Cybersecurity was one of the most important issues for alternative investment firms during 2015. In the US, the SEC will continue to target hedge funds and investment advisory firms with weak cybersecurity policies and procedures. SEC regulations already state that investment firms must take adequate steps to secure clients’ personal information and regulators will be scrutinising firms’ practices to identify and penalise those with weak cybersecurity defences. If firms do not take the appropriate steps to secure data, they can face SEC fines.
In the EU, measures to increase online security were enacted in December 2015. The Network and Information Security (NIS) Directive is the first piece of European legislation on cybersecurity, and will require several industries, including banking, to enact appropriate security measures and report any incident to the national authorities.
It is vital for financial sector firms to keep in mind that technology and policy are interdependent, and must be aligned in order to achieve the desired level of cybersecurity protection. A clearly defined approach to IT risk management encompassing both technology and policy is the most effective method of securing data and protecting against potential threats. IT risks can include those pertaining to infrastructure, security, and human factors. In order to mitigate risks appropriately, firms need to move away from the silo approach of viewing IT risk as simply a technology issue, and think about it as an issue with deep ramifications for the entire business. When undertaking a risk assessment, firms should outline the costs from both a monetary and a reputational perspective.
The Markets in Financial Instruments Directive II, also known as MiFID II, was initially set to take full effect in January 2017, with many firms being advised to start preparing early last year. One of the major facets of the regulation is that all financial sector firms will be required to record all telephone and electronic communications that relate to client orders in order to protect investors. While the compliance deadlines around MiFID II were recently postponed, it’s never too early for firms to begin taking proactive steps to ensure they are ready when the rules take full effect. The majority of the UK-based alternative investment sector still faces an immense amount of work in order to ensure their IT systems will adhere to the new regulation. Hedge funds that will be affected by MiFID II should begin implementing technology solutions that ensure all communications are recorded and accessible. There are five simple steps that firms should follow when beginning to evaluate their MiFID II-ready technology strategy: scoping the work to be done, identifying data retention requirements, understanding how their data lifecycle will be managed, plugging gaps in the current communications infrastructure, and finally, selecting a trusted, knowledgeable technology partner to make the entire process seamless.
The European Market Infrastructure Regulation (EMIR) follows the G20 commitment to clear all standardised OTC derivative contracts, where appropriate, through central counterparties, and will bring a significant administrative burden to hedge funds. The regulation, which first came onto the scene in late 2012, aims to improve transparency and reduce the risks associated with the derivatives market by enacting central organisational and conduct-of-business standards for central counterparty clearing houses and trade repositories. While this regulation in itself may not require technological change, it will still be critical for firms to streamline as many back and middle office processes as possible in order to make them as efficient and as competitive as possible. Firms will have to comply with enhanced reporting of all contracts entered into trade repositories, and will need to implement enhanced risk management standards and operational processes. The full regulation is set to apply to the largest institutions in September 2016, and in March 2017 for all other applicable firms.
Basel III, also known as the Third Basel Accord, is a global regulatory framework that applies to bank capital adequacy, stress testing, and market liquidity risk. The regulation impacts risk management departments, and requires financial firms to perform additional calculations and submit an increased amount of data to regulators. In response, firms impacted by the regulation should consider implementing enterprise-wide risk management strategies. Firms should begin preparing by reviewing current risk management strategies and by introducing stress testing, as robust IT systems serve as the foundational layer for this increased activity.
Safe Harbour, initially established in 2000, was a hotly debated issue in 2015 after the agreement was overturned by the European Court of Justice. Safe Harbour was the name of an agreement between the United States and the European Union that provided a standard set of requirements for transferring data between these jurisdictions, and regulated the method by which US-based companies could transfer the data of European citizens. The ruling will create an additional technology burden on many financial sector firms in the short term, as it enables regulators in each individual country to determine specifications around how citizen data can be utilised. As a result of the Safe Harbour ruling, hedge funds and investment managers with an international presence will need to encrypt data, or ensure it stays in the country of origin. Firms facing these challenges will need to take great care to ensure that their data is secure and able to be stored, transferred and processed internationally.
So how can firms prioritise and prepare for the enhanced regulatory environment that is in store for 2016? Firms can start by ensuring that they are cyber-secure as soon as possible, as a strong cybersecurity posture is a crucial facet of each regulation. And firms should also keep in mind that in addition to the regulations outlined above, 2016 will likely see additional pieces of legislation coming down the line. To be ready, firms need to streamline as many processes as possible, in order to make time to revise strategies and comply with enhanced reporting.
Before undertaking any strategy review, always consult with a trusted technology partner that will guide you through the process and ensure that your firm is in complete compliance with regulations.
Published in Bob’s Guide, January 25, 2016