The US Securities and Exchange Commission (SEC) announced its cybersecurity plans for RIAs and funds back in February 2022, almost two years ago. Those rules still aren’t finalized, but 2024 could be the year when alternative investment fund managers receive their marching orders with regard to their cybersecurity infrastructure.
But if you use a fund administrator – something that, particularly in the private markets, isn’t as prevalent as it should be – you should be asking them about their cybersecurity program as well. Fund administrators are responsible for providing various services to investment funds, such as accounting, reporting, compliance, valuation, and custody. These services involve handling sensitive and confidential data of the funds and their investors, such as financial statements, personal information, and transaction records. Therefore, fund administrators need to have a robust cybersecurity program in place to protect this data from unauthorized access, theft, manipulation, or loss.
A cybersecurity program for a fund administrator should cover the following aspects:
Risk assessment and management: identifying and evaluating the potential threats and vulnerabilities that could affect the fund administration data and systems and implementing appropriate controls and measures to mitigate them.
Data protection and encryption: ensuring that the fund administration data is securely stored, transmitted, and accessed, using encryption, authentication, authorization, and backup techniques.
Network and system security: securing the fund administration network and system infrastructure, using firewalls, antivirus, intrusion detection and prevention, patch management, and configuration management tools.
Incident response and recovery: establishing and testing a plan to respond to and recover from cyberattacks and incidents, including reporting, investigation, containment, eradication, restoration, and improvement actions.
Education and awareness: training and educating the fund administration staff and clients on the best practices and standards of cybersecurity and promoting a culture of security and responsibility.
There are, of course, benefits to the fund administrator from implementing a robust cybersecurity program, including an enhanced reputation and a competitive edge.
But this is about you, the alternative investment fund manager. 2024 could well see the finalization of the SEC’s cyber rules, which will likely cause a rush from fund managers to comply with the new rules in terms of their own businesses. But making sure your front door is locked won’t help if your back door isn’t, so ensure that your fund administrator – and any other third party you use that handles sensitive client and employee data – is doing their bit to protect themselves and you.
**********
Anthony D. Mascia is Managing Partner at EFSI.
EFSI is an independently owned, SOC-1 compliant, full-service fund administration firm. We provide accounting, reporting, administrative, and capital introduction services to a wide range of alternative investment funds including hedge funds, funds of funds, private equity funds, real estate funds, venture capital funds, and family offices. The center of EFSI’s service incorporates resilient technology and accomplished staff, providing clients a tailor-made service with exhaustive transparency.