Cyber crime is building to tsunami-like proportions and hedge fund managers are not immune from the threat yet there still appears to be a degree of naivety.
According to Carl Chapman (pictured), COO of Capital Support, a leading managed IT services provider, C-level executives tend to overlook the importance of having a solid security risk programme. "They still think cybersecurity is an IT issue but it's not; it's a business issue.
"One of the approaches we've taken with some of our customers is to explain that cybersecurity is really just risk management and should be treated in the same way as trading risk and operational risk in the middle and back office," says Chapman.
"If you mirror the same process and call it "security risk management" rather than risk management, then effectively you are retaining the understanding of terminology, which the CEO can relate to," says Chapman.
"Our responsibility is to help fund managers with their choices. With any risk, you can choose to accept it or not. Allowing users access to their USB, for example, may be an acceptable risk but you can only accept that risk if you understand what the potential impact might be."
Hedge funds are unique in that many trade with a greater sophistication than investment banks yet they may only have a dozen employees, a modest amount of AUM, and a far smaller IT budget. This makes cybersecurity a tricky balancing act whereby managers need to assess the cost of protection; how much should they spend vis-à-vis the threat level?
As long as firms understand the risks, Chapman's point is that they can choose whether to mitigate them or not. One of the biggest risks that firms face is the inability to trade because of a virus entering their environment. Some, like the "Heartbleed" virus last year, enabled hackers to steal sensitive data and eavesdrop on users, as well as mimic them.
Then there's CryptoLocker, a ransomware Trojan that encrypts data and sends an email along the lines of "Pay USD500 and we'll give you the key to unencrypt the virus or else the data will be lost". This isn't exactly going to bring down a hedge fund, but as Heartbleed showed, the biggest threat to any firm is the ease with which they target the weakest link.
"Currently, there is no need for organisations to report such a breach to the regulator but in the same way that the US has disclosure rules, the FCA will soon require organisations to disclose any incidents that prevent them from trading – which could result in reputational damage to the manager," comments Chapman.
The solution, says Chapman, is to look at the footprint of what could cause the threat in the first place and then mitigate it. Indeed, Capital Support is able to provide its hedge fund clients with access to a security officer who can independently provide advice and guidance, identify risks and help prioritise those risks when the manager chooses to mitigate them.
"Treat security risk as you would any other risk in your business. Once you understand the potential risk and impact, only then can you make smart business decisions about what you should mitigate," concludes Chapman.
