This Guide to Sound Practices for Cyber Security (the “Guide”) is the initiative of AIMA’s Sound Practices Committee.
The Guide sets out principles that an investment manager should consider when developing a cyber security programme as part of its overall compliance and operations. While the intention has been to produce this resource for general use, it should not be assumed that one-size fits all. The size, nature, jurisdiction of regulation and complexity of an investment manager’s operations and investment strategy may mean that some or all of the sound practices as set out in the Guide are in fact inappropriate to the business of a particular investment manager. Additionally, technological capabilities and regulatory requirements will change over time. Accordingly, the sound practices should not be regarded as definitive or “best” practices, though ideas for growth and development may be provided.
As a general resource, the Guide should not be regarded as a substitute for professional advice, which should still be obtained where appropriate. Further, the Guide does not replace any applicable legal or regulatory requirements, which are likely to be more detailed than the sound practices described.
We would like to thank the contributors to this guide, all of whom have volunteered their time and worked hard to produce this Guide. We intend to revise the Guide further as and when material developments occur.
Principal, RSM US LLP
Director, Asset Management Regulation, AIMA
- Matthew Franko, Principal, RSM US LLP
- Christopher Vella, Technology Due Diligence Analyst, Albourne Partners
- Darren Tingley, Executive Director, Head of Security and Internal IT, Enfusion
- David J. Sampson, Vice President of Consulting, Thrive
- Ferdisha Snagg, Counsel, Cleary Gottlieb Steen & Hamilton
- George Luchita, Head of Cyber Security & IT Infrastructure, FM Capital Partners
- George Ralph, Global Managing Director & CRO, RFA
- Melissa Harbhajan, Vice President - Operational Due Diligence, BNY Mellon
- Nadia Salih, Operational Due Diligence Analyst, Kedge Capital
- Peter Kim, Managing Partner, Absolute Return Partners
- Peter Lambert, Chief Operating Officer, Tweeddale Advisors
- Simon Du Plessis, Head of Consultancy, Twisted Fish
- Stephen O’Keeffe, Senior Manager - Cybersecurity, Privacy & Forensics, PwC
- Tony Adams, Associate Partner, Cyber Risk Practice Lead, GD Financial Markets
What’s new in this edition
The 2022 Edition of the Guide includes, among other things:
- a new glossary;
- a revised cyber threat landscape overview, including most recent examples of cyber-attacks (Section 2);
- an update to third-party risk management (Section 4.1.1);
- an update to vendor due diligence and supply chain contracts (Section 4.1.2);
- a number of revisions to the section on employees, including remote working and access control policies and procedures (Section 4.2);
- a revised technology section, including updated protection measures (Section 4.3);
- an update to the section on cloud native technology (Section 4.3.7);
- revisions to testing and ongoing assessments (Section 5); and
- a new section on ICT and cyber-related regulation and guidance (Appendix C).
Table of Contents
1. Executive summary
2. Cyber threat landscape
2.1 Attack types
2.2 Traditional threat actors
2.2.1 Nation states
2.2.2 Organised criminal actors
2.2.3 Opportunistic actors
2.3 Non-traditional threat actors
3. Initial considerations for a cyber security programme
3.1 Executive engagement
3.2 Basic security defences
4. Elements of an effective cyber security programme
4.1 Governance and strategy
4.1.1 Oversight and accountability
4.1.2 Policies and procedures
4.2.1 Personal protection
4.2.2 Remote working and access controls
4.2.3 Approving, managing and reviewing user privileges
4.2.4 Education and training
4.3.1 Data protection
4.3.2 Protection measures
4.3.3 Detection measures
4.3.4 Audit and controls
4.3.5 In-house development considerations
4.3.6 Cloud service considerations
4.3.7 Cloud native technology
5. Testing and ongoing assessments
6. AIMA Cyber Security Checklist
APPENDIX A - Glossary of Common Attacks
APPENDIX B - Threat Matrix
APPENDIX C - Regulatory Landscape
The Long-Short is a new podcast by the Alternative Investment Management Association, focusing on the very latest insights on hedge funds and private credit.
Each episode will examine topical areas of interest from across the alternative investment universe with news, views and analysis delivered by AIMA’s global team, as well as a host of industry experts.
This week, The Long-Short spoke to two cyber security experts from RSM US LLP, Matthew Franko and David M. Collins and to AIMA’s James Delaney, Director, Asset Management Regulation, to understand more about what an investment manager should do to prepare and respond to a cyber threat or disruption.
Listen to this episode and subscribe on Apple Podcasts
Listen to this episode and subscribe on Spotify
Listen to this episode and subscribe on Google Podcasts
This podcast is the sole property of the Alternative Investment Management Association (AIMA). This audio production and content are intended as indicative guidance only and are not to be taken or treated as a substitute for specific advice, whether legal advice or otherwise. AIMA permits use or sharing of the content in media or as an educational resource, provided always that proper attribution is made. The rights in the content and production, including copyright and database rights, belong to AIMA.
AIMA CyberTech Virtual Forum
AIMA is pleased to announce the CyberTech Virtual Forum an inaugural half-day virtual conference focusing on all cyber and technology related developments impacting the alternative management industry.
Speakers will discuss critical themes in cyber risk and resilience and how technological advances are shaping the future of the alternative investment industry.
To find out more and register click below.
AIMA CyberTech Virtual Forum 2022