“Life is dangerous”, we heard at a technology debrief at GAIM Ops Amsterdam 2016. While the financial services industry as a whole used to be ahead of the curve on cybersecurity, a regulator argued earlier that day, some parts of the industry – including asset managers – are falling behind.
Our speaker made the case for taking decisive, common sense and above all rapid action on cybersecurity. Many firms are spending a lot on covering every eventuality – and costs for cybersecurity have spiralled upwards. As one panellist noted, compliance is the last thing that many asset managers want to spend money on. But regulatory pressure from the United States, and soon Europe, means that inaction is no longer an option.
Ahead of GAIM 2016, we spoke to Jérôme de Lavenère Lussan of Laven Partners about how hedge funds are achieving compliance but also gaining comparative advantage from investing in technology.
Do you believe managers are getting value-for-money on operations and compliance solutions from service providers today?
No, but nor are they challenging the current model which is a classic pay-per-hour service or pay-per-AUM. What would bring value are fixed-price solutions. Those can be aided by software but a software that is only providing a component: for example, reporting or document hosting is not a complete software solution and still requires a lot to be done by and at the will of the compliance team. What would bring real value is fully-compliant software designed to match the law. That is a complete software solution that slots into a workflow and reduces costs and time consumption. Today for many small managers, compliance costs are about £12,000 a year with little added value. The same binary support of reviews or regulatory updates can be done much more effectively with software.
Read the entire interview and watch exclusive video with Jérôme.
A key distinction to make is between indiscriminate attacks and targeted attacks. The former are familiar – phishing emails sent out to huge email lists purchased online, probing the weak spots in an organisation and their network. Another example cited was an email sent round the office promising pictures from the office party with a link to a dodgy website – our panellist telling the story added that everyone who clicked on it was sent directly to IT training. New methods like ransomware involve more work, but are more lucrative. The target of this attack accidentally installs an application which promptly locks off part of their data – demanding payment, usually in bitcoin.
However, often the simple interventions are the most effective. Quick wins might include having your teams lengthen their passwords or use two-factor authentication for important accounts. Don’t use USB sticks to transfer data within the firm. Other system-level solutions are free. One panellist monitors peaks and troughs in the use of IT systems in his firm – when activity is flatlining, he can see a single individual interfering with the network. Our panellists agreed that CEOs and COOs are key champions of cybersecurity – why? Because they will have to answer to clients.
So how to move forward? The key thing is that US regulators, and the European authorities that are following them closely with new rules, are all using the same framework for cybersecurity. The US National Institute of Standards and Technology set these out in 2013, and they can be read in full here. It’s guided above all by a risk management approach – which provides flexibility. As the NIST Framework document states:
With an understanding of risk tolerance, organizations can prioritize cybersecurity activities, enabling organizations to make informed decisions about cybersecurity expenditures…Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.
So how do we size up the risk – and the cost? Panellists threw around $50 as the street value of personal data – and so at scale cybercrime is big business. But let’s not get alarmist, interjected one speaker. Just as hackers are getting more and more sophisticated, so is the technology firms can use to thwart them. More significantly, the technology is emerging to automate business processes in a secure, compliant manner – bypassing the human point of failure that leads to breaches in the first place.
We were joined by Jerome Lussan, CEO, Laven Partners; Richard Haas, Chief Operating Officer, CapeView Capital; Thomas Deinet, Executive Director, Hedge Fund Standards Board and James Tedman, Managing Director, ACA Aponix (Europe). Our moderator was William Jenkins, Director, Co-Head Operational Due Diligence, Amundi Alternative Investments.