When it comes to the world’s largest hedge funds, any news regarding their positions on stocks or other asset classes can move the markets, which means cybersecurity is becoming increasingly important. Chief compliance officers are now finding themselves with a lot to learn about digital safety and just using the Internet in general. As we move into 2016, it’s important for funds and other investment firms and advisers to be aware of the changes made by the Securities and Exchange Commission this year and how they can keep their proprietary information safe until they are either ready or required to release information on their positioning.
New expectations for chief compliance officers
Hedge fund service firm Blue River Partners has released its end-of-year compliance report summarizing this year’s changes from the SEC’s Office of Compliance Inspections and Examinations (OCIE). The firm starts by highlighting an October speech by OCIE Chief of Staff Andrew Donohue, who provided a summary of what’s now expected of chief compliance officers.
Perhaps the most important piece of the puzzle is all the new laws and regulations regarding use of social media by hedge funds and cybersecurity. All it takes is one hack for insider trading to become an issue, as, in theory, hackers could simply get into a fund’s systems, steal information regarding an undisclosed position, and then either buy up shares before it is disclosed and/or release the information early after purchasing shares.
Chief compliance officers also must have a deep understanding of the firm they work for and how it identifies and resolves conflicts of interest. Further, they must understand the target customers and the firm’s policies and procedures, and have sufficient resources to comply with all the laws and regulations pertaining to compliance.
Hedge funds must be aware of cybersecurity risks
Blue River Partners points out that throughout 2015, the SEC did issue a number of risk alerts, announcing in January that it would start focusing on cybersecurity compliance in its 2015 Examination Priorities. The following month, the agency issued an alert summarizing the sweep exams that can be conducted to analyze threats that broker-dealers and investment advisers face.
In April, the OCIE issued an alert outlining a number of cybersecurity threats and advice, and then in September, the agency explained its new Cybersecurity Examination Initiative, which means hedge funds and other firms will face more tests, procedures and controls to evaluate their controls and procedures.
Blue River Partners provided the following list of helpful links for chief compliance officers to get up to speed on the new cybersecurity guidelines and compliance requirements:
- SEC’s 2015 Examination Priorities
- SEC’s February Cybersecurity Examination Sweep Summary
- SEC’s April Cybersecurity Guidance
- SEC’s September Risk Alert describing the Cybersecurity Examination Initiative
Cybersecurity Interpretive Notice
Blue River Partners also reports that in August, the National Futures Association adopted its Cybersecurity Interpretive Notice, which requires all of its members to adopt and enforce an Information Systems Security Program by March 1, 2016. The program must cover a number of areas like a security and risk analysis, a description of any safeguards they are taking against threats or vulnerabilities, how they evaluate breaches that have been detected, and how they educate and train employees regarding cyber-safety.
An executive at the firm must approve the program, and its effectiveness must be continually monitored and reviewed on a regular basis.
Compliance calendar for Q1
Blue River’s report also covers the other big changes made by U.S. regulators in 2015 (those not pertaining to cybersecurity). The firm put together this calendar to help compliance officers prepare for important deadlines that are coming up in the first quarter of 2016:
The firm also compiled this chart for the annual compliance obligations for 2016: