As many of you are aware, there is an increased regulatory and investor focus on cybersecurity in the funds space (just last week the Cayman regulator issued this circular). In this guest post, my friend Erik Kellogg discusses one of the key cybersecurity issues that start up and emerging managers should address.
One of the biggest cybersecurity issues facing financial firms, hedge funds and service providers right now is the inadequacy of an initial Written Information Security Policy (WISP). A WISP is a control document that lays a cyber secure framework to protect your information, reputation and investments by stating specifically what you will and will not do within your infrastructure. Your WISP is most likely the very first thing the SEC or CFTC will ask for should they be initiating a cybersecurity audit.
In fact, this is the very reason a RIA was fined $75,000 and blasted on Twitter last year. The SEC wasn’t overly concerned with the actual data breach, but the lack of proper documentation. Without running a full assessment of your infrastructure and internal processes, it’s difficult to write a truly comprehensive and effective WISP. But, here are a few items to include if you are a start-up fund manager writing it yourself:
- Password Policy – State the strength, life and rules of your passwords.
- Personal Identifying Information (PII) – Any data that is considered PII should have rules around how it is gathered, stored, used and destroyed.
- Access Controls – Explain who is allowed to access what data and why.
- Ownership – Outline who owns and takes responsibility for specific data. Also, designate a person responsible for the cybersecurity within the firm.
- Cybersecurity Measures – List the controls you have in place regarding cybersecurity. This can include remote access, antivirus, outsourced IT, firewalls, etc.
- Data Protection Identification and Priority – Clearly identify and prioritize the data you are protecting and what you are doing to protect it.
When creating your WISP document, be as detailed as possible while still leaving your firm some operational space. The main idea with the WISP is to say what you do and do what you say.
Do not put too much pressure on the actual formatting of your document. Since this is a living document that will evolve, don’t worry if you “have enough”. Remember every firm and fund is different, so is the cyber documentation that supports it.
Erik Kellogg is the founder of inCyber Security, a cybersecurity company focused on the financial industry. inCyber Security offers cybersecurity assessments and services to help make sure their clients’ data and processes are safe. Using assessment findings, they can help managers stay ahead of US regulatory cybersecurity audits. They work closely with clients’ IT staff and vendors to ensure all areas of regulatory cybersecurity are addressed properly. Contact Erik at firstname.lastname@example.org if you would like to discuss your firm’s cybersecurity requirements.