Executive Summary

GUIDE TOSOUND PRACTICES FOR

CYBER SECURITYVersion 2.0 (July 2017)

Technological advances have brought great efficiencies to alternative asset managers (referred to throughout this Guide generically as ‘investment managers’), but not without introducing new and unexpected risks. Rapid technological developments often tend to introduce both novel opportunities and previously unimagined risks. In today’s world, cyber security is one of the biggest challenges facing business and it is often difficult to appreciate what businesses should really be worried about in terms of cyber threats. Until now there has been very little guidance tailored to investment management firms in general, and alternative asset managers in particular. This has raised questions both about investment managers’ understanding of the various cyber security-related issues and how they could impact their businesses, as well as their overall level of preparedness.

Investment managers who have considered the extent of cyber risks in their business will already know that there is no one-size fits all solution: each investment manager’s reaction must be appropriate to them, and proportionate to their budget. Throwing money at the problem is not always the most effective solution. With this in mind, the Guide walks through the material considerations in the wider cyber debate to enable investment managers to have informed internal discussions about what they need to do within their own organisations to respond to the threat and continue to be an effective investment manager.

Some of what is referenced in the Guide many investment managers may do already, some of it may be new or provide a new angle to the debate for some investment managers, and there will be much along the scale in between, but the overall message is that doing nothing is not an option.

The Guide is not intended to be the solution to any investment manager’s cyber security issues. It is designed to frame the principles of the debate rather than directing it. The Guide seeks to enable those responsible for the implementation of a cyber security programme

to really understand the universe of problems as well as to consider more sensibly what is and what is not applicable to them. The Guide also tries to differentiate between what are seen as advanced defensive techniques and those which are more basic to enable some selection to be made between base layer protection and something more complex. While there is an acknowledgement of the most sophisticated of cyber threats and protection techniques, the focus of this Guide is to concentrate upon doing the straightforward things really well.

The Guide will help investment managers:

• understand their critical assets and threats targeting these assets in order to determine what their overall risk to the threat is;

• assess what their cyber security goals are in the context of their risk tolerance; and

• assess whether their current governance structure and existing information security policies and procedures are sufficient for meeting those goals.

The Guide will also assist investment managers in improving their understanding of the nature and scope of the cyber threats facing them and the developing regulatory context being applied to cyber security matters. Section 2 of this Guide explores the nature and scope of the cyber threat facing investment managers, looking at the types of attackers and what motivates them, and it also provides some real examples to illustrate the current threat environment. Section 3 then discusses the developing regulatory context.

Because the hedge fund community shares many common features with other players in the financial services world, an investment manager’s reaction needs to consider the same issues:

• employee education,

• executive engagement,

• ongoing monitoring,

Executive summary

2

Guide to Sound Practices for Cyber Security | Version 2.0 ( July 2017)

Foreword to Version 2.0 (July 2017)What’s new in this version1. Executive summary

2. The nature and scope of the cyber threat2.1 Attack types2.2 Traditional threat actors2.2.1 Nation states2.2.2 Organised criminal actors2.2.3 Opportunistic actors2.3 Non-traditional threat actors2.3.1 Hacktivists2.3.2 Insiders3. Regulatory and technical context3.1 The changine approach in the UK and Europe3.2 Technical context

4. Initial considerations for a cyber security programme

4.1 Forming a business plan to address cyber security4.2 Critical security defences4.3 Culture - Executive engagement and

responsibility 5. Elements of an effective cyber security

programme5.1 Governance (basic)5.1.1 Oversight and accountability5.1.2 Policies and procedures

5.2 Employees5.2.1 Personal protection (basic)5.2.2 Home and mobile working and access controls

(basic)5.2.3 Approving, managing and reviewing user privileges

(basic)5.2.4 Education (basic)5.3 Technology5.3.1 Data protection5.3.2 Protection prevention5.3.3 Detection measures5.3.4 Audit and controls5.3.5 In-house development considerations5.3.6 Cloud service considerations5.3.7 Certification6. Ongoing assessmentsAPPENDIX A - Glossary of Common AttacksAPPENDIX B - Regulatory Links

APPENDIX C - Additional Cyber Security Resources

APPENDIX D - Threat Matrix

APPENDIX E - Cyber Security Checklist

APPENDIX F - Data Pivacy

APPENDIX G - AIMA Working Group members for Version 2.0

APPENDIX H - AIMA Working Group members on original 2015 publication

APPENDIX I - About AIMA

• proper procedures and auditing,

• self-testing,

• personal device control,

• managing risks from relationships with third-parties, and

• appropriate insurance.

Accordingly, the rest of the Guide elaborates on the considerations relevant to the development, operation and maintenance of an effective cyber security programme. The discussion in the Guide focuses on matters such as governance, employee related considerations, the technology that can be used for data protection, threat prevention and threat detection and how these technologies can be developed in-house or using cloud services.

Table of Contents

3

Guide to Sound Practices for Cyber Security | Version 2.0 ( July 2017)

Electronic copies of the full Guide to Sound Practices for Cyber Security, Version 2.0 ( July 2017) are available to AIMA member contacts via the AIMA website. The electronic copies are subject to a limited licence and are reserved for the use of AIMA members only.For further details on AIMA membership, please contact Fiona Treble (ftreble@aima.org), who will be able to assist you.

DisclaimerThe Guide is not a substitute for specific advice, whether legal, regulatory, tax or other advice, nor for professional judgement. It does not seek to provide detailed advice or recommendations on the wider ranging corporate governance issues.© The Alternative Investment Management Association Ltd, 2017

AIMA members have exclusive access to a growing library of industry references:

Due Diligence Questionnaires: Guides to Sound Practice:• Clearing Members • Business Continuity Management• Fund Administrators ^ • Cyber Security• Hedge Fund Boards of Directors • Selection and Periodic Assessment of Administrators^• Hedge Fund Managers ^ • Valuation ^• Individual Fund Directors • Investor Relations• Prime Brokers • Liquidity Risk Management *• Vendor Cyber Security • Market Abuse and Insider Trading *

Guides and Guidance Notes: • Media Relations

• Fund Directors’ Guide • Operational Risk Management• Guide to Liquid Alternative Funds • OTC Derivatives Clearing• Guide to Managed Accounts * • Paying for Research• Implementing MiFID II • Selecting a Prime Broker• Side Letter Guidance• Expense Allocation Guidance * * Forthcoming ^ Update in progress

About AIMAAIMA, the Alternative Investment Management Association, is the global representative of the alternative investment industry, with more than 1,800 corporate members in over 50 countries. AIMA’s fund manager members collectively manage more than $1.8 trillion in assets. AIMA draws upon the expertise and diversity of its membership to provide leadership in industry initiatives such as advocacy, policy and regulatory engagement, educational programmes and sound practice guides. AIMA works to raise media and public awareness of the value of the industry. AIMA set up the Alternative Credit Council (ACC) to help firms focused in the private credit and direct lending space. The ACC currently represents over 80 members that manage $300 billion of private credit assets globally. AIMA is committed to developing skills and education standards and is a co-founder of the Chartered Alternative Investment Analyst designation (CAIA) – the first and only specialised educational standard for alternative investment specialists. AIMA is governed by its Council (Board of Directors). For further information, please visit AIMA’s website, www.aima.org.

4

Guide to Sound Practices for Cyber Security | Version 2.0 ( July 2017)