NGS Super falling victim to a cyber hack last year served as a reminder that cybersecurity is one of the leading concerns when it comes to operational risks in financial services.
But Matt Siddick, senior director of operational risk solutions at bfinance, has emphasised that operational risks extend far beyond cyber threats, pointing to an “intricate web of relationships” between external asset managers, service providers and operational due diligence processes.
Namely, he said that the most interesting day-to-day challenge for those involved in ODD is the shift towards greater use of alternative investments and investment managers.
“Higher exposure to alternative asset classes, and particularly private markets, can open investors up to greater operational risks,” Siddick wrote in a piece penned for InvestorDaily.
“At the risk of over-generalising, we do still observe that private market managers – despite considerable institutionalisation through recent years – tend to have less well-defined control frameworks, weaker policies and less investor-friendly procedures, on average, than their more traditional public market-focused counterparts (though shortcomings are to be found among the latter also, of course).”
As such, he warned investors should not just assume that an asset manager has appropriate control functions in areas such as valuations, cash wires and fee calculation.
For example, Siddick said a recent ODD exercise revealed a manager whose inadequate processes had opened them up to a phishing attack, wherein cyber criminals had been able to wire money from one of the firm’s funds.
“Appropriate questions to identify vulnerabilities would include: what processes has a manager implemented to mitigate the risk of internal fraud with respect to cash movements from the fund? Has the firm adopted technology to segregate cash wire authorisation rights?” he advised.
Siddick added that private markets have historically been subject to lower levels of regulatory oversight, although this has begun to change.
“Regulators around the globe are increasing their focus on managers operating in private markets, in terms of both regulatory frameworks and visible enforcement priorities.”
Namely, the US Securities and Exchange Commission is increasing its regulatory focus on private fund advisers, while the UK-based Financial Conduct Authority is conducting a review of private market valuations.
However, he conceded that certain regions have shown varying levels of commitment to implementing these practices.
“The European Union’s Alternative Investment Fund Managers Directive has normalised the practice of appointing an independent administrator to EU-domiciled private markets funds.”
“However, many non-EU-domiciled vehicles, it should be noted, continue to be internally administered.”
Noting that APRA’s focus on cyber security still deserves praise, Siddick reminded investors that cyber risk management “does not exist in a vacuum”.
“Operational risks – cyber and beyond, in-house and external – should be considered holistically and given appropriate prioritisation.”
“Moreover, with a stronger understanding of what ‘good’ looks like now, super funds can apply ‘lessons learned’ to internal operations. Both excellence and errors exhibited by investment managers have relevance in-house,” he concluded.