How Fund Managers Should Structure Their Cybersecurity Programs: Background and Best Practices (Part One of Three)

Nation-states, organizations, groups and individuals continue to employ increasingly sophisticated methods to target information systems and computer networks. Governments and regulators – including the SEC and the U.K. Financial Conduct Authority – are also intensifying their scrutiny of organizations’ cybersecurity programs. See our two-part series “Navigating FCA and SEC Cybersecurity Expectations”: Part One (Jan. 7, 2016); and Part Two (Jan. 14, 2016). As a result, it is becoming more expensive to combat and contain cyber-related attacks. Given that cybersecurity is an enterprise-wide risk, fund managers must, at a minimum, ensure that they comply with industry best practices, including adopting one or more cybersecurity frameworks and creating a culture of cybersecurity compliance. This article, the first in a three-part series, discusses the risks and costs associated with cybersecurity attacks; the global focus on cybersecurity; relevant findings observed by the Office of Compliance Inspections and Examinations during the examination of SEC registrants; and cybersecurity best practices. The second article will analyze the need for fund managers to hire a dedicated chief information security officer, review information security governance structures and explore the role of the chief compliance officer as a strategic partner. The third article will evaluate methods for facilitating communication between cybersecurity stakeholders; outsourcing and co-sourcing of cybersecurity functions; and best practices for employing and overseeing third-party cybersecurity vendors. See our two-part series on how fund managers can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape” (Dec. 3, 2015); and “A Plan for Building a Cyber-Compliance Program” (Dec. 10, 2015).
