Guide to Sound Practices for Cyber Security

Foreword

This Guide to Sound Practices for Cyber Security (the “Guide”) is the initiative of AIMA’s Sound Practices Committee.

The Guide sets out principles that an investment manager should consider when developing a cyber security programme as part of its overall compliance and operations. While the intention has been to produce this resource for general use, it should not be assumed that one-size fits all. The size, nature, jurisdiction of regulation and complexity of an investment manager’s operations and investment strategy may mean that some or all of the sound practices as set out in the Guide are in fact inappropriate to the business of a particular investment manager. Additionally, technological capabilities and regulatory requirements will change over time. Accordingly, the sound practices should not be regarded as definitive or “best” practices, though ideas for growth and development may be provided.

As a general resource, the Guide should not be regarded as a substitute for professional advice, which should still be obtained where appropriate. Further, the Guide does not replace any applicable legal or regulatory requirements, which are likely to be more detailed than the sound practices described.

We would like to thank the contributors to this guide, all of whom have volunteered their time and worked hard to produce this Guide. We intend to revise the Guide further as and when material developments occur.

Matthew Franko

Principal, RSM US LLP
James Delaney

Managing Director, Asset Management Regulation

Contributors

Matthew Franko, Principal, RSM US LLP
Christopher Vella, Technology Due Diligence Analyst, Albourne Partners
Darren Tingley, Executive Director, Head of Security and Internal IT, Enfusion
David J. Sampson, Vice President of Consulting, Thrive
Ferdisha Snagg, Counsel, Cleary Gottlieb Steen & Hamilton
George Luchita, Head of Cyber Security & IT Infrastructure, FM Capital Partners
George Ralph, Global Managing Director & CRO, RFA
Melissa Harbhajan, Vice President - Operational Due Diligence, BNY Mellon
Nadia Salih, Operational Due Diligence Analyst, Kedge Capital
Peter Kim, Managing Partner, Absolute Return Partners
Peter Lambert, Chief Operating Officer, Tweeddale Advisors
Simon Du Plessis, Head of Consultancy, Twisted Fish
Stephen O’Keeffe, Senior Manager - Cybersecurity, Privacy & Forensics, PwC
Tony Adams, Associate Partner, Cyber Risk Practice Lead, GD Financial Markets

What’s new in this edition

The 2022 Edition of the Guide includes, among other things:

a new glossary;
a revised cyber threat landscape overview, including most recent examples of cyber-attacks (Section 2);
an update to third-party risk management (Section 4.1.1);
an update to vendor due diligence and supply chain contracts (Section 4.1.2);
a number of revisions to the section on employees, including remote working and access control policies and procedures (Section 4.2);
a revised technology section, including updated protection measures (Section 4.3);
an update to the section on cloud native technology (Section 4.3.7);
revisions to testing and ongoing assessments (Section 5); and
a new section on ICT and cyber-related regulation and guidance (Appendix C).

Podcast

The Long-Short is a podcast by the Alternative Investment Management Association, focusing on the very latest insights on the alternative investment industry.

Each episode will examine topical areas of interest from across the alternative investment universe with news, views and analysis delivered by AIMA’s global team, as well as a host of industry experts.

This week, The Long-Short spoke to two cyber security experts from RSM US LLP, Matthew Franko and David M. Collins and to AIMA’s James Delaney, Director, Asset Management Regulation, to understand more about what an investment manager should do to prepare and respond to a cyber threat or disruption.

Listen to this episode and subscribe on Apple Podcasts

Listen to this episode and subscribe on Google Podcasts

Listen to this episode and subscribe on Amazon Music

Disclaimer
This podcast is the sole property of the Alternative Investment Management Association (AIMA). This audio production and content are intended as indicative guidance only and are not to be taken or treated as a substitute for specific advice, whether legal advice or otherwise. AIMA permits use or sharing of the content in media or as an educational resource, provided always that proper attribution is made. The rights in the content and production, including copyright and database rights, belong to AIMA.

AIMA CyberTech Virtual Forum

AIMA is pleased to announce the CyberTech Virtual Forum an inaugural half-day virtual conference focusing on all cyber and technology related developments impacting the alternative management industry.

Speakers will discuss critical themes in cyber risk and resilience and how technological advances are shaping the future of the alternative investment industry.

To find out more and register click below.