In their 15 April, 2014 Risk Alert OCIE Cybersecurity Initiative, the US Securities and Exchange Commission (SEC) identify 28 measures to gauge the effectiveness of a regulated firm’s preparedness to combat cyber threats. In fact the guidance actually raises 71 actions they consider important to address in any effective cybersecurity programme. Our brief was to ensure alignment with SEC cybersecurity guidance.
We performed an end-to-end review of a US hedge fund’s security policies, incident management processes, access controls, event monitoring, user awareness practices, and vendor governance, aligning the SEC guidance to industry standard cybersecurity frameworks to ensure complete coverage. We also reviewed the hedge fund’s primary technology vendor and admin services company.
We used in-house bespoke valuation and risk tools, which were mainly excel based, an SQL service data repository and documentation storage in file shares with dedicated on-site routers to provide a conduit to the primary technology provider.
We identified the high priority improvement opportunities on which the hedge fund should focus, aligning their budget priorities with the SEC guidance and defining a roadmap for continuous improvement. During the review, it became clear to the hedge fund that a new technology provider was required, and our work also helped to inform their selection process.