Relieving The Regulatory Burden: Cyber Security and Asset Management

By Jonathan Wiser | 28 April 2016

The regulatory burden placed upon the asset management community increases year on year. As if this wasn’t enough, the growing number of cyber security breaches at companies globally has become a major concern, one that cannot be neglected. We recently caught up with Geoff Hecht, Partner at Ashland Partners, who shared his thoughts on some of these issues.

Would you be able to introduce yourself and give us an overview of your role?

I am a Partner with Ashland Partners, an investment-specialist CPA firm, providing audit and consulting services to hedge funds, private equity and real estate firms, investment companies, and insurance companies. My main role is to manage approximately 70 client relationships, focusing on verifying investment advisors’ claim of GIPS compliance. In addition, I manage other performance attestation engagements such as Strategy Examinations. Prior to joining Ashland Partners, I was a Portfolio Analyst in the Performance Measurement Group of Fiduciary Trust Company International where I was responsible for institutional account performance and analytics. Currently, I am located in Ashland’s New York office and my client base includes firms in Europe, North America, South America, Africa and the Caribbean, which has given me the opportunity to work with a diverse set of investment managers. I have earned a Certificate in Investment Performance Measurement (CIPM) from the CFA Institute and I am a member of the CIPM Association. I received an undergraduate degree in Finance from the University of Delaware.

With the swathes of regulations globally, companies are increasingly looking to 3rd party providers for assistance, what sort of challenges are your clients coming to you with?

From a regulatory standpoint, the biggest challenges firms are currently contacting us about involve cybersecurity. Our average client is slightly over $10 Billion in AUM so we work with a fair amount of advisers that do not have the internal resources and in-house expertise to meet the growing cyber security requirements put forth by global regulators. For this reason, we have been getting a lot of inquiries regarding our ability to assist firms with policies & procedures, risk assessments, vulnerability scanning, penetration testing, etc. For firms doing business in the United States and registered with the SEC, we have seen an increase in Surprise Custody Examination requests due to the amended Custody Rule which increased the requirements of Rule 206(4)-2 (the “Custody Rule”) of the Investment Advisers Act of 1940 (“Advisers Act”), such as obtaining reasonable belief, and included/expanded the surprise custody examination requirement to have another set of eyes on client assets and provide additional protection against their misappropriation. Finally, the increased regulation has also driven prospective clients to contact us about becoming GIPS compliant and verified or having another performance attestation completed. We have noticed advisers becoming more proactive about following a set of standards or getting their performance examined in order to show they are putting their best foot forward by having their firm and/or performance reviewed by a third-party.

Across the US, there is a high emphasis placed on GIPS within the asset management community; year on year, this is also growing in prominence across European firms – what advice would you give to a company looking to become GIPS compliant?

The earlier a firm decides to become GIPS compliant and verified, the better. The longer the firm waits to begin these processes, the more difficult it becomes to complete them, whether it’s having to locate books and records for historical time periods to support performance or retroactively creating composites, which entails ensuring all discretionary fee-paying accounts, even terminated ones, are included for all periods under review. Another reason for a firm not to wait to become GIPS compliant and verified is some prospective clients will only engage a firm if said firm is GIPS compliant and verified. I often come across firms that inevitably want to become GIPS compliant and verified but keep on putting it off because no prospective clients have ever required it or they assume the internal resources needed or the cost of third-party verification are prohibitive. Although there are costs to coming into compliance, maintaining that claim and engaging a verifier, those costs have lessened, especially in the area of verification. The earlier a firm comes into compliance and sets up controls for maintenance, the lower the total cost will be. For most firms, one $5 to $8 million client would generate enough fees to fund claiming compliance with GIPS and being verified and provide a return on investment.

Moving away from regs, and onto another particularly pertinent topic for firms at the moment: cyber security. What can asset managers do to future-proof against potentially imminent cyber-threats?
 
It is wise to consider the imminent threats separately from the regs because the cyber security threat landscape changes much more rapidly than the regulations do. In order to future-proof against cyber threats, I would suggest a three-pronged approach:
First, asset managers should implement a comprehensive and flexible information security program. This program should include all of the components that regulators require, but should be considered a "living document" that always evolves and changes to the current threat landscape. The program should morph as threats emerge and evolve because a static program is an ineffective program.
Second, asset managers need to educate themselves on the current threat landscape. This includes being aware of common attacks that are happening to firms, emerging threats that are arising in the world, and how these trends may affect you. For example, phishing and other forms of social engineering continue to be popular vectors of attack, there is a rise in browser-based exploits hitting the world, ransomware is on the rise, mobile devices are being used as a way into networks, and the "Internet of Things" will open backdoors into networks. These threats also pertain to all of your third-party service providers, so asset managers must understand how your vendors can compromise your security.
Finally, asset managers must assume that they WILL be attacked. It does not matter if you are big or small. Small firms are getting attacked every day. If a firm believes that, "we are too small to be a target," that is called "security through obscurity" and it simply doesn't work anymore. Ashland Partners have seen numerous small firms hit by cyber threats. The era of cyber security is here, and it needs to be part of the regular course of business. Having cyber security become part of your day-to-day lives is the best way to future-proof against cyber-threats.
 
Is this approach manageable for firms of all sizes (e.g. smaller companies with tight budgetary constraints)?
 
In the case of cyber security, firms can either decide to insource, outsource or create a combination approach based on their budgetary and resource constraints. Each firm needs to decide which approach best works for them and then execute. The most important thing is that they are meeting regulatory requirements, which generally involve annual assessments of risks, creating and annually reviewing controls to mitigate those risks, annually testing controls and providing appropriate training to the firm’s employees. There are no requirements that any or all of this work needs to be performed internally or externally, but it needs to be performed and the results documented. In some firms, there may be internal resources in the compliance and IT departments to cover these needs. In others, there may be the resources but not the expertise. Finally, the last group, which we see the most, contains firms that simply cannot manage the whole program on their own so they outsource some or all of the cyber program with the knowledge that they are ultimately responsible for the results.
 
Any final thoughts?

One area that is a focus of regulatory bodies now and will likely increase in the future is vendor due diligence. We have seen extensive efforts from our bank clients in this area through increased questionnaires and other requests for information about Ashland Partners’ business and interaction with the bank. This is starting to trickle down to investment managers, who in many cases, don’t know the right information to request. In addition, simply requesting information from your vendors is not sufficient. Regulators want managers to analyze and understand how your vendors pose risks to their firm. That is time-consuming and a specific expertise. Most investment managers do not have the luxury of a risk department so the task falls on others within the investment manager, who likely do not have the time nor the expertise. Vendor due diligence is going to increase in importance. Although it is for more than cyber security issues, regulators and others know that a firm’s vendors can be the weak link if the vendor has not made the appropriate preparations to support the investment manager’s needs.
 
By Jonathan Wiser, Head of Content, Osney Media.
