Cybersecurity is a critical business issue for hedge funds and other investment management firms. The financial consequences of a cyber attack can be significant and could result in a serious impact to a firm’s reputation. Not surprisingly, cybersecurity is also a growing concern for regulators, and an area where fund managers are increasing their focus.
A number of cybersecurity issues are of particular concern for investment managers, including protection of investor information, intellectual property, trade execution, fraudulent activity, cybersecurity compliance, and loss of reputation.
Hedge funds maintain sensitive data (e.g., names, social security and bank account numbers) of high net-worth individuals and institutional investors. Given the profile of these clients, this sensitive information can be particularly enticing to hackers.
Hedge funds also must carefully safeguard proprietary trading algorithms, investment strategies, and other forms of intellectual property (IP). Hackers understand how valuable this information is to funds and a cyber attack may focus on stealing an algorithm, source code, or other information asset to hold for ransom.
In a related threat, hackers could potentially disrupt systems that execute trades. In one recent attack, hackers broke into a high frequency trading system of a fund and were successful in slowing down trade executions by a few milliseconds. Even this seemingly small disruption can inflict significant damage on fund operations in this competitive industry.
Fraudulent trading activity and electronic transfers of funds are also key concerns. In another recent attack, hackers broke into a hedge fund system and gained access to execute wire transfers. They executed a series of transfers, each just under $500,000, the firm's “flag” level for review, so that several transfers completed before the activity was eventually detected. Firms must secure access to all trading and treasury functions, guarding against potential external and internal fraudulent activity.
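The wire-transfer incident above illustrates why a per-transfer review limit alone is a weak control. The following is an added example (not from the original article or from Baker Tilly) of a treasury-side detection check that looks for repeated transfers clustered just below the review threshold; it assumes a $500,000 limit, as in the article, and runs over constructed sample records.

```python
"""Detect wire transfers structured just under a review threshold.
Added example, not from the original article. Assumes a $500,000 review
threshold (the article's "flag" level); the records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 500_000.00  # single-transfer review limit (assumed)
NEAR_BAND = 0.05               # flag amounts within 5% below the limit (assumed)
WINDOW = timedelta(hours=24)   # look-back window for repeated transfers
MIN_COUNT = 2                  # near-threshold transfers needed to alert

# Constructed sample records: (timestamp, initiating user, beneficiary, amount)
SAMPLE_TRANSFERS = [
    ("2015-09-14T09:02:00", "ops_user1", "ACCT-A", 120_000.00),
    ("2015-09-14T09:40:00", "ops_user2", "ACCT-B", 498_500.00),
    ("2015-09-14T10:15:00", "ops_user2", "ACCT-B", 499_200.00),
    ("2015-09-14T11:05:00", "ops_user2", "ACCT-C", 497_900.00),
    ("2015-09-14T13:30:00", "ops_user3", "ACCT-D", 520_000.00),  # over limit: already reviewed
    ("2015-09-16T08:00:00", "ops_user1", "ACCT-A", 499_000.00),  # lone transfer, no cluster
]

def is_near_threshold(amount, threshold=REVIEW_THRESHOLD, band=NEAR_BAND):
    """True if the amount sits just below the review limit (inside the band)."""
    return threshold * (1 - band) <= amount < threshold

def find_structured_transfers(transfers, window=WINDOW, min_count=MIN_COUNT):
    """One alert per user whose near-threshold transfers cluster inside `window`,
    reporting the combined amount that per-transfer review never sees."""
    by_user = defaultdict(list)
    for ts, user, beneficiary, amount in transfers:
        if is_near_threshold(amount):
            by_user[user].append((datetime.fromisoformat(ts), beneficiary, amount))
    alerts = []
    for user, items in sorted(by_user.items()):
        items.sort()
        start, best = 0, []  # sliding window over this user's near-threshold transfers
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= max(min_count, len(best) + 1):
                best = items[start:end + 1]  # keep the largest cluster seen
        if best:
            alerts.append({"user": user, "count": len(best),
                           "total": round(sum(a for _, _, a in best), 2),
                           "beneficiaries": sorted({b for _, b, _ in best})})
    return alerts

if __name__ == "__main__":
    print(find_structured_transfers(SAMPLE_TRANSFERS))
```

The check is meant to run as a second-line review beside the single-transfer limit, so that an aggregate review is triggered even when every individual transfer stays under the flag level.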
Further, hedge fund managers face cybersecurity and privacy compliance concerns. Regulators require managers to sufficiently protect investor information and to have preventative plans in place. Given the impact a cyber attack could have on fund investors and the attention that regulators are currently paying to cybersecurity, it is likely that we will see additional regulation in this space in the near future, and existing regulations are already being enforced more strictly. The Securities and Exchange Commission (SEC) recently charged a St. Louis-based investment adviser with failure to adopt required cybersecurity policies and procedures prior to a breach that compromised personally identifiable information (PII) of thousands of the firm’s clients. As we have seen in recent years in the broader financial sector, new regulations come at a cost to those required to comply. New funds and smaller existing funds may struggle to manage the cost of compliance while still taking adequate action to stay within regulations.
Finally, potential loss of reputation adds another dimension to cyber risk. Strong reputations are hard-won and easily lost in the hedge fund world, and being the victim of a cyber attack can prove fatal for businesses. Indeed, investors have increased their due diligence on the issue. Hedge funds are seeing a higher level of focus on cybersecurity within Requests for Proposal (RFPs), a sure sign that it’s a priority for their high net worth and institutional clients.
In response to these increased risks, the regulatory landscape for cybersecurity is evolving rapidly. For instance, the Securities and Exchange Commission (SEC) issued a Risk Alert in early 2014, signaling its intention to increase oversight of cyber issues. The results of the 2014 SEC inquiries, as well as high-level cybersecurity guidance, were published in early 2015. Key among the recommendations: investment firms should identify who in the organization is responsible for cybersecurity, whether there is a dedicated Chief Information Security Officer (CISO), or whether the function belongs to the CIO or another role.
In a related action, the Office of Compliance Inspections and Examinations (OCIE), which conducts the SEC’s National Examination Program, issued an alert on September 15, 2015 indicating that it plans to continue its focus on cybersecurity by conducting examinations of registered broker-dealers and investment advisers. The examinations will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
On the legislative front, many hedge fund managers are carefully watching the fate of the proposed Cyber Information Security Act (CISA). CISA concerns the practice of sharing information about cyber attacks with the government, including the Federal Bureau of Investigation (FBI) and National Security Agency (NSA). The government wishes to encourage investment firms to voluntarily disclose data about attacks in a secure process, but it’s a tough sell for the closely guarded investment world. CISA passed the Senate in early 2015, but is still pending a vote in Congress sometime in the fall of 2015.
In light of the varied risks, regulatory concerns, and legal issues around cybersecurity, there are a number of proactive steps that hedge funds can take to implement best practices in their cybersecurity environment.
Organizations must make cybersecurity initiatives a part of their top-down governance and enterprise risk management (ERM) policy. Cyber threats are not limited to technology issues; they are part of strategic business initiatives as well. For instance, business managers may plan to launch a new service or acquire another firm, which may inadvertently introduce a new cybersecurity risk to the organization. Strategy discussions must involve IT leadership early on, thereby fostering an environment of collaboration within the firm.
Investment firms need a comprehensive cybersecurity framework to inform policies and procedures. Many in the industry have adopted the frameworks put forth by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). In fact, the White House issued an executive order in 2013 explicitly naming NIST as a preferred (but not mandatory) template for financial firms. Whatever framework the firm chooses, it must be robust and include key cybersecurity process and control areas, from incident response management to cybersecurity countermeasures and monitoring.
Because hedge funds operate in a highly competitive industry, managers may be reluctant to go public when a cyber attack has occurred. As a result, there may be little information available to help those in the industry gain insights into pending attacks and attack methods. Such lack of information may eventually hamper the fund’s ability to fend off attacks.
In the guarded world of hedge funds, it’s crucial to be part of an anonymous information-sharing network of peers and law enforcement. Hackers often deploy sophisticated attacks on several firms in short succession. They have the element of surprise on their side, and leverage the fact that firms in the competitive investment community are not likely to exchange information.
The Financial Services Information Sharing & Analysis Center (FS-ISAC) is perhaps the preeminent information sharing network for the financial services industry today. For a membership fee, participating organizations have access to a community where they can safely disclose information about recent attacks and stay current on the latest cyber threat analysis.
As lean organizations, hedge funds often outsource key business functions to third-party vendors through the use of cloud services. When entrusting the so-called “crown jewels” to third-party vendors, hedge funds may be inadvertently opening new avenues for cyber attacks. Accordingly, they must vet such third parties to ensure that they maintain strong and robust cybersecurity processes and controls.
This is where many hedge funds rely on third-party assessments (or attestations) of their vendors’ control environment. For instance, a Service Organization Control (SOC) report requires the assistance of an outside public accounting firm to test the vendors’ internal controls around security, privacy, confidentiality, availability, and/or processing integrity. The firm then issues a formal opinion on the state of internal controls. For investment firms, these reports may be the best way to ensure that their vendors have strong cybersecurity processes and controls in place.
Implementing a robust cybersecurity framework like NIST is necessary, but fund managers must also ensure that periodic reviews are conducted to assess the strength of the control environment over time. Sometimes organizations choose to bring in outside experts to perform these assessments. An outside expert can provide standardized and objective feedback about control weaknesses, while also keeping management informed of industry best practices.
Hedge funds and other investment managers face a unique set of challenges in planning for and protecting against cyber attacks. As profit centers and keepers of valuable investor and trading information, hedge funds represent an especially attractive target. Cyber attackers are constantly becoming more sophisticated and better organized. The fallout can be highly damaging to money managers in the competitive and reputation-driven world of financial investing. Firms must be proactive in implementing best practices to safeguard against attacks, while preparing themselves to respond quickly and effectively should a breach occur.
For more information on cybersecurity program management and risk assessments, or to learn how Baker Tilly risk specialists can help, contact our team.
This article was also published on HedgeConnection.