System integration has created cyber threat
Today's world has never been more interwoven. Cybersecurity risks have grown exponentially as global businesses have become more integrated with counterparties and system architectures have grown in complexity. In the opinion of Gerhard Grueter, co-founder of Lawson Conner, a market leader in compliance solutions for the investment fund industry, the topic is only going to get bigger.
"Today, cybersecurity has become a genuine commercial issue that can bring down entire firms because of reputation risk and regulatory risk. The threat today is nothing like what it was five years ago. It is now an active market of cyber criminals deliberately going after data and attacking firms that have become much more integrated," says Grueter.
One of the problems unique to hedge funds is that they are perpetually engaged in data sharing and have multi-level "access" points across numerous jurisdictions – be it with their prime broker(s), their fund administrator, or other critical data and software providers. This flow of "Big Data" across multiple nodes means that hedge funds have a potentially higher number of weak points for cyber hackers to target.
"A fund manager ten years ago was an island in terms of technology," says Grueter. "They used a few disparate systems and all of the solutions were quite singular in nature. Now, these solutions have become completely integrated. This means that if one system goes down, it could bring down the entire platform. Moreover, managers are not only dealing with one counterparty, but multiple counterparties who themselves delegate responsibilities to counterparties that the manager doesn't even know of.
"The industry has created some kind of a monster and nobody has said, 'Hang on, let's look at this and see if we can't make things more secure.'"
Those most vulnerable to cyber threats are smaller managers who do not have the budgets to afford full-time IT specialists. Even for those who do, there aren't enough internal resources to allow IT teams to plan for non-standard situations.
"This is putting demands on IT teams to not only administrate the network but to become cybersecurity specialists. Managers need to give IT a bigger focus and allocate more budget to deal with the unseen threat of cybersecurity risk – just the same as the COO has to deal with operational risk," suggests Grueter.
To overcome the burden of acquiring in-house cybersecurity expertise, firms like Lawson Conner are able to manage the threat as part of a wider outsourced compliance function, welding together a hedge fund's internal expertise with external specialist cybersecurity expertise.
There are two areas in which Lawson Conner helps clients. "One is for clients on our investment manager platform who benefit from a standardised approach to cybersecurity: testing, monitoring, risk assessment and finding gaps. Managers can outsource a large proportion of their cybersecurity risk and compliance to our specialists who are not only doing this on behalf of one client, but multiple clients.
"The second area is for new funds who aren't on our platform, yet don't have the ability to hire a specialist IT person full-time. In this context, cybersecurity forms part of our outsourced compliance service. This is an ongoing service requirement as opposed to being a consultancy service, which is finite. And that's critical given the fact that the cybersecurity threat is constantly evolving," concludes Grueter.