PROTECTING YOUR BUSINESS FROM CYBER ATTACKS: HOW TO IDENTIFY AND ADDRESS VULNERABILITIES DURING THE CORONAVIRUS OUTBREAK
By Francesca Mundy, Lawyer and Senior Legal Editor at Sparqa Legal
Amid the COVID-19 pandemic, the National Crime Agency (NCA) has identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information.
Whilst the Government recently warned about cyber criminals specifically targeting organisations involved in the pandemic response (such as healthcare organisations), the National Cyber Security Centre (NCSC) has warned that individuals and businesses of all sizes are vulnerable to attack.
To help, we’ve taken a look at how your business can keep ahead of the curve by identifying and addressing any potential cyber vulnerabilities.
What should businesses be looking out for?
In joint advisories published with the United States, the UK’s NCSC has identified the following key types of COVID-19 cyber attacks to look out for:
- Phishing
Email, SMS, or WhatsApp messages with COVID-19 related content that encourage people to click on links to phishing websites where personal or financial information is stolen.
- Registration of new domain names
Phishing emails or messages may lure people to click on links to websites that will take them to a ‘spoofed login’ page designed to steal user credentials.
- Malware distribution
This will usually be an email asking recipients to open an attachment or download a file, which contains malware or ransomware and therefore compromises their device.
- Attacks on remote working systems
Cyber criminals are exploiting vulnerabilities in systems such as Virtual Private Networks (VPNs) and videoconferencing systems; for example, by sending emails with links to malicious files that claim to be invitations to join a call.
- Password spraying
Malicious cyber groups try commonly used passwords to gain access to and compromise accounts.
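The password-spraying pattern above is easiest to recognise in authentication logs as one source failing against many accounts with only one or two attempts each, which is the opposite shape to brute force against a single user. The detector below is an added example, not part of the original article or Sparqa Legal's material; its log line format, sample lines and thresholds are constructed for illustration, and it also reports any account that later succeeded from the same source, which is the case to escalate.

```python
"""Password-spray detection over authentication logs (added example).

Flags source addresses whose failed logins within a time window touch many
distinct accounts with few attempts per account. A success from the same
source after the spray began is reported separately, because that is the
finding that needs escalation rather than just blocking.

The log format, thresholds and sample lines are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed "timestamp user=... src=... result=..." format.
# 203.0.113.10 sprays six accounts (one try each) and lands on 'frank'.
# 198.51.100.7 hammers a single account (brute force, not a spray).
# 192.0.2.55 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2020-04-06T09:00:01 user=alice src=203.0.113.10 result=FAIL
2020-04-06T09:00:03 user=bob src=203.0.113.10 result=FAIL
2020-04-06T09:00:05 user=carol src=203.0.113.10 result=FAIL
2020-04-06T09:00:07 user=dave src=203.0.113.10 result=FAIL
2020-04-06T09:00:09 user=erin src=203.0.113.10 result=FAIL
2020-04-06T09:00:11 user=frank src=203.0.113.10 result=SUCCESS
2020-04-06T09:01:00 user=alice src=198.51.100.7 result=FAIL
2020-04-06T09:01:02 user=alice src=198.51.100.7 result=FAIL
2020-04-06T09:01:04 user=alice src=198.51.100.7 result=FAIL
2020-04-06T09:01:06 user=alice src=198.51.100.7 result=FAIL
2020-04-06T09:01:08 user=alice src=198.51.100.7 result=FAIL
2020-04-06T09:05:00 user=grace src=192.0.2.55 result=FAIL
2020-04-06T09:05:30 user=grace src=192.0.2.55 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(FAIL|SUCCESS)$")


def parse(log_text):
    """Parse log lines into (timestamp, user, src, result) tuples.

    Malformed lines are skipped so that one odd line cannot stop the detector.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {src: finding} for sources showing the spray pattern.

    A source is flagged when, within `window`, its failures cover at least
    `min_accounts` distinct accounts and no single account is tried more than
    `max_per_account` times (low-and-slow across users). The finding lists any
    account that logged in successfully from that source after the spray began.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological order
        fails = [e for e in evs if e[3] == "FAIL"]
        # Slide a window over the failures, anchored at each failure in turn.
        for i in range(len(fails)):
            start = fails[i][0]
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - start > window:
                    break
                per_user[e[1]] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                succeeded = sorted({e[1] for e in evs
                                    if e[3] == "SUCCESS" and e[0] >= start})
                findings[src] = {"first_seen": start,
                                 "accounts": len(per_user),
                                 "succeeded": succeeded}
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"{src}: {f['accounts']} accounts sprayed from {f['first_seen']}, "
              f"successful logins after spray: {f['succeeded'] or 'none'}")
```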
What steps should your business be taking to protect itself?
- Review your policies and procedures
There are different HR policies that your business can put in place to ensure smooth and secure home working. Although these are not strictly legally required, they are best practice and can help to safeguard against potential cyber attacks.
A working from home policy can set out your expectations for your staff, including in relation to data security and confidentiality. This should be complemented by a separate data protection policy outlining what duties your staff are under when they are handling personal data, including ensuring that it is always processed securely.
An IT security policy can include requirements relating to passwords, the physical security of devices and protocols around installing software. If you already have an IT security policy, you should review it to make sure it is fit for purpose and consider that the NCSC recommends the use of two-factor authentication wherever possible.
If you allow staff to use their own devices whilst working remotely, consider a ‘bring your own device’ policy. This will help you to ensure that staff appropriately secure those devices and protect your business’s sensitive information.
It is also sensible to have a personal data breach policy setting out your business’s response plan if a data breach occurs following a cyber attack.
- Provide training and support for staff
Cyber criminals often target individuals, so make sure your staff are aware of the risks to look out for. It may be beneficial to recirculate your policies, refresh their training on relevant security procedures or to circulate specific examples of COVID-19 cyber attacks. Make sure your staff know what to do if they identify a cyber attack or they think there might have been a data breach.
Your staff will also still need IT support whilst working from home, so check whether your normal services will continue. If support is easily available, IT vulnerabilities are likely to be identified sooner.
- Back-up!
Make sure staff regularly back up their work and save it separately from the original (e.g. by using a cloud service). Any back-ups should also have strict security measures in place; for example, access should be restricted to specific people within your organisation. If important data is backed up, you won’t lose it if devices are lost or stolen and you can protect your business from ransomware attacks (which make your system or data unavailable until you pay a ransom).
- Check your remote working systems
If your business is used to having staff work remotely, check that your remote working systems are updated with the most recent security patches and firewalls. If home working is new to your business, make sure that the systems you are using are fit for purpose and that you have applied appropriate and up-to-date security functions (e.g. ensuring that virtual meetings require password entry).
- Secure your devices
Make sure you take steps to secure devices whilst they are outside the workplace. For example, ensure encryption is turned on and that you can remotely lock devices and erase or retrieve data that is stored on them in case they are stolen.
If staff are working on personal devices, make sure they save work remotely, check that their antivirus software is up-to-date and remind staff to ensure the physical security of their work by locking their screens when they are not working.
- Remember GDPR!
Any data that your business handles that contains personal information will trigger data protection law.
If there has been a personal data breach due to a cyber attack (i.e. a breach leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data) and that breach carries some risk to individuals, you will have to notify the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach. You may also need to notify affected individuals. Even if you do not need to report the breach to the ICO (because you don’t think there is a risk to individuals) you should keep a written record of it.
These legal obligations are a reminder of the importance of businesses having appropriate cyber security policies in place to ensure that they can both protect their business from attack, and comply with their legal obligations if an attack does occur.
Sparqa Legal is an online platform providing expert legal guidance and autogenerated documents for all businesses. Founded by a team of senior barristers and tech executives, Sparqa Legal is on a mission to make law accessible and recently launched the Sparqa Post to provide free expert advice to SMEs on all their legal needs.
The content in this article is up-to-date at the date of publishing. The information provided is for information purposes only, and is not for the purpose of providing legal advice. ©Sparqa Limited 2020. All rights reserved.
Enhancing cybersecurity in investment firms as new regulations come into force
Published June 2, 2023
Christian Scott, COO/CISO at Gotham Security, an Abacus Group Company
The alternative investment industry is a prime target for cyber breaches. February’s ransomware attack on global financial software firm ION Group was a warning to the wider sector. Russia-linked LockBit Ransomware-as-a-Service (RaaS) affiliate hackers disrupted trading activities in international markets, with firms forced to fall back on expensive, inefficient, and potentially non-compliant manual reporting methods. Not only do attacks like these put critical business operations under threat, but firms also risk falling foul of regulations if they lack a sufficient incident response plan.
To ensure that firms protect client assets and keep pace with evolving challenges, the Securities and Exchange Commission (SEC) has proposed new cybersecurity requirements for registered advisors and funds. Codifying previous guidance into non-negotiable rules, these requirements will cover every aspect of the security lifecycle and the specific processes a firm implements, encompassing written policies and procedures, transparent governance records, and the timely disclosure of all material cybersecurity incidents to regulators and investors. Failure to comply with the rules could carry significant financial, legal, and national security implications.
The proposed SEC rules are expected to come into force in the coming months, following a notice and comment period. However, businesses should not drag their feet in making the necessary adjustments – the SEC has also introduced an extensive lookback period preceding the implementation of the rules, meaning that organisations should already be proving they are meeting these heightened demands.
For investment firms, regulatory developments such as these will help boost cyber resilience and client confidence in the safety of investments. However, with a clear expectation that firms should be well aligned to the requirements already, many will need to proactively step up their security oversight and strengthen their technologies, policies, end-user education, and incident response procedures. So, how can organisations prepare for enforcement and maintain compliance in a shifting regulatory landscape?
Changing demands
In today’s complex, fast-changing, and interconnected business environment, the alternative investment sector must continually take account of its evolving risk profile. Additionally, as more and more organisations shift towards more distributed and flexible ways of working, traditional protection perimeters are dissolving, rendering firms more vulnerable to cyber-attack.
As such, the new SEC rules provide firms with additional instruction around very specific prescriptive requirements. Organisations need to implement and maintain robust written policies and procedures that closely align with ground-level security issues and industry best practices, such as the NIST Cybersecurity framework. Firms must also be ready to gather and present evidence that proves they are following these watertight policies and procedures on a day-to-day basis. With much less room for ambiguity or assumption, the SEC will scrutinise security policies for detail on how a firm is dealing with cyber risks. Documentation must therefore include comprehensive coverage for business continuity planning and incident response.
As cyber risk management comes increasingly under the spotlight, firms need to ensure it is fully incorporated as a ‘business as usual’ process. This involves the continual tracking and categorisation of evolving vulnerabilities – not just from a technology perspective, but also from an administrative and physical standpoint. Regular risk assessments must include real-time threat and vulnerability management to detect, mitigate, and remediate cybersecurity risks.
Another crucial aspect of the new rules is the need to report any ‘material’ cybersecurity incidents to investors and regulators within a 48-hour timeframe – a small window for busy investment firms. Meeting this tight deadline will require firms to quickly pull data from many different sources, as the SEC will demand to know what happened, how the incident was addressed, and its specific impacts. Teams will need to be assembled well in advance, working together seamlessly to record, process, summarise, and report key information in a squeezed timeframe.
Funds and advisors will also need to provide prospective and current investors with updated disclosures on previously disclosed cybersecurity incidents over the past two fiscal years. With security leaders increasingly being held to account over lack of disclosure, failure to report incidents at board level could even be considered an act of fraud.
Keeping pace
Organisations must now take proactive steps to prepare and respond effectively to these upcoming regulatory changes. Cybersecurity policies, incident response, and continuity plans need to be written up and closely aligned with business objectives. These policies and procedures should be backed up with robust evidence that shows organisations are actually following the documentation – firms need to prove it, not just say it. Carefully thought-out policies will also provide the foundation for organisations to evolve their posture as cyber threats escalate and regulatory demands change.
Robust cybersecurity risk assessments and continuous vulnerability management must also be in place. The first stage of mitigating a cyber risk is understanding the threat – and this requires in-depth real-time insights on how the attack surface is changing. Internal and external systems should be regularly scanned, and firms must integrate third-party and vendor risk assessments to identify any potential supply chain weaknesses.
Network and cloud penetration testing is another key tenet of compliance. By imitating how an attacker would exploit a vantage point, organisations can check for any weak spots in their strategy before malicious actors attempt to gain an advantage. Due to the rise of ransomware, phishing, and other sophisticated cyber threats, social engineering testing should be conducted alongside conventional penetration testing to cover every attack vector.
It must also be remembered that security and compliance are the responsibility of every person in the organisation. End-user education is a necessity as regulations evolve, as are multi-layered training exercises. This means bringing in immersive simulations, tabletop exercises and real-world examples of security incidents to inform employees of the potential risks and the role they play in protecting the company.
To successfully navigate the SEC cybersecurity rules – and prepare for future regulatory changes – alternative investment firms must ensure that security is woven into every part of the business. They can do this by establishing robust written policies and adhering to them, conducting regular penetration testing and vulnerability scanning, and ensuring the ongoing education and training of employees.
Building a sustainable future – what’s on your agenda for 2023?
Published June 2, 2023
The most successful and progressive leaders are embracing ESG or Environmental, Social and Governance principles throughout their businesses, but how are they going about this and is it having a positive effect on their overall performance?
This was the theme for the latest Brighter Thinking Roundtable, hosted jointly by Menzies LLP and the Chartered Institute of Credit Management (CICM) in London. Senior-level executives from ten organisations attended the event to share their experiences of signing up to an ESG agenda and the difference it has made to their businesses.
Driven in part by changes affecting tender requirements for public sector contracts and corporate reporting, ESG has become a priority for Boards across the UK, regardless of the size of their organisations. Even though many of the auditing requirements related to ESG performance currently apply only to larger companies, the ‘trickle-down’ effect is such that small and medium-sized businesses realise that demonstrating a commitment to ESG will be critical to their long-term success.
Embracing the ESG agenda
Whilst the business case for ESG compliance has strengthened significantly in recent years, business leaders agree that a ‘tick-box’ approach to delivering changes is unlikely to bring lasting benefits. The push to embrace ESG is more likely to prove beneficial if it comes from a genuine desire to make a positive difference to the world and to connect with customers and employees in a more meaningful way.
Nikki Walker, CEO of Quality Compliance Systems (QCS) Ltd, said: “For us, ESG is core to who we are and a real business driver. Our inclusive culture enables us to maximise the diversity within QCS to connect with our customers. We have benefited massively just by making ESG part of our conversation with customers and employees. One of the measurable benefits has been a decreasing attrition rate.”
Richard Singleton, Finance Director and Head of ESG at Menzies LLP, is responsible for rolling out the firm’s ESG strategy and developing a new service line for clients. Whilst this work began before the pandemic, it has accelerated significantly in recent years. Describing the firm’s ESG journey, he said:
“As you might expect from a firm of accountants, we started out by looking at areas such as carbon accounting. We calculated our own carbon footprint and put in place a plan to reduce energy consumption and where possible, switch to renewables. As a relatively low energy user, we set a target to achieve net zero emissions by 2027 and we are making good progress.
“Whilst focusing on the environment was our starting point, more recently we have recognised how important social value delivery has become to stakeholders internally and externally. Existing employees and candidates have high expectations in this area. They want to know that their employer or prospective employer is doing the right thing – from its approach to diversity and inclusion, to staff remuneration, benefits and training, and they are not afraid to ask questions.
“At a time when many businesses are facing staff shortages and competing for talent, we recognised that ESG was an opportunity to differentiate our business and wanted to support our clients in achieving the same.”
Larger companies have tended to lead the agenda on ESG, sometimes initially focused on the corporate agenda due to the questions raised by investors, who want to know they are investing in responsible, sustainable businesses. Karen Young, Director of Accountancy & Finance at Hays UK&I, part of Hays PLC – a firm that employs over 10,000 people – described how looking after the environment, whilst supporting communities and charities, is ‘part of the DNA’ of the Hays business. She said:
“Doing the right thing is not a new concept. Charity partnerships are a longstanding focus at Hays; one of the first things I was asked to do when I joined the business as a trainee over 25 years ago was to run the London Marathon to raise funds for the Hays’ corporate charity that year, which was Macmillan Cancer Support, a cause close to my heart. This initiative of building strong charity fundraising partnerships has continued to this day.
“However, Hays now has a global programme called ‘Helping for your tomorrow’ that is about us using our core skills and expertise to help lift the employability of those who may not have the same opportunities as others. The programme focuses on both fundraising and corporate volunteering into local communities. We have a clear key strategic priority around social value in our UK&I business and our activity is communicated regularly across the organisation and externally too.
“One workstream is the development of a strategic collaboration with the charity, EveryYouth, which sets out to help disadvantaged young people succeed in life – homelessness being perhaps the most striking indicator of disadvantage. Project Flourish is dedicated to improving the social mobility of some of the most disadvantaged young people in the UK, through an employability programme. The initiative is designed to help young people gain employment and, just as importantly, develop and flourish once in their new role.”
Karen also emphasised the importance of strong leadership. She said: “A couple of years ago, one of our Executive Board addressed a meeting and asked us ‘Is the world a better place because Hays is in it? If not, we need to do better’. We took inspiration from this and haven’t looked back.”
Appointing an ESG leader
For most small and medium-sized businesses, and some larger ones, it may not be possible to recruit a dedicated ESG leader. Boards are more likely to appoint someone within the business to take on the role. Finance teams are the obvious place to look due to their focus on managing and reporting business data, which is a natural fit for carbon footprint assessments and setting performance-linked targets. Sometimes a representative from the HR team is pulled in to provide a ‘people perspective’ and to support the cascade of information internally. However, there is no hard and fast rule and other businesses might choose to appoint the head of investor relations or sales director as their new ESG leader.
For some businesses, the nature of their activities can be difficult to reconcile with a socially responsible agenda. For example, debt collection can be perceived as having a negative impact on society, but some businesses are trying to change this by adopting an ESG-led approach.
David Sheridan, Operations Director at ARC (Europe) Ltd, a consumer-focused debt collection agency based in Walton-on-Thames, explained: “Employee wellbeing and mental health awareness is an important area for us. Some of our customers have mental health problems, so our employees are trained to deal with this in an empathetic way, providing signposting to health services and other support where needed.
“Alongside our Employee Assistance Programme, we have dedicated St John Ambulance mental health first aiders within our business to provide our teams with the training and support to deal with challenging conversations with customers who are really struggling with serious mental health issues. In an industry with a high attrition rate, we also recognise that handling challenging calls can affect employee wellbeing. We take this seriously by really listening to what they want and ensuring that our pay and benefits packages are aligned.”
Rebecca Williams, Coface’s Head of Direct Products UK & Ireland, echoed the importance of focusing on real needs, saying: “When implementing ESG strategies, as employers we must take care not to overlook the basics: this is when it could become a tick-box exercise. We should start by really making sure we know what our stakeholders need from us and develop work streams that make a tangible difference.”
Finding the right ideas that will engage employees and sit well with customers can be a challenge for employers, particularly when budgets are tight and teams are stretched due to worker shortages. Nevertheless, business leaders had plenty of ideas to share. Menzies LLP hosts ‘Make a Difference Week’ in July each year, offering a menu of fund-raising and community engagement activities for employees to get involved in, some close to local offices and others on a national scale. Hays is partnering with an organisation called Neighbourly this summer to deliver a volunteering programme to people in local communities called ‘Hays gets Neighbourly’.
Richard Singleton added: “Some of the best feedback we have had from employees was around Earth Day (22 April, 2023), when we gave each employee a voucher to buy a plant. They felt good about working for Menzies and caring for the plant reminded them of the importance of nurturing the environment. Some employees said the initiative had a positive effect on their families too, as their children were able to help with the planting and watch it grow.”
Greening up supply chains is a problem area for some businesses, and it can be time consuming initially. Putting in place processes to help the business make greener choices will lead to better decisions in the future. Running ‘blind testing’ workshops to get employee feedback on proposed switches for pens, paper and coffee can increase engagement and encourage individuals to offer their own ideas.
For small and medium-sized businesses, embarking on an ESG journey can be daunting and knowing where to start is important. Understanding stakeholders’ needs is critical, but if employers get it right there can be tangible business benefits – from increased employee and customer engagement through to reduced attrition rates and a better-motivated, more productive workforce. Summing up the main message from the roundtable, Sue Chapple, Chief Executive of the Chartered Institute of Credit Management (CICM), said:
“For those that are wondering whether now is the right time to embark on an ESG journey, or take it to the next level, the question should not be ‘do we want to do this?’ but ‘when shall we start?’”
First published at Credit Management magazine.