John Araneo, Align Cybersecurity

Cybersecurity challenges for investment managers

The Cybersecurity phenomenon has completely changed the game in both the investment management industry and the broader financial services sector.

Attacks on fund managers, investment advisers and other fiduciaries ("Fund Managers") are increasing in frequency, sophistication and severity, and both the regulators and the investor community have been paying close attention. To responsibly manage Cybersecurity risk, Fund Managers need to, at minimum: (i) understand certain existing legal obligations and an evolving regulatory focus; (ii) comprehend fundamental IT and technology principles; (iii) monitor evolving threats, technologies and attack protocols; (iv) appreciate their data use and information workflows; and (v) simultaneously manage their employees' training needs, their vendor controls and their investors' expectations. Align Cybersecurity solves all of these challenges.

As it stands today, Cybersecurity law consists of a crazy quilt of federal, state and international laws and statutes, further complicated by additional industry-specific rules and best practices, together creating a body of jurisprudence that is disjointed and convoluted. Similarly, since early 2014, we've seen regulatory initiatives demonstrating that Cybersecurity is squarely in the crosshairs of investment management regulatory bodies, including the SEC. Examples include the SEC's recent "Cybersecurity Sweeps," its designation of Cybersecurity as a top regulatory priority for the last four (4) years running and its recent enforcement activities, which have produced at least one seven-figure settlement.

And yet the elements of a model Cybersecurity Program remain unclear, leaving Fund Managers struggling to understand their legal, compliance and fiduciary obligations.

"Clearly, 'Cybersecurity Preparedness' is viewed by the regulators as both a core control and a minimum standard, yet one which they refuse to define," says John Araneo (pictured), managing director, Align Cybersecurity, and general counsel of Align. "The guidance provided to date has been largely principles-based, failing to provide a clear construct on precisely how to design an unimpeachable Cybersecurity Program. Unfortunately, in the absence of any bright-line rules or black-letter law espousing the required elements of a sound Cybersecurity Program, Fund Managers have been left scratching their heads on how to comply."

Cybercrime has evolved into a vexing cat-and-mouse game: criminals make a move, you counter it, they counter your counter, and all the while damages accrue. Cybercriminals don't just target technology; they target human flaws through myriad attack vectors, including phishing, business email compromise (BEC), malware and ransomware. WannaCry and other devastating ransomware outbreaks have taught the world that cybercriminals gain the upper hand through a false sense of security, lack of training and obsolete systems. Fund Managers must remain informed of these emerging and evolving risks as they develop.

"In the new era of Cybersecurity where threats are omnipresent, Fund Managers require a comprehensive solution that enables firms to stay one step ahead of cybercriminals," says Vinod Paul, COO of Align. "Align launched Align Cybersecurity specifically to fill this void in the investment management space and recently assembled an elite team of Cybersecurity subject matter experts encompassing legal and compliance, IT and technology, and security protocols. Our Cybersecurity Advisory Services offer an unparalleled suite of solutions, helping Fund Managers design customised Cybersecurity Programs that will satisfy regulators, please investors and empower employees."