Cybersecurity Crisis in Fund Management

April 11, 2025

Takeaways from the 8 April Lunch & Learn – hosted by Marex with IQ-EQ and Capiteq

Cybersecurity isn’t just an IT problem. It’s a business risk, a regulatory obligation and – more than ever – a matter of survival.
As cyber threats become more frequent and sophisticated, regulators globally are turning their attention to asset managers. Their concern? The industry is not up to par with banking in terms of IT controls and operational resilience.
But how do fund managers, particularly smaller firms and family offices, meet rising expectations with limited internal resources?
This is the challenge we set out to explore at our recent Lunch & Learn, ‘Cybersecurity Crisis in Fund Management’, hosted at Marex’s offices in Hong Kong.
We brought together Philippa Allen, Managing Director of Regulatory Compliance at IQ-EQ, and Marco Rayner, Founder and Managing Director of Capiteq, a specialist IT provider to asset managers and family offices. I moderated the discussion, which was frank, practical and packed with real-world insight.

Philippa unpacked where regulators are heading and how to interpret their expectations, while Marco shared lessons from the frontlines of cyber incidents, from phishing attacks and social engineering to compromised investor communications and the chaos of business disruption.
Here I share the key themes and best practices from the discussion.
The legal and regulatory backdrop: scrutiny without structure
The discussion opened with a clear message: regulators are ramping up pressure on fund managers to improve cyber resilience.
As fiduciaries, asset managers have a responsibility to protect client interests. That means demonstrating responsibility not only for capital, but also for data, systems and operational continuity.
On the global regulatory environment, we agreed that all regulators are now highly focused on cybersecurity, and highlighted some of the stand-out regional benchmarks:
  • Hong Kong’s SFC issued a 2024 cybersecurity review (initially focused on brokers, but with broad application) flagging common failings and highlighting six focus areas: patch management, network security, audit logs, data encryption, access controls and third-party oversight.
  • Singapore’s MAS continues to lead in Asia with its TRM (Technology Risk Management) framework, which we agreed is a clear benchmark for good practice.
  • Europe’s DORA (Digital Operational Resilience Act) introduces prescriptive obligations across incident reporting, governance, testing and vendor risk management.

Accountability is a consistent theme, and firms must ensure clear internal ownership of cyber oversight.
Even where regulatory guidance is evolving, firms are expected to demonstrate that appropriate controls, governance and monitoring are in place. Many are looking to established frameworks, like TRM in Singapore or DORA in the EU, as reference points for shaping internal policies and procedures.
What fund managers can do: practical steps across the SFC’s six focus areas
The discussion surfaced practical steps that fund managers can act on, especially smaller firms navigating these challenges with lean teams and outsourced support.
Framed as both best practice and business-critical hygiene, I’ve structured them here around the SFC’s six focus areas.

Patch management

  • Patch like clockwork: Monthly patching is the minimum standard. Anything less creates dangerous gaps, and a single unpatched device can lead to a full-blown breach. Confirm your IT provider is delivering this and get monthly reports on what was patched and what wasn’t.
  • Scan for vulnerabilities every month: Annual scans aren’t enough; threats, including zero-day exploits, change daily. Platforms like Microsoft 365 support automated vulnerability scanning, but it has to be configured. Run scans at least monthly and patch critical vulnerabilities immediately.
  • Demand visibility from outsourced IT: Even if your patching is outsourced, you’re still accountable. Ask for patch status reports, vulnerability scan summaries and confirmation of remediation actions every month, and check them against the one-month window rather than filing them unread.
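To make that monthly report more than a filing exercise, here is an added example, not code from the article or from any vendor, of a small Python check that reads a constructed patch report of the kind a fund could ask its IT provider for and flags every patch installed, or still pending, outside the SFC’s one-month window, with critical patches treated as due on the day of release. The CSV column names, the sample rows and the report date are assumptions.

```python
"""Check an IT provider's monthly patch report against the one-month rule.

Added example, not code from the article or from any vendor. It reads a
constructed CSV of the kind a fund can ask its outsourced IT provider for
(one row per device and patch, with vendor release date, install date left
blank if still pending, and severity), then flags every patch installed, or
still outstanding, after its deadline. Column names, sample rows and the
report date are assumptions.
"""
import csv
import io
from datetime import date, timedelta

SLA_DAYS = 30           # SFC circular: apply tested patches within one month of release
CRITICAL_SLA_DAYS = 0   # article: patch critical vulnerabilities immediately (read as same day)
REPORT_DATE = date(2025, 4, 8)  # constructed: the day the report was reviewed

# Constructed sample report in an assumed format.
SAMPLE_REPORT = """\
device,patch_id,severity,released,installed
HK-LAPTOP-01,KB-A,critical,2025-03-01,2025-03-01
HK-LAPTOP-01,KB-B,important,2025-03-05,2025-03-20
HK-LAPTOP-02,KB-B,important,2025-03-05,
HK-LAPTOP-02,KB-C,critical,2025-03-28,2025-04-02
SG-DESKTOP-07,KB-A,critical,2025-03-01,2025-04-06
"""


def parse_report(text):
    """Turn the CSV text into dicts with real dates; a blank install date means pending."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device": row["device"],
            "patch_id": row["patch_id"],
            "severity": row["severity"].strip().lower(),
            "released": date.fromisoformat(row["released"]),
            "installed": date.fromisoformat(row["installed"]) if row["installed"] else None,
        })
    return rows


def days_allowed(severity):
    return CRITICAL_SLA_DAYS if severity == "critical" else SLA_DAYS


def evaluate(rows, as_of=REPORT_DATE):
    """Return one finding per patch that missed its deadline.

    A pending patch is measured against `as_of`, so an open patch counts as
    overdue as soon as its window has passed, not only once it is installed.
    """
    findings = []
    for r in rows:
        deadline = r["released"] + timedelta(days=days_allowed(r["severity"]))
        effective = r["installed"] or as_of
        if effective > deadline:
            findings.append({
                "device": r["device"],
                "patch_id": r["patch_id"],
                "severity": r["severity"],
                "status": "installed late" if r["installed"] else "still pending",
                "days_late": (effective - deadline).days,
            })
    return findings


def worst_per_device(findings):
    """Devices with at least one miss, mapped to their largest lateness in days."""
    worst = {}
    for f in findings:
        worst[f["device"]] = max(worst.get(f["device"], 0), f["days_late"])
    return worst


if __name__ == "__main__":
    findings = evaluate(parse_report(SAMPLE_REPORT))
    for f in findings:
        print(f"{f['device']:14} {f['patch_id']:5} {f['severity']:9} "
              f"{f['status']:14} {f['days_late']:>3} day(s) late")
    print("devices out of SLA:", worst_per_device(findings))
```

The point of measuring pending patches against the report date is that a provider’s report which only lists what was installed will look clean while the real gap is in what was never installed at all; the checker makes both visible on the same page.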

Network security

  • Use Endpoint Detection and Response (EDR): This isn’t just antivirus. EDR tools provide continuous monitoring, containment and remediation features that give you visibility of, and control over, endpoint security. It’s your early warning system to monitor devices, detect threats, and isolate and respond to incidents quickly.
  • Restrict access to known, secure devices: Set stringent rules for which devices can access your company data. Work with your IT team to define which devices are permitted and apply controls to enforce it.
  • Limit access with conditional access policies: Restrict logins by geography, IP range, device or user type. For example, only allow logins from Hong Kong and Singapore on company-issued devices. For travelling users, place them in a temporary roaming group, and keep that group time-limited and reviewed so the exception doesn’t quietly become permanent. It’s a simple layer that shuts out a large share of opportunistic attacks.
  • Monitor risky users: The riskiest users are often the most senior. Microsoft and other platforms flag risky behaviour, such as malware clicks, unusual logins or crypto site visits. Review alerts and respond quickly.
  • Audit for legacy tech: Outdated systems are a gift to attackers. Windows 10, for example, reaches end of support on 14 October 2025. Replace unsupported software and legacy hardware before they create security gaps.
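To show what the conditional access rule above actually decides, here is an added example, not code from the article and not a call to the Entra ID API, that models the stated policy in Python: allow sign-ins only from Hong Kong and Singapore, only from company-issued (compliant) devices, with a time-limited roaming exception for travellers. The field names echo what an Entra sign-in log exposes (country, device compliance), but the users, events and roaming entries are constructed and the evaluator runs offline.

```python
"""Evaluate sign-in events against the location and device rules described above.

Added example, not code from the article and not an Entra ID API call. It
models the policy as stated: allow sign-ins only from Hong Kong and Singapore,
only from company-issued (compliant) devices, with a time-limited roaming
exception for travelling staff. Field names echo what an Entra sign-in log
exposes (country, device compliance), but the events, users and roaming
entries are constructed and everything runs offline.
"""
from datetime import datetime, timezone

ALLOWED_COUNTRIES = {"HK", "SG"}

# Roaming exceptions: user -> (extra countries, expiry). Assumed structure; in a
# tenant this would be a group whose membership is time-bound and reviewed.
ROAMING = {
    "cfo@example.com": ({"GB"}, datetime(2025, 4, 10, tzinfo=timezone.utc)),
}

# Constructed sign-in events.
SIGN_INS = [
    {"user": "analyst@example.com", "country": "HK", "compliant": True,
     "time": "2025-04-08T09:00:00+00:00"},   # normal office sign-in
    {"user": "analyst@example.com", "country": "HK", "compliant": False,
     "time": "2025-04-08T09:05:00+00:00"},   # right location, personal device
    {"user": "cfo@example.com", "country": "GB", "compliant": True,
     "time": "2025-04-08T07:30:00+00:00"},   # travelling, inside roaming window
    {"user": "cfo@example.com", "country": "GB", "compliant": True,
     "time": "2025-04-12T07:30:00+00:00"},   # same trip, roaming window lapsed
    {"user": "ops@example.com", "country": "US", "compliant": True,
     "time": "2025-04-08T03:00:00+00:00"},   # unexpected country, no exception
]


def evaluate_sign_in(event):
    """Return (decision, reason) for one event.

    Device compliance is checked first so that a roaming exception can only
    widen the allowed locations, never relax the company-device requirement.
    """
    if not event["compliant"]:
        return "block", "device not compliant"
    if event["country"] in ALLOWED_COUNTRIES:
        return "allow", "compliant device in allowed location"
    roaming = ROAMING.get(event["user"])
    if roaming is not None and event["country"] in roaming[0]:
        when = datetime.fromisoformat(event["time"])
        if when <= roaming[1]:
            return "allow", "roaming exception in force"
        return "block", "roaming exception expired"
    return "block", f"location {event['country']} not allowed"


def evaluate_all(events):
    """Apply the policy to every event; returns (user, country, decision, reason) tuples."""
    return [(e["user"], e["country"], *evaluate_sign_in(e)) for e in events]


def blocked_users(events):
    """Users with at least one blocked sign-in: the list to review, not just to ignore."""
    return sorted({u for u, _, decision, _ in evaluate_all(events) if decision == "block"})


if __name__ == "__main__":
    for user, country, decision, reason in evaluate_all(SIGN_INS):
        print(f"{decision:5} {user:22} {country}  {reason}")
```

In Entra ID terms this is a Conditional Access policy built from named locations, the “require device to be marked as compliant” grant control and a group exclusion for travellers. The two things the code makes explicit are the ordering (the roaming exception must not override the device requirement) and the expiry: a roaming membership that is never removed is a permanent hole, which is why the CFO’s fourth sign-in is blocked even though the trip is the same.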

Audit logs

  • Extend your log retention: Many systems store only 30 days of audit logs by default. Ensure you have access to the right logs for at least 12 months, to support investigations, insurance claims or forensic reviews, and confirm that you, not only your provider, can actually export them.
  • Document all cybersecurity activity: Log every patch cycle, incident and decision, even those where you chose not to act. Regulators and insurers may ask why.
  • Track cybersecurity in compliance meetings: Make cybersecurity a standing item in your compliance reviews. Treat it like you would AML or market abuse risk. Record discussions, decisions and follow-up actions.
  • Keep evidence, and keep it safe: Logs, decisions, actions, timelines and communications related to incidents should be retained long term. When in doubt, keep more, not less.
  • Show what changed: After an incident, be ready to show how you’ve strengthened your controls, updated procedures or retrained staff.

Data encryption

  • Understand your data flows: Where is your sensitive data stored? How is it transferred? What’s encrypted? You can’t protect what you can’t see. Start with a simple map.
  • Implement encryption as standard: Ensure sensitive data is encrypted wherever it’s stored or transferred, especially in cloud services, file storage and email systems.

Access controls

  • Use the right license for your tools: One breach case involved a fund using a basic Microsoft 365 license that didn’t trigger alerts when the CFO’s account was hijacked. Higher-tier licenses (around US$54.75/user/month) unlock critical protections and provide a wealth of tools across security and compliance.
  • Conduct simulations that reflect reality: Capiteq’s favourite test? Emails from family offices interested in allocating capital, which are almost guaranteed to get clicks, even from senior staff. Make simulations realistic and track who fails.
  • Train regularly, and follow up: Quarterly awareness training is ideal. If someone repeatedly fails phishing simulations, provide 1:1 support to reduce the risk.
  • Automate alerting where possible: Enable automated risk detection in tools like Microsoft 365. Ensure alerts are configured, monitored and linked to action.

Third-party oversight

  • Know your weakest link: Some of the most damaging breaches originate with third-party providers. Ensure your IT, back office and cloud partners are part of your cybersecurity plan, not a blind spot.
  • Make cybersecurity part of your SLA: Vendor due diligence and contracts should include clear expectations around monitoring, patching, reporting and incident response.

Bonus: governance and oversight

  • Establish clear accountability: The Manager-In-Charge (MIC) of Information Technology (or equivalent) must be clearly appointed, empowered and engaged. They must understand the risks and demonstrate control.
  • Know your environment: Ask for a walkthrough even if you are not technical. Have IT provide an up-to-date diagram of your systems: servers, endpoints, cloud services. Ask “why” for each component. Why is it open, who uses it, how is it protected? Asking the right questions builds control.
  • Prepare to respond, and report: You’re not just judged on whether an incident occurs, but on how you handle it. Who do you call? What evidence do you need? What logs will you share? Keep checklists and response templates ready.

Insurance is not a get-out-of-jail card

Cyber insurance is worth having, but it’s no substitute for good controls. Insurers are tightening payout criteria and cross-referencing your answers to their DDQs (due diligence questionnaires) for grounds to decline claims. If your provider said patching was monthly but didn’t do it, you may be out of luck.

Also, don’t guess when filling out cyber insurance forms. Loop in your IT provider and ensure their answers are accurate and documented. One wrong answer can invalidate your cover.

Final thought

One of the most striking comments came from Marco:

“You wouldn’t go on holiday and leave your doors and windows open. Yet that’s exactly what some firms are doing with their IT systems.”

Cyber risk is real. It’s daily. It’s operational. It’s reputational. And while the threats are sophisticated, the fixes don’t have to be.

Much of what needs to be done is well within reach, even for smaller firms. But it takes structure, prioritisation and the humility to ask the so-called ‘foolish’ questions. Because in cybersecurity, the only real mistake is staying silent.

References

SFC’s recent Cybersecurity Circular dated February 2025.
Below is a high-level summary of the SFC’s 2023/24 Thematic Cybersecurity Review of Licensed Corporations (LCs):

🔍 Purpose of the Report

  • Highlights key findings from a thematic cybersecurity review of selected internet brokers.
  • Evaluates compliance with existing Cybersecurity Guidelines and Code of Conduct.
  • Addresses recent cybersecurity incidents and sets out expected standards for improvement.

⚠️ Cybersecurity Incidents (2021–2024)

8 major incidents reported, including:

  • Ransomware attacks that disrupted critical systems.
  • Vendor network compromise, with no adequate contingency planning.
  • Security loopholes exploited for unauthorized access to trading systems and client data.
  • End-of-life (EOL) software contributed to vulnerabilities.

📉 Common Deficiencies Identified

Despite improvements since 2020, several weaknesses persist:

  • Weak authentication (e.g., inadequate 2FA).
  • Poor patch management and outdated systems.
  • Unsecured data transmission/storage.
  • Excessive admin access rights and lack of audit trails.
  • Insufficient monitoring of client account activity.

✅ Key Recommendations

Licensed Corporations must:

  1. Strengthen Network Security
    • Disable unnecessary ports and enforce access controls.
    • Conduct annual technical reviews, endorsed by senior management.
  2. Implement Timely Patch Management
    • Apply tested patches within one month of release.
  3. Use Strong Data Encryption
    • Encrypt both data at rest and data in transit with strong algorithms.
  4. Tighten User Access Control
    • Grant access on a need-to-have basis.
    • Limit admin access and monitor its usage.
  5. Maintain Audit Logs
    • Regularly review logs of all critical systems for anomalies.
  6. Monitor Client Accounts Effectively
    • Detect unusual changes or access patterns (e.g. shared IPs, bulk edits).
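The last recommendation is the one most easily turned into a concrete check. Here is an added example, not part of the SFC circular or the original article, that runs two of the detections named above in Python over constructed client-activity log lines: source IPs that serve many distinct client accounts, and accounts whose contact or payment details are changed several times within a short window. The log format and thresholds are assumptions to be tuned to the firm’s own client base.

```python
"""Flag shared source IPs and bulk account-detail edits in a client activity log.

Added example, not part of the SFC circular or the original article. It runs two
of the checks named in the summary above (many client accounts served from one
IP, and many detail changes on one account in a short window) over constructed
log lines. The log format and the thresholds are assumptions to be tuned to the
firm's own client base.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: timestamp, client account, source IP, action.
LOG = """\
2025-04-08T09:00:00 ACC-1001 203.0.113.10 login
2025-04-08T09:01:00 ACC-1002 203.0.113.10 login
2025-04-08T09:02:00 ACC-1003 203.0.113.10 login
2025-04-08T09:03:00 ACC-1004 203.0.113.10 login
2025-04-08T09:10:00 ACC-2001 198.51.100.5 login
2025-04-08T09:11:00 ACC-2001 198.51.100.5 change_email
2025-04-08T09:11:30 ACC-2001 198.51.100.5 change_phone
2025-04-08T09:12:00 ACC-2001 198.51.100.5 change_bank_account
2025-04-08T10:00:00 ACC-3001 192.0.2.77 login
2025-04-08T16:00:00 ACC-3001 192.0.2.77 change_email
"""

SHARED_IP_ACCOUNTS = 3                     # distinct accounts from one IP before flagging
BULK_EDIT_COUNT = 3                        # detail changes on one account ...
BULK_EDIT_WINDOW = timedelta(minutes=10)   # ... within this sliding window


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, account, ip, action = line.split()
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "action": action})
    return events


def shared_ips(events, threshold=SHARED_IP_ACCOUNTS):
    """IPs seen across at least `threshold` distinct client accounts."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        accounts_by_ip[e["ip"]].add(e["account"])
    return {ip: sorted(accs) for ip, accs in accounts_by_ip.items() if len(accs) >= threshold}


def bulk_edits(events, count=BULK_EDIT_COUNT, window=BULK_EDIT_WINDOW):
    """Accounts with `count` or more detail changes inside any `window`-long span.

    Uses a sliding window over the sorted change times so a burst split across
    a clock boundary is still caught.
    """
    changes = defaultdict(list)
    for e in events:
        if e["action"].startswith("change_"):
            changes[e["account"]].append(e["time"])
    flagged = {}
    for account, times in changes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= count:
                flagged[account] = end - start + 1
                break
    return flagged


def run_checks(text=LOG):
    events = parse_log(text)
    return {"shared_ips": shared_ips(events), "bulk_edits": bulk_edits(events)}


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

Both checks need judgement before they become alerts: a shared IP can be a legitimate corporate NAT or a family office whose staff operate several accounts, so the threshold and an allowlist matter, while a burst of email, phone and bank-account changes on one account inside a few minutes is the pattern of an account takeover preparing to redirect funds and should be reviewed the same day.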

🔄 Emerging Threats & Trends

  • Increased use of EOL systems, unpatched VPNs, and phishing-based ransomware.
  • More LCs now rely on:
    • Third-party IT providers
    • Cloud services (raising new security management challenges)
  • Emphasis on phishing detection, remote access controls, and cloud risk governance.

📱 Authentication Best Practices

  • Concerns raised over reliance on SMS OTPs due to malware interception risks.
  • Encouragement to adopt more secure methods like biometrics or software tokens.

🧑‍💼 Senior Management Responsibilities

  • Appoint qualified staff/providers and allocate sufficient resources.
  • Regularly review policies, approve cybersecurity plans, and oversee remediation.
  • Maintain and test contingency plans tailored to cybersecurity threats.
  • The circular takes immediate effect; LCs should review and upgrade their cybersecurity frameworks.
  • The SFC plans to revamp and expand the cybersecurity framework in 2025 to cover all LCs, not just internet brokers.

A checklist for the recent SFC circular is available here.