Beyond the IT Department: Building Security Ownership Across Funds

The recent $65 million cyberattack on a prominent investment firm didn’t start with a sophisticated network breach or zero-day exploit. It began with a single portfolio manager clicking on what appeared to be a routine investor update email. Within hours, attackers had pivoted through the firm’s network, accessing sensitive fund performance data and client information that took months to fully assess and remediate.

This incident underscores a fundamental truth that many financial firms are still grappling with: cybersecurity accountability cannot be contained within the four walls of the IT department. When security becomes everyone else’s problem, it becomes no one’s responsibility.

Why Security Can’t Live in IT Alone

The traditional model of relegating cybersecurity to the IT team creates dangerous blind spots in hedge funds, private equity firms, and wealth management companies. Investment professionals handle the most sensitive data in the organization daily—fund strategies, portfolio positions, investor communications, and deal structures. Yet they often operate under the assumption that “IT handles security.”

This disconnect becomes particularly problematic during regulatory examinations. SEC and FINRA examiners increasingly focus on security ownership across the entire organization, not just within technical teams. They want to see evidence that portfolio managers understand their role in protecting client data, that compliance officers can articulate cybersecurity risks, and that senior leadership actively participates in security decision-making.

Consider the operational reality of most funds. Portfolio managers access trading systems, research databases, and investor portals throughout the day. They participate in video calls with counterparties, download market data from multiple sources, and frequently work with sensitive documents outside traditional office hours. Each of these activities represents a potential attack vector that no IT department can fully monitor or control.

The problem intensifies when you examine how financial firms actually operate. Deal teams at private equity firms regularly share confidential transaction documents with external parties. Organizational security requires these professionals to understand not just what they can share, but how to share it securely. This knowledge cannot be imposed from above—it must be embedded within the team’s operational culture.

Making Cybersecurity Everyone’s Business

Creating genuine cybersecurity accountability across a financial organization requires moving beyond annual security training sessions and email reminders about phishing. It demands integrating security awareness into daily workflows and decision-making processes.

Start with role-specific security responsibilities. Portfolio managers should understand how their trading patterns might signal potential account compromise. Compliance officers need to recognize the intersection between cybersecurity incidents and regulatory reporting obligations. Business development professionals must grasp how their client communications could expose sensitive firm data.

The most effective approach involves embedding security considerations into existing operational processes rather than creating parallel security workflows. When investment teams conduct their morning market calls, include a brief discussion of any security alerts or concerns. When deal teams prepare transaction materials, incorporate security review as a standard step rather than an afterthought.

Fund administrators and prime brokers increasingly expect their clients to demonstrate mature organizational security practices. This means your investor relations team needs to understand cybersecurity well enough to address due diligence questionnaires thoughtfully. They should be able to explain your firm’s security posture without simply forwarding everything to IT for response.

Training becomes more effective when it addresses real scenarios relevant to each team’s daily responsibilities. Instead of generic phishing simulations, create exercises based on actual investor communications, counterparty documents, or regulatory notices. This approach helps staff recognize threats within their normal workflow rather than in abstract scenarios.

Building Accountability Without Bureaucracy

The challenge lies in creating security ownership without slowing down the fast-paced decision-making that characterizes successful financial firms. Investment professionals resist security measures that interfere with their ability to capitalize on market opportunities or complete time-sensitive transactions.

Successful accountability structures focus on outcomes rather than processes. Instead of mandating specific security tools or procedures, establish clear expectations for protecting sensitive information and let teams determine the best methods within their operational constraints. This approach encourages innovation and buy-in rather than compliance theater.

Consider implementing security champions within each business unit—experienced professionals who can bridge the gap between security requirements and operational needs. These individuals aren’t security experts, but they understand both their team’s workflow and the firm’s security expectations well enough to guide daily decisions and escalate concerns appropriately.

Regular security discussions should become part of existing management meetings rather than separate security-focused gatherings. When portfolio managers review their monthly performance, include a brief discussion of any security incidents or concerns within their activities. This integration ensures security remains visible without consuming excessive management attention.

Documentation plays a crucial role, but it must serve operational purposes beyond compliance. Create decision frameworks that help professionals understand when to consult security teams, what information requires special handling, and how to balance security requirements with business needs. These resources should be practical references, not policy manuals.

Measuring Security Ownership That Actually Works

Traditional security metrics—number of phishing emails reported, training completion rates, vulnerability scan results—provide limited insight into actual cybersecurity accountability across the organization. More meaningful measurements focus on behavioral changes and decision-making patterns.

Monitor how quickly teams report suspicious activities or potential incidents. Fast reporting indicates genuine security awareness and comfort with security processes. Delayed reporting often signals either a lack of awareness or a fear of being blamed for the incident.

Track participation in security-related decisions beyond the IT team. Are portfolio managers engaged in discussions about new trading platform security features? Do compliance officers contribute meaningfully to incident response planning? This engagement demonstrates real security ownership rather than passive compliance.

Examine the quality of security-related questions during vendor evaluations or due diligence processes. Teams that understand security considerations ask better questions and make more informed decisions about technology adoption and business relationships.

Review incident response exercises for participation and contribution quality across different business units. Effective exercises reveal not just procedural knowledge, but understanding of how security incidents could impact specific business operations and client relationships.

Consider measuring how consistently security is factored into business decisions. Are teams proactively identifying security implications when evaluating new markets, investment strategies, or operational processes? This forward-thinking approach indicates a mature organizational security culture.

Final Thought

The most sophisticated cybersecurity technology cannot protect an organization where security ownership exists only within the IT department. Financial firms that successfully defend against evolving threats recognize that every investment professional, compliance officer, and business development manager plays a critical role in organizational security. This doesn’t mean turning everyone into security experts—it means ensuring everyone understands their specific security responsibilities and feels empowered to act on security concerns. The firms that embrace this distributed model of cybersecurity accountability don’t just achieve better security outcomes; they build competitive advantages through faster incident response, more thorough risk assessment, and deeper client trust in their operational capabilities.