Big Blue Interactive The Corner Forum  

Archived Thread

NFT: Financial IT guys, hedge fund compliance?

trueblueinpw : 11/3/2017 9:38 pm
Any BBIers know about IT compliance for hedge funds in New York State? I’m trying to figure out if there are any IT certifications, standards or compliance requirements for a small hedge fund here in NYC.

Surprisingly little have I found yet, so ask the BBI do I.
Not sure what you mean by IT compliance here?  
jcn56 : 11/3/2017 9:55 pm : link
Obviously they'd have to follow the same IT audit, security and compliance objectives that any other financial would (SOX, GLBA, AML/KYC, etc.), but are you referring to something business-specific to hedge funds?
jcn, I know SOX  
trueblueinpw : 11/3/2017 10:11 pm : link
But no idea what the others are. Can you tell me what those are? The requirement is still a bit vague, investors in the fund want to know that IT operations are secure and for that they’re looking for some kind of certification or compliance. Does that make sense?
RE: jcn, I know SOX  
jcn56 : 11/3/2017 10:48 pm : link
In comment 13674829 trueblueinpw said:
Quote:
But no idea what the others are. Can you tell me what those are? The requirement is still a bit vague, investors in the fund want to know that IT operations are secure and for that they’re looking for some kind of certification or compliance. Does that make sense?
Sure - GLBA refers to the Gramm-Leach-Bliley Act, which has provisions that require financial organizations to protect and secure (both in storage and transmission) any customer data. Practically speaking, it refers to both securing operations and to the operational handling of security incidents, from proper notification of the authorities and regulatory bodies to timely notifications of affected customers.

There are a number of AML (anti-money laundering) compliance requirements for IT, but most hover more on the business than the IT side of the shop. Familiarity with the business processes here would serve you well, and the more important ones center around Know Your Customer (KYC) requirements.

Pre and post trade operations tend to have a lot of remote access involved, and usually require some type of risk based authentication that involves secondary (and in some cases tertiary or certificate based) auth. It would serve you well to have a good understanding of how the technology works.

For general cybersecurity operations, FINRA has a good checklist for smaller orgs (I'm assuming you're not taking the lead role over at Renaissance :). The FFIEC has also put together a good cyber assessment tool, which maps back to the NIST Cyber framework.

Doesn't hurt to know a few things about incident response - which should be covered in the links above, but there are plenty of good resources out there.

From a certification perspective, SANS has a ton of great security/compliance related certs, and the CISSP is still held in high regard with a lot of orgs, and although it's listed as a prerequisite for a lot of openings, many employers don't care if you're missing it, so long as you know your stuff.

Hope that helps - let me know if you need me to get more specific.
That’s terrific!  
trueblueinpw : 11/3/2017 10:58 pm : link
Thanks jcn. A few of my friends from college are in fin tech but they didn’t really have much for me. I’ll bone up on what you posted and let you know if I have any questions. Really appreciate the info!
My pleasure  
jcn56 : 11/3/2017 11:06 pm : link
The only thing I can suggest - try to read up as much as you can on the structure of the business itself. My familiarity with hedge funds is limited to having worked with investment banks' prime brokerage services on the IT security side, but I have a general working knowledge of the way the business works (a prerequisite if you're trying to secure the place).
Accountant for 4 years  
jamison884 : 11/4/2017 3:39 am : link
If you want to combine accounting/auditing with tech, you'll make a lot of money due to high demand in public and private accounting/finance offices in a hired consultant role. Most of the managers and partners have little idea on how to work basic programs let alone ensuring IT integrity is maintained.

If dealing with anything financial, I'd get a CPA first, intern one or two places, and put 100% emphasis on your tech knowledge as it relates to hedge funds and their systems.

Sorry if this advice was misguided, just trying to help. Even as a public company auditor, I was pulled into an internal consulting project by the consulting services practice where programming and software theory would be highly desirable.

This is because the executives and managers you ultimately report to don't see value-added solutions and may have zero knowledge of internal controls such as a password policy or unsecured networks ($10B public companies still use "password" for their company WiFi).
I have worked in the HF industry  
Mike in Marin : 11/4/2017 3:53 am : link
for almost 20 years. My compliance experience is more on the business side (Form PF, AIFMD, etc.), rather than IT, though I am nowhere near an expert.

There are a lot of consulting firms specializing in security requirements for systems (e.g. SOX), that would be helpful for researching and advice if you are actually looking to ensure your compliance.

Generally speaking, investors, as part of their DD, want to know that the organizations that host the data for the fund's account(s) (Prime Broker/Fund Administrators) can provide audit reports that verify the compliance. Depending on the critical and proprietary data that may also be at the Fund itself, or hosted in the cloud, for use by the fund, there are other concerns and considerations.

JCN and others have given great advice and guidance.

Data security is a very hot area of growth within the industry now, regardless of what is required by laws and perhaps demanded by potential investors.

If I can help guide you to some specific resources or help you ensure that a fund you are working with gets the right advice and experts, feel free to let me know. I'll check back on here.
Thanks guys...  
trueblueinpw : 11/4/2017 11:31 am : link
Mike, who would do the audits and what would be the compliance criteria? My firm can run through a list of checks compiled from the various good practices and regulations for data security but that’s not really any sort of official standard.
trueblueinpw  
Mike in Marin : 11/4/2017 1:36 pm : link
the audits done for HFs can be handled by many of the following firms. Many specialize more on the business side, but some handle the IT audits as well.

Here is a good list.

By the way, the audits for the large service providers re:SOX are generally done by the big CPA firms.

Cybersecurity at the HF level is best handled by people on this list, though I am sure many of the big CPA firms could do the IT/Cybersecurity part as well, but they are probably cost-prohibitive for smaller funds.

Recent HF Alert List of Compliance Consultants
Also, this firm  
Mike in Marin : 11/4/2017 1:38 pm : link
handles a ton of IT outsourcing for the HF industry, including tons of smaller HF firms, and may be the best resource for you to start. I'm sure you have heard of them.

Check this site for some good research material.

I can introduce you to some people there if you need me to.
Link