How hedge funds need to address cybersecurity threats
The threat of cyberattacks is growing within the hedge fund community, requiring managers to put in place policies and procedures that address the cybersecurity risks unique to their firm. This goes beyond merely acquiring technology and hoping for the best.
“This year we see the emergence of Chief Information Security Officer (CISO) roles that will help hedge fund managers understand their risks and how the technology is aligned to mitigate those risks. It’s about making sure that network professionals are using the right tools applicable to the firm’s investment strategy,” explains Mike Asher (pictured), CIO at Richard Fleischman & Associates, a New York-headquartered technology firm that has been providing outsourced services to the hedge fund industry for more than twenty years.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Cybersecurity Initiative Risk Alert highlighting the importance being placed on information and cybersecurity preparedness. In February it released a summary of its findings, on the back of which the guidelines for 2015 will be updated over the coming weeks. Contained within these guidelines is a series of questions covering everything from cybersecurity monitoring and business continuity plans to the WISP (Written Information Security Policy) and physical security.
The SEC selected 50 firms, including broker-dealers and registered investment advisers, to see how they stack up in relation to these questions. The end objective is to prevent financial institutions from falling victim to cyber attacks. The fact that the SEC is now treating cybersecurity seriously shows the level of responsibility that technology providers have to their clients, especially those running billions of client assets.
“What the SEC exercise brought to light was that security is no longer just a checkmark on investor DDQs. There is now a new baseline standard for security, which alternative asset managers have to adhere to,” says Asher.
In response to the examinations, technology providers rushed to market with product offerings that were good but not, says Asher, “mature enough for enterprise-level consumption”. One example is penetration testing software, which has been around as long as network security itself. The problem is that many of these firms fail to define how their solution relates to financial firms. “The same sort of products and services that were being offered to the wider marketplace were simply being packaged and sold to the financial industry,” adds Asher.
The alternative asset management industry is unique and cannot be expected to use generic products or security configurations. Whilst everyone emphasised the need for security last year, nobody took a step back and asked, ‘What is my current strategy and what are the risks associated with it?’ Only once that has been analysed, and the risks highlighted and understood, can the next question be asked: ‘Who is the right person to guide me and help mitigate the risks of today, and tomorrow?’
“This is where we see the evolution,” states Asher. “The initial package of service offerings – penetration testing, intrusion detection and prevention systems – that were implemented last year, as part of that initial push to bring alternative asset managers to the baseline level of security, did not answer the above question. That’s where providers like RFA come in. We can share our experience, not only when it comes to what technology, but also at the level of policies and procedures. We advise management firms on how they can create customised solutions that address their specific business needs.”
Rise of targeted attacks on hedge funds
Grigoriy Milis is chief technology officer at RFA and a 16-year IT veteran, holding various leadership positions covering all aspects of infrastructure design, R&D and evaluation and testing of new technologies.
The malware market has, over the years, focused on softer targets within global markets: namely stealing credit card information from individuals, which has, naturally, proved highly lucrative. Hedge funds, by contrast, were largely overlooked, much to the surprise of Milis. This could be because “hacktivists” viewed them as secure, tech-heavy institutions. As the sophistication of malware has improved, however, the number of targeted attacks on hedge funds has started to rise. Eldon Sprickerhoff, chief security strategist at cyber-protection firm eSentire, says he sees more than 10 phishing attacks every day across his 350 hedge fund clients.
“Hedge funds and Alternative Investment Funds control significant amounts of money, not to mention the sensitive personal information on the fund’s underlying investors, who are typically very wealthy individuals. The intellectual property of the fund is also highly vulnerable. It’s really a perfect place for a cyber hacker to focus their attention,” says Milis.
Protecting the network, and fund data, is a challenge for smaller managers who simply don’t have the budgets to put in place sophisticated protection mechanisms.
“The big change is that hedge funds are now coming under direct attacks; it is no longer just the banks and wire houses being targeted. Managers realize that they have, in fact, got to improve their cybersecurity levels. These are not wide-ranging malware attacks; they have been specifically created to breach internal networks with the intention of stealing or manipulating data such as fraudulent wire transfers, stealing social security numbers or even just to create damage.
“These targeted attacks are the most difficult to guard against. They are custom-made. Typical NQR solutions and even some intrusion detection systems are not able to detect them. Outside of some emerging technologies, there is no silver bullet that can give hedge fund managers 100 per cent protection against a breach,” explains Milis.
Spear phishing, the kind of attack Sprickerhoff refers to above, has existed for quite a while and is one of the most commonly used intrusion mechanisms. The attacker sends an email made to look as if it has come from a trusted source and uses it to deliver customised malware or to extract information from the recipient.
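The headers of a spear-phishing email usually betray the "trusted source" disguise before any attachment is opened. The following is an added example, not code from the article or from RFA or eSentire, showing the checks a mail gateway or a SOC script would run: look-alike sender domains, a protected executive's display name on an outside address, Reply-To and Return-Path pointing elsewhere, and failed SPF/DKIM/DMARC results. The trusted domains, the protected names and the two sample messages are constructed for illustration.

```python
"""Spear-phishing indicator checks over raw email headers.

Added example; not from the article. TRUSTED_DOMAINS, PROTECTED_NAMES and
the two sample messages below are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: the fund's own domains and the people an attacker would most
# plausibly impersonate when asking for a wire or for investor data.
TRUSTED_DOMAINS = {"examplefund.com", "examplefund-prime.com"}
PROTECTED_NAMES = {"grigoriy milis", "mike asher"}

# Character swaps attackers use to build look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def _normalise(domain: str) -> str:
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if is_trusted(domain):
        return None
    norm = _normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or _edit_distance(norm, trusted) <= 2:
            return trusted
        if norm.startswith(trusted + "."):   # examplefund.com.attacker.net
            return trusted
    return None


def phishing_indicators(raw: str) -> list:
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    findings = []

    fake = lookalike_of(from_dom)
    if fake:
        findings.append(f"look-alike sender domain {from_dom} imitates {fake}")
    if name.strip().lower() in PROTECTED_NAMES and not is_trusted(from_dom):
        findings.append(f"display name '{name}' used from untrusted domain {from_dom}")

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    _, rpath = parseaddr(str(msg.get("Return-Path", "")))
    if rpath and _domain(rpath) != from_dom and not is_trusted(_domain(rpath)):
        findings.append(f"Return-Path domain {_domain(rpath)} differs from From domain {from_dom}")

    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in ("fail", "softfail", "permerror"):
            findings.append(f"{mech} result is {m.group(1)}")
    return findings


# Constructed sample messages: one genuine internal mail, one wire-fraud lure.
LEGIT = """From: Grigoriy Milis <gmilis@examplefund.com>
To: ops@examplefund.com
Return-Path: <gmilis@examplefund.com>
Authentication-Results: mx.examplefund.com; spf=pass; dkim=pass; dmarc=pass
Subject: Q2 allocation

See attached.
"""

SPOOF = """From: Grigoriy Milis <g.milis@examp1efund.com>
Reply-To: g.milis@webmail-example.net
To: ops@examplefund.com
Return-Path: <bounce@mailer.attacker-example.net>
Authentication-Results: mx.examplefund.com; spf=softfail; dkim=none; dmarc=fail
Subject: URGENT wire before 3pm

Please release the wire I discussed with the PB today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, phishing_indicators(raw))
```

The look-alike check normalises digit-for-letter swaps before comparing, so `examp1efund.com` is caught as an imitation of `examplefund.com` rather than slipping past an exact-match allowlist; an edit distance of two also catches dropped or doubled letters. The findings list is deliberately descriptive so that it can be forwarded to the user who received the message as part of the training the article goes on to recommend.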
But there are far more sophisticated hacking tools being used. In a recent example, a hacker breached a hedge fund’s network and sat watching activity within the fund. The hacker saw a substantial amount of money coming in to the fund’s corporate bank account and created a fake wire transfer.
“What makes this case interesting is that, at the same time, in order to divert attention from the wire transfer fraud, they initiated a huge DDoS (distributed denial of service) attack on the client’s network. This affected the entire operation and the wire transfer almost went through undetected,” says Milis.
This is where managers need to ensure that the right policies and procedures are in place, so that they are able to respond quickly by knowing what steps to take. Without these, it doesn’t matter how sophisticated the cybersecurity technology might be. In the above example, the manager would have been fully compromised and the wire transfer would have gone through.
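The case above is instructive because the attacker already controlled the network; what stopped the transfer was a procedure, not a sensor. The following is an added example, not from the article or from RFA, of what such a wire-release procedure looks like when it is enforced by code rather than by memory: call-back verification for any beneficiary not already verified, voice confirmation for instructions that arrive by email, dual approval above a threshold, and an automatic hold on all outgoing wires while a security incident is open. The threshold, the verified beneficiary list, the incident window and the two sample requests are constructed.

```python
"""Wire-release policy check with an audit trail.

Added example; not from the article. DUAL_CONTROL_THRESHOLD,
VERIFIED_BENEFICIARIES, the incident window and the sample requests are
constructed assumptions standing in for what a firm's WISP would define.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

DUAL_CONTROL_THRESHOLD = 250_000          # USD; at or above this, two approvers are required
VERIFIED_BENEFICIARIES = {                # accounts confirmed by call-back to a known number
    "GB29NWBK60161331926819": "Prime Broker Margin",
    "DE89370400440532013000": "Fund Administrator",
}


@dataclass
class WireRequest:
    ref: str
    amount: float
    beneficiary_account: str
    requested_by: str
    approvers: List[str]
    channel: str                 # "portal" (authenticated) or "email"
    callback_verified: bool      # operations called the counterparty on a number on file
    requested_at: datetime


@dataclass
class IncidentWindow:
    name: str
    start: datetime
    end: Optional[datetime] = None   # None means the incident is still open


def evaluate(req: WireRequest, incidents: List[IncidentWindow], audit: list) -> Tuple[str, List[str]]:
    """Return ("RELEASE" | "HOLD", reasons) and append the decision to the audit trail.

    HOLD is the safe default: a held wire can be released by a human once every
    reason is cleared, whereas a released wire cannot be recalled.
    """
    reasons = []
    if req.beneficiary_account not in VERIFIED_BENEFICIARIES and not req.callback_verified:
        reasons.append("new beneficiary without call-back verification")
    if req.channel == "email" and not req.callback_verified:
        reasons.append("instructions received by email need voice confirmation")

    independent = {a for a in req.approvers if a != req.requested_by}
    if req.amount >= DUAL_CONTROL_THRESHOLD and len(independent) < 2:
        reasons.append("amount requires two approvers independent of the requester")
    elif not independent:
        reasons.append("no approver independent of the requester")

    for inc in incidents:
        if inc.start <= req.requested_at and (inc.end is None or req.requested_at <= inc.end):
            reasons.append(f"requested during active incident '{inc.name}'")

    decision = "HOLD" if reasons else "RELEASE"
    audit.append((req.ref, req.requested_at.isoformat(), decision, tuple(reasons)))
    return decision, reasons


def run_sample() -> list:
    """Evaluate two constructed requests, the second modelled on the DDoS-covered fraud."""
    audit = []
    ddos = IncidentWindow("DDoS on office egress", datetime(2015, 3, 10, 14, 20), None)
    routine = WireRequest("W-1001", 180_000, "GB29NWBK60161331926819", "ops1",
                          ["cfo"], "portal", False, datetime(2015, 3, 10, 10, 5))
    suspicious = WireRequest("W-1002", 1_200_000, "CH9300762011623852957", "ops1",
                             ["cfo", "ops1"], "email", False, datetime(2015, 3, 10, 14, 35))
    evaluate(routine, [ddos], audit)
    evaluate(suspicious, [ddos], audit)
    return audit


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```

The second request is held for four independent reasons, any one of which would have stopped it; that redundancy is the point, since an attacker who has watched the network long enough may know how to satisfy one control but rarely all of them. The incident hold is the direct lesson of the case Milis describes: once a DDoS is declared, outgoing payments pause until the incident is closed, so the distraction buys the attacker nothing.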
Employee education and training remain one of the core components of a robust cybersecurity plan, and in this instance it paid off.
“It’s important to understand that people can do more damage than any piece of technology. To be as secure as possible requires a combination of policies and technology,” says Asher.
Of course technology is key. After all, a manager won’t know they’ve been breached unless they have a detection solution in place. In addition, managers need to regularly audit who has access to their data, and audit activity within their network. It is a system of checks and balances.
Auditing, monitoring and detection are becoming ‘must haves’ for any hedge fund manager, in Milis’ view.
“The second element to this is procedural. A manager needs to have policies and procedures in place in order to outline what they need to do if a breach occurs. As with any crime, the timeliness of the response is extremely important. The faster one can respond to a breach, the faster one can determine the extent of the breach and the better able one will be to mitigate the damage,” explains Milis.
Even more than the fast response, policies and procedures that are detailed, practiced and enforced can help mitigate breaches before they occur.
Certainly, WISPs are a big part of addressing these procedural issues. In addition, the manager’s compliance manual should include policies pertaining to technology, such as data usage, mobile devices, breach protocols, and disaster recovery. Each of these topics should be broken out as a separate set of policies and procedures as they relate to each area of business operations. Technology is part of the procedures and assists in enforcing the policy.
It’s a detailed process but that is exactly where RFA can step in, providing the specialist expertise to consult with managers, perform gap analysis on their existing cybersecurity policies and help them more clearly understand security risks. These procedures need to be written by industry professionals with experience in dealing with network breaches.
“It’s about tying together all critical components. If you look at security research firms, for example – eSentire, SecureWorks – they are big companies in this space. They look at security matrices, the latest threats, and are able to provide products and services on the infrastructure security front.
“In addition, managers need someone to analyse their environment, perform gap analysis, and create a cybersecurity breach policy. It’s not as simple as taking a cookie-cutter approach as one might with a disaster recovery policy. With cybersecurity it’s a specific protocol, it’s understanding what’s at risk and gathering information at the early stages; usually, smaller funds are not equipped to handle this. I don’t even know many large hedge funds who are equipped to handle this internally,” states Asher.
Each policy and procedure should be testable and quantifiable. To have a policy documented that can’t be enforced is worse than not having the policy.
Vulnerability is a function of hedge fund size
Within the hedge fund firmament there are many highly advanced, technologically superior managers that have built state-of-the-art infrastructures: firms like Citadel, Renaissance Technologies, and other quantitative hedge funds, have long been safeguarding their trading codes and intellectual property.
The same cannot be said for more traditional strategies, such as equity long/short, particularly as one moves further down the AuM scale. These managers have more to catch up on.
“Smaller funds certainly don’t have budgets to spend and historically have operated in a more relaxed environment. What I mean by that is if you look at large established hedge funds, they operate as you would expect a large company to operate: they have clear operational controls in place, user rights and so on. Smaller hedge funds tend to allow staff to have more freedom and senior management are less inclined to impose strict controls,” says Milis.
This is understandable: the reason many traders set up hedge funds is precisely to escape the confines of large-scale institutions and the myriad rules they have to abide by. That mindset, however, when applied to network security and data access, is a potential danger in today’s environment.
“Now, it is clear there have to be technology-implemented rules in place that restrict freedom for all. It’s a slow change but I think managers across the board are starting to understand the importance of this and implementing change,” adds Asher.
Connecting to Prime Brokers – another area of vulnerability
Aside from the hedge fund itself being vulnerable to potential cyber attacks, another source of vulnerability that could be targeted is the trading connection that exists with a fund’s designated prime broker(s).
According to Asher, the way primes are responding to this can be split into two camps. Some are focused on avoiding bad publicity and are providing their clients with industry best practices and standards, which they advise to all their clients, not just alternative managers but all asset managers.
“They are producing their own templates of recommendations to serve as a minimum standard,” says Asher, who continues: “Then there’s the second camp of prime brokers who are taking the stand that it is such a complicated situation that they are better suited recommending vendors, taking a step back and leaving it for individual clients to come up with their own solutions.”
When it comes to addressing security concerns, it would appear that for some prime brokers it is a reputational issue, whilst for others it is a liability issue.
“At the end of the day, it will be part of the product offering that all prime brokers will have to provide as part of their IT service. Goldman Sachs is now working closely with security vendors and looking at what everyone is doing; it’s just a matter of time before they all offer a solution,” suggests Asher.
To conclude, it’s worth referring to the fall-out that is building on the back of the recent Sony hacking. Whilst the incident, which targeted Sony’s PlayStation network and involved the theft of personal details from thousands of individuals, was a clear embarrassment to the firm, of greater import is the number of lawsuits now being filed by the individuals who were affected.
This is a stark warning to hedge fund managers who remain blasé about security.
“If private information is taken off site and you don’t do your due diligence to understand the extent of the breach that can be a greater threat to the existence of the fund than the original cyberattack,” says Milis.
The real harm does not come from the cyberattack itself; it comes from the downstream effect of having to inform your investors. The reputational damage could be irreversible.
“If managers don’t do anything, you can guarantee it’ll be the end of their fund,” concludes Asher in no uncertain terms.