Cayman Funds 2016

Rob Aspinall is a director with Intertrust Cayman. He can be contacted at: rob.aspinall@intertrustgroup.com

specialist staff and sophisticated technology required to maintain cutting-edge cybersecurity controls. Potential threats aren’t just from outright criminals, but also from foreign governments, activist groups and even industry competitors.

Further, the structure of conventional hedge funds creates specific vulnerabilities in that they outsource a significant part of their day-to-day operations to various service providers who are subject to the oversight of the board of directors. These service providers require a constant flow of confidential fund information in order to effectively perform their services, whether it be fund administration, investor services, investment management, brokerage, risk management or governance.

The average hedge fund also generates and retains a huge amount of data, much of it highly confidential, including sensitive personal information. Today’s cyber criminals are well aware of how hedge funds operate and can easily identify and exploit the weakest links in the flow of information between service providers to their advantage. Any piece of fund data in the wrong hands could be damaging. To a sophisticated cyber criminal, seemingly insignificant information could actually be used, in conjunction with other data points, to inflict real losses on the fund’s investors. Even where monetary losses aren’t incurred, the ensuing reputational damage to the fund and its service providers could potentially be catastrophic.

The role of the board

Hedge fund boards should be aware of the cybersecurity and financial crime risks the fund currently faces, and their own responsibilities in the eyes of regulators. Directors can play a proactive role in helping funds not only to meet minimum regulatory requirements, but also to build an enhanced security oversight function, with a better risk management and assessment regime in place.
This will inevitably require regular updating, as cybersecurity risks evolve on a continuous basis. Boards should consider implementing a policy document that lays out what the fund’s board and service providers (including the investment manager) should be seeking to achieve in terms of expected security standards. A proportionate response may be needed for smaller funds with limited resources, but all boards should be visiting this issue as a matter of urgency.

The Alternative Investment Management Association (AIMA) has published practical guidance for hedge fund firms, setting out practical steps for defending its member firms against cybersecurity threats. It emphasises that boards have an important role to play as stakeholders in this process, including ensuring that cybersecurity risk management is tabled for discussion as a standing board agenda item.

It is important that fund directors remain properly informed about where sensitive data resides and the levels of security delegated to each of the fund’s service providers, most notably the investment manager and administrator as they are often in possession of personally identifiable information, and that this understanding is revisited and updated on a regular basis.

Potentially the weakest link?

An integral part of a fund’s information flow rests with its own board of directors, or the equivalent party providing governance if the fund is not structured as a company. A well-informed board of directors is essential to a properly managed hedge fund. Hedge fund directors need to be provided with sufficient information to properly engage and understand the specific risks relevant to the hedge fund they oversee. They also need to ensure that the information being received strikes the right balance between a comprehensive overview of the fund’s operations and the appropriate level of specific detail, when necessary.
These fiduciary obligations mean that hedge fund directors often have access to highly sensitive fund information and need the ability to properly analyse, and protect, that information. If the hedge fund’s directors are properly involved in the affairs of the fund, they will ultimately receive and retain substantial volumes of the fund’s most sensitive information. Inevitably this makes information security concerning receiving, reviewing and storing this data a major concern.

This is particularly prevalent in the fiduciary industry, which provides a diverse array of operating models ranging from the standalone, high-profile individual with a basic level of technological infrastructure and support, through to full-time, professional directors operating within corporate environments with access to a highly sophisticated technology infrastructure and dedicated IT support staff.

Hedge fund directors should prepare themselves for a noticeable increase in due diligence enquiries from fund investors, regulators and other service providers focused on understanding and mitigating these threats. As the hedge fund industry evolves and becomes increasingly institutionalised, fund directors and the organisations they work for must also demonstrate these traits to remain competitive. Fund investors will also need to be assured that directors have the ability and resources to invest in IT specialists, documented policies and state-of-the-art technology to properly manage and protect the fund information that comes within their control.

Conclusion

In today’s highly sophisticated fund industry, a hedge fund director who cannot demonstrate a robust cybersecurity understanding or environment is at a competitive disadvantage and will find it hard to compete against those that have spent the time and resources addressing these threats.
Hedge funds strive to achieve a world-class infrastructure, devoting significant time and resources to hiring top-class service providers in order to attract and retain investors. Fund directors can play an important role in helping hedge funds develop and maintain a robust cybersecurity environment, but they can also be the weakest link in the chain themselves if they haven’t adequately addressed how they are receiving and housing their fund’s data.

Ultimately directors are no different from any of the service providers they oversee and even well-intentioned industry participants could potentially be a threat to the fund and its investors if they are operating on outdated technology, or fail to have adequate data protection policies in place. As a board director should be well aware, the consequences of an unsophisticated approach to cybersecurity are all too inevitable.

