The UK Hedge Fund Standards Board (HFSB) announced on September 17, 2015, that it has added a “Cybersecurity Memo” to its Toolbox function. http://www.hfsb.org/sites/10377/files/cybersecurity_hfsb_toolbox_.pdf
The Toolbox provides guidance to managers, investors, and fund directors on fund-related issues such as governance, internal processing, and reporting. The Toolbox acts as a complement to the HFSB’s standard-setting activities.
The memo provides:
An overview of existing high-level cyber risk management tools.
Appendix B of the Cybersecurity Memo sets out existing cybersecurity frameworks, such as the NIST Cybersecurity Framework and the ISO/IEC 27000 series, alongside an explanation of the approach each framework takes to cyber risk management. The HFSB then provides its own assessment of each approach, though it does not ultimately recommend one over another.
A framework to identify a firm’s key digital assets (“crown jewels”).
The HFSB stresses the importance of understanding an organization’s vulnerabilities and what it describes as the organization’s “crown jewels” (such as confidential information, customer personal data, critical systems, proprietary algorithms, and trading books). To assist firms in identifying their own “crown jewels,” the Memo provides a sample table that breaks down the possible threats, potential impact of exploitation, and other considerations for suggested “crown jewels.”
A list of practical “quick win cybersecurity action items”.
The list of “quick win cybersecurity action items” is essentially the “low-hanging fruit” of information security. The Memo lays out administrative, technical, and physical security measures that amount to, from the HFSB’s perspective, the minimum an organization should be doing with respect to cybersecurity. Examples include regular data backups; anti-virus, email, and web filtering; access controls; and username and password protection.
An overview of “cybersecurity projects” to enhance a firm’s resilience.
The HFSB recommends that firms undertake additional “cybersecurity projects” to tailor each firm’s approach to addressing cybersecurity threats. The projects are more comprehensive suggestions than the “quick win cybersecurity action items,” and are designed for information lifecycle management. The recommendations cover, among other actions, tracking the flow of information throughout the organization; training employees; maintaining an incident response plan; and continuing to reassess the firm’s cybersecurity program with an emphasis on benchmarking against best practices.
Assistance in the development of an “Incident Response Plan”.
The HFSB underscores the importance of an incident response plan in the Cybersecurity Memo. To assist firms in developing a comprehensive plan, the Memo identifies certain categories of information to include, such as a risk assessment that evaluates the level of response appropriate to different types of incidents; a list of critical infrastructure; and a list of emergency key contacts, which includes regulators and law enforcement for incident reporting purposes. The Memo further suggests an action plan for reporting and escalating a cyber incident, and emphasizes that roles and responsibilities related to the response plan should be clearly defined.
An overview of regulatory requirements, guidance and approaches to cybersecurity.
Recognizing the patchwork of laws, regulations, and guidance related to cybersecurity, the HFSB attempts to simplify matters with a chart in Appendix A of the Memo. The chart lists the relevant regulators that have published materials on cybersecurity, accompanied by a brief description of each material’s content and the HFSB’s observations. Though the accompanying descriptions are by no means comprehensive, the chart is a welcome compilation of applicable guidance.
Conclusion
The HFSB’s Cybersecurity Memo reflects a global trend of heightened focus on cybersecurity by regulators.
The HFSB’s guidance is one of myriad global efforts focused on understanding cybersecurity and offering business guidance on best practices and regulators’ expectations.
Regulated businesses should prepare for the onslaught of regulations by assessing their cybersecurity posture and verifying that their cybersecurity practices are consistent with industry best practices and available guidance.
The benchmarks for assessing cybersecurity should include the legal requirements and regulatory guidance available both in the UK and globally, given that regulators are looking to best cybersecurity practices globally to formulate their guidance.