Digital Assets Report

Newsletter

Like this article?

Sign up to our free newsletter

Cybersecurity trends in an ever-changing landscape

Related Topics

Hedge funds are an integral part of the financial fabric, and, whilst they may not have the same capital profile as large investment banks, the Bank of England is advising that they strengthen their resilience in order to recover quickly from attacks.

In the Bank of England's July 2015 Financial Stability Report, they write: "A successful attack on a systemic institution or vital infrastructure (including non-financial infrastructure that the financial sector relies on, such as utilities) could cascade throughout the financial system." 

In May 2014, the BoE established a vulnerability testing framework – CBEST. Although this is aimed primarily at banking groups, the largest hedge funds that could present a systemic risk to the UK economy should be adopting similar defensive measures.

"We are seeing new advances in the way these attacks are being carried out and determining their origin is becoming increasingly difficult," says Matthew Martindale, director, KPMG's cybersecurity team. "Cyber is another vector for the kinds of attacks that have been happening for many years – hactivists will launch physical attacks on buildings but the internet gives them anonymity."

Sophistication of attacks

One of the clearest cybersecurity trends is the sophistication of attacks. In December 2013, the CFO of hedge fund group Fortelus Capital Management LLP received a phone call late Friday afternoon, just as he was leaving the office. The caller pretended to be from Coutts, the hedge fund's bank, and the net result was that USD1.2 million of fund assets were misappropriated. It was, unfortunately, a classic case of social engineering. 

"There are attacks every day and you don't have to be big; in fact, hackers prefer smaller, less defended groups," says Eldon Sprickerhoff, founder and chief security strategist for the Canadian network-security company eSentire Inc. "We are seeing a doubling of cyber attacks year after year across our client base. The Fortelus attack wasn't random. It was properly researched and executed according to plan. I'm sure it wasn't the only RIA that was probed and targeted in this manner."

Aside from social engineering, cyber groups are taking a more strategic, long-term approach to infiltrating networks and gathering sensitive information. The industry term is an "Advanced Persistent Threat" and it underscores just how careful fund managers must be at protecting their businesses. One cyber group that was identified by Kaspersky Labs in February 2015 was Carbanak. 

"The basic idea of an APT is to infiltrate the system, disable antivirus, and quietly stay connected below the radar, gather keystrokes (conceivably including bank account details, SecureID details, and passwords) and use that information to pivot across different systems within the network. Over the long term, the cyber group essentially has remote control over the network and work out how best to extract value from the target organisation – and normally, that value is cash from either trading accounts or from working capital accounts," explains Sprickerhoff. 

By using signals intelligence, eSentire looks for "indicators of compromise" to determine if malicious attacks are occurring. "I try to describe what we do as providing an embedded incident response. If we see an attack on one client we step in to block them from all other eSentire clients. We're constantly looking for new IOCs. We let clients know when traffic is being blocked to put them on a higher level of alert and we also send out regular advisories when broad cybersecurity attacks or issues arise," says Sprickerhoff.

The two main modules it uses are EXEcutioner and Asset Manager Protect (AMP). The former provides white listing to prevent the download of malicious payloads; executables are one of the most common ways of downloading malware. If an executable is not on the white list, EXEcutioner shoots it down. The latter, AMP, is a black listing module whereby eSentire continuously scans the environment to block unwanted traffic. 

Carl Chapman is the COO of Capital Support, a leading managed IT services provider. He says that if one looks at the lowest common denominator with cyber attacks, what cyber criminals are looking for is:

• A process that doesn't have sufficient checks and balances

• An individual that is more trusting than they perhaps should be. 

"If you can infiltrate a hedge fund with a cryptolocker-type virus and identify a vulnerability within the organisation then you can target it with a more sophisticated attack," says Chapman, adding that the solution is to reduce the likelihood as much as possible. 

"There are lots of different things managers can do to mitigate the risk of someone stealing valuable data from their network. But there's no point locking the front door and leaving the windows open. This is risk management 101, it's a straightforward business issue, and the only way to resolve it is by having an organisation's people, processes and technology working in harmony." 

Social media

The parabolic rise of using social media in recent years has created a potential Pandora's Box for hedge fund managers. On the one hand, developing a strong social media presence is necessary for managers to build their brand. But on the other hand, if Facebook and Twitter are misused, they could expose the manager to even greater cyber risks moving forward.

"Personally, one trend I think we'll see more of is spear phishing attacks. If I wanted to send a clever phishing email I could go to LinkedIn, see who you work with, find out a bit about yourself, and I'd send you a nice email pretending to be one of your work colleagues to ask if you want to go VIP to a concert. They'd click on the link and that would initiate a virus. It's that easy," warns Chapman.

KPMG's Martindale suggests that those managers who don't embrace social media are potentially at risk from impersonations – something that could be catastrophic if investors receive inappropriate content. 

"We run a series of simulated cyber exercises to help our clients prepare for a potential cyber breach and one of those often used is where we say that the Manager's Twitter account has been compromised," says Martindale. It's an important point. After all, a portfolio manager – or someone pretending to be them – who shares thoughts on certain stock could potentially move its price. 

Understanding the data framework

One trend that is likely to gain momentum, is managers focusing on prevention by understanding data within funds. For too long, CTOs haven't necessarily kept tabs on what the finance side has been doing regarding strategies and data domiciled. "The end goal is to understand what data you have in order to defend it properly. There's no tech solution to that," comments Sprickerhoff. 

It's important for CTOs to be aware of the pockets of data they have both in their enterprise and outside (e.g. within a cloud environment) in order to defend it properly, according to Sprickerhoff, who says: "Often data is shipped offsite to a public cloud that requires higher rigor than it's given.  It's critical that this kind of "Shadow IT" needs to be controlled so as to not run afoul of regulations."

Managers who can demonstrate that they have a robust cyber risk programme will also likely stand out from those who do not; in other words, just as operational risk and compliance are key issues for institutional investors, cyber risk will likely also become a criteria in manager selection.

"We did a survey recently and around 79 per cent of institutional investors said they would be concerned with their investments if any of the managers suffered a cyber breach," confirms Martindale. "Those managers who can embrace the opportunity will be well positioned – and it's not about rolling out the red carpet and waving your certification to say `we've done this', it's about truly getting a grip of your risk position. Be proactive; don't just wait for regulation."

Outsourcing to cyber specialists 

Of course, not all managers have the IT budgets to shore up their technology network. Given that cyber risk has become a threat seemingly overnight, smaller managers face a challenge striking the right balance between budget and risk. 

"It's not about implementing security measures; you then need to maintain them," says Gerhard Grueter, co-founder of Lawson Conner, a market leader in compliance solutions for the investment fund industry. "It needs to become part of the business fabric. Policies need to be tested, updated periodically, to see whether they really are as secure as they think they are. We can provide cyber risk expertise to managers as and when they need it as a trusted outsourced partner." 

For those who have robust cybersecurity policies and procedures in place they will have a competitive advantage, "not just in terms of attracting new capital but maintaining their existing investor capital", adds Grueter. 

Regulators will be pragmatic not prescriptive

Anything that threatens the infrastructure within which fund managers conduct regulated activities is going to be firmly on the agenda of global regulators. That is why the SEC has made cyber risk assessment a key focus over the last 18 months, culminating this April in the release of guidance by the SEC's Division of Investment Management. In Europe, Grueter notes that under the AIFM Directive there are guidelines on how risk is perceived and how it should be measured and monitored.

"I think we'll see a similar kind of action list from the regulator at some point, outlining what needs to be done in respect to cyber risk. People will need to become accountable for it. If you are a senior manager it will become part of your personal risk if you don't look after that aspect," opines Grueter. 

Sprikerhoff does not believe that the SEC will get any more prescriptive than the four bullet points of guidance that it issued. When asked whether the hedge fund industry might see a trend of managers hiring Chief Information Security Officers (CISOs) he responds by drawing attention to the fourth bullet point – compliance obligation – which is the most important for managers to be aware of (the other three are cyber assessment, strategy and implementation)

"I'd estimate that at most three out of 100 RIAs have hired a CISO. These firms typically have more than USD15 billion in AUM. One point that came out of our meetings with the SEC in the last year is that it's not their intention to mandate that every fund must have a separate CISO designated.

"For funds under USD20 billion AUM, it's more likely that the CTO and CCO will collaborate to cover the responsibilities usually given to a CISO, and will outsource the technical aspect to meet any remaining requirements. Why? Because the SEC compliance obligation for cybersecurity requires a new level of appreciation for cybersecurity rather than a new position. This is not wholly a technology fix. The SEC has specified that a fund's General Counsel and CCO will need to understand their cybersecurity compliance legal obligations. It will be their duty to work with the CTO to ensure that adequate protection that is appropriate to the firm's data, domicile, and strategy is implemented," says Sprickerhoff. 

To help managers assess what cyber risk measures to employ, eSentire has created a cybersecurity guidance matrix, released in their June 2015 cybersecurity advisory: www2.esentire.com/SECMatrix

Detect and respond

Going forward, Martindale thinks hedge funds will increasingly look to improve their detection and response capabilities; something that is already seen in other parts of the financial industry: "In the detection space I use the analogy of alarming one's house. If someone breaks in through the bathroom window, the right alarm needs to go off in the right room as quick as possible and the right level of response needs to be taken to contain that breach and recover promptly. 

"However, this requires understanding where the threats are coming from. Managers should run simulated exercises to practice what they would do and what decisions they would make. Those who can respond and recover in a positive way from a cyber breach will come out in a positive light by mitigating the impact on stakeholders and investors." 

Like this article? Sign up to our free newsletter

Most Popular

Further Reading

Featured