Any BBIers know about IT compliance for hedge funds in New York State? I’m trying to figure out if there are any IT certifications, standards or compliance requirements for a small hedge fund here in NYC.
Surprisingly little have I found yet, so ask the BBI do I.
Sure - GLBA refers to the Gramm-Leach-Bliley Act, which has provisions that require financial organizations to protect and secure (both in storage and transmission) any customer data. Practically speaking, it refers to both securing operations and to the operational handling of security incidents, from proper notification of the authorities and regulatory bodies to timely notifications of affected customers.
There are a number of AML (anti-money laundering) compliance requirements for IT, but most hover more on the business than the IT side of the shop. Familiarity with the business processes here would serve you well, and the more important ones center around Know Your Customer (KYC) requirements.
Pre and post trade operations tend to have a lot of remote access involved, and usually require some type of risk based authentication that involves secondary (and in some cases tertiary or certificate based) auth. It would serve you well to have a good understanding of how the technology works.
For general cybersecurity operations, FINRA has a good checklist for smaller orgs (I'm assuming you're not taking the lead role over at Renaissance :). The FFIEC has also put together a good cyber assessment tool, which maps back to the NIST Cyber framework.
Doesn't hurt to know a few things about incident response - which should be covered in the links above, but there are plenty of good resources out there.
From a certification perspective, SANS has a ton of great security/compliance related certs, and the CISSP is still held in high regard by a lot of orgs; although it's listed as a prerequisite for a lot of openings, many employers don't care if you're missing it, so long as you know your stuff.
Hope that helps - let me know if you need me to get more specific.
If dealing with anything financial, I'd get a CPA first, intern at one or two places, and put 100% emphasis on your tech knowledge as it relates to hedge funds and their systems.
Sorry if this advice was misguided, just trying to help. Even as a public company auditor, I was pulled into an internal consulting project by the consulting services practice where programming and software theory would be highly desirable.
This is because the executives and managers you ultimately report to don't see value-added solutions and may have zero knowledge of internal controls such as a password policy or unsecured networks ($10B public companies still use "password" for their company WiFi).
There are a lot of consulting firms specializing in security requirements for systems (e.g., SOX) that would be helpful for research and advice if you are actually looking to ensure your compliance.
Generally speaking, investors, as part of their DD, want to know that the organizations that host the data for the fund's account(s) (Prime Broker/Fund Administrators) can provide audit reports that verify the compliance. Depending on the critical and proprietary data that may also be at the Fund itself, or hosted in the cloud, for use by the fund, there are other concerns and considerations.
JCN and others have given great advice and guidance.
Data security is a very hot area of growth within the industry now, regardless of what is required by law and perhaps demanded by potential investors.
If I can help guide you to some specific resources or help you ensure that a fund you are working with gets the right advice and experts, feel free to let me know. I'll check back on here.
Here is a good list.
By the way, the audits for the large service providers re: SOX are generally done by the big CPA firms.
Cybersecurity at the HF level is best handled by people on this list, though I am sure many of the big CPA firms could do the IT/cybersecurity part as well, but they are probably cost-prohibitive for smaller funds.
Recent HF Alert List of Compliance Consultants
Check this site for some good research material.
I can introduce you to some people there if you need me to.
Link