Security within the alternative investment community has always been a key component of any well-run business plan. The ability to “keep the bad guys out” is a core mandate of operations and technology teams as well as a prerequisite for funds’ IT initiatives. Cybersecurity – comprising the people, processes, and systems required to ensure proper access to information by and only by authorized employees, clients, and third parties – is seeing a renewed emphasis in the financial services industry in 2014, and for firms with an out-of-date or informal cybersecurity plan, now is the time to act.
With the explosion of mobile, social, and cloud computing in recent years, financial services firms have felt pressure like never before to increase the number of ways that they can interact with their clients through technology. At the same time, these firms are becoming more enticing targets for attacks from outside actors, who are taking advantage of an increased attack surface area as financial services firms become more transparent and available to their clients and investors through technology. This combination resulted in the financial services industry being one of the primary targets for cyber-attacks in 2013.
Regulators, particularly the Securities and Exchange Commission, have taken note of this trend and are doing their part to address the problem by placing increased scrutiny on cybersecurity risk management in 2014. Earlier this year, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released an alert declaring an initiative to assess cybersecurity preparedness in the securities industry. The risk alert and its corresponding appendix with a sample of requested documents should be required reading for all financial services firms.
Though in many ways the quantity of cybersecurity threats has never been greater, and the regulatory scrutiny never more focused, there are a number of practical, actionable steps that financial services firms can and should be taking right now to address the problem head-on. Gravitas has prepared a framework for assessing a firm’s cybersecurity preparedness, and, subsequently, its resilience to operational threats and regulatory compliance requirements. This whitepaper provides a foundation for that framework by highlighting how firms should create awareness, generate procedures, and add the required technologies through our six-layered cybersecurity strategy: Physical, Network, Malware, Access Control, File Monitoring, and an Incident Response Plan.