Fund Managers Must Supervise Third-Party Service Providers or Risk Regulatory Action
” (Nov. 16, 2017); and “How Managers Can Identify and Manage Cybersecurity Risks Posed by Third-Party Service Providers
” (Jul. 27, 2017).