The Trojan horse in the room

Private fund managers have improved their cybersecurity policies, but they’ve still a way to go to satisfy the regulators. Why is it proving so hard to be compliant?

The Securities and Exchange Commission’s message on cybersecurity is slowly getting through to most private fund managers. Since the agency’s former chairwoman Mary Jo White warned it was the “biggest threat to financial services” – and other staff echoed her sentiment – firms have worked hard to ramp up their programs.

The agency’s recent sweep – its second in four years – found that most of the firms it examined had written cybersecurity policies and procedures in place and nearly all conducted periodic risk assessments. This is a definite improvement on the last assessment which found that “comparatively fewer” had taken these steps.

But there’s still some way to go and the agency did find shortcomings remain – many policies were not tailored to the specifics of the firm, others not reviewed annually where required. At a systems level, several firms were using outdated operating systems.

Why is cybersecurity proving to be such a mammoth task for fund managers that have been equipped with regulatory guidance for a few years? For some, it is the size and cost of the task. As one private equity firm told pfm earlier in the year, cybersecurity is an expensive business. Training staff, installing new systems if required and paying companies to test those systems come with a large price tag.

But, given that a data breach carries an even greater price tag – financial and reputational – the cost should really be weighed against the benefit.

A lack of internal expertise is another factor. An IT helpdesk may be equipped to deal with desktop issues, but staff are generally not trained in security and cannot implement a cybersecurity program. A number of firms are addressing this by hiring a chief technology officer to oversee the implementation and maintenance of a cybersecurity strategy.

This is a measure most firms, particularly those that are growing, should consider as a priority, a panelist at sister title Private Equity International’s Investor Relations Forum in New York said.

Another factor is the changing nature of cyber warfare. No matter how prepared a firm may be for existing threats, the risks are growing as criminals develop more tools and achieve more success. This means every fund manager has to continually upgrade what they use, or be at risk in the future. Frequent cyber risk and threat analysis is essential, not a nice-to-have.

Cybersecurity may be a moving target, but this excuse will not wash with the regulator, or investors, in the event of a breach. Private fund managers must take heed of the SEC’s warnings and advice, and make sure they do not become complacent as they refine and maintain the policies most have worked hard to put in place.