“All in this together”: How hedge funds are tackling cybersecurity challenges in the Covid-19 lockdown


With the closure of non-essential workplaces during the Covid-19 pandemic shaking up the way financial services companies do business, the remote working environment is raising an assortment of operational challenges for hedge fund firms, spanning communication technology, data and information security, and infrastructure vulnerability. 

When the UK lockdown was announced last month and the hedge fund industry exited its Mayfair enclave, firms of all sizes and strategies implemented extensive contingency plans for home working in order to continue operations.

Man Group, the large London-headquartered publicly-traded hedge fund group which manages a range of discretionary, systematic and multi-manager strategies, had already set up a dedicated Covid-19 response team in January to implement its pandemic response plans.

The measures – which included extensive tests to ensure systems and processes could continue to operate with large numbers of staff working remotely, and additional hardware and software tools to strengthen connectivity and productivity – were reflective of the steps taken more widely within the industry. 

Hedge funds have generally been adapting well to the new working environment, according to Simon Eyre, managing director at cybersecurity software and professional services firm Drawbridge Partners. 

“However, what has perhaps caught a few managers out, is the additional preparedness that’s needed to be in place in order for people to work from home for a longer period of time,” explains Eyre, whose firm provides a range of data security and business infrastructure products for hedge funds, private equity and other alternative investment companies.

Securing resources

While most firms’ business continuity plans and disaster recovery plans are designed to cover a range of scenarios in which offices are inaccessible and home working is required, those plans tend to be centred around shorter-term challenges, such as city blackouts, terrorist attacks, or natural disasters.

“This lockdown is one of the first real instances of where long-term scenarios have kicked in. That’s meant some BCPs weren’t quite built to handle that,” he explains. 

With the lockdown now extended into May, Eyre – who has more than 20 years of IT governance, technology architecture, cybersecurity and corporate strategy experience – points to potential headaches around software capacity and hardware procurement.

“Certain remote access tools were originally built from a resource and licensing standpoint, with the expectation that maybe only 20-30 per cent of staff would be logging in within an evening or a weekend. Firms perhaps felt that in a short-term environment they needed essential staff like traders and portfolio managers to be able to access systems remotely, but many other colleagues could go two or three days without access,” he says. “That has definitely changed – they’ve needed a dramatic ramp-up in the resources and the licensing of the remote access portals.”

Demand for additional hardware, meanwhile, has also become a focus of concern. “Working from a laptop and a single screen for a few days is fine but, longer term, firms need additional hardware – extra screens, Bloomberg access, and so on. As it became clear the lockdown would happen, and everyone would be working from home, delivery times for things like display screens became longer, and other hardware to allow multiple screens to connect laptops went out of stock pretty quickly.”

Home networking

Managing multi-billion investment strategies is very much the lifeblood of any hedge fund, with software and tech at the heart of that process. Equally important, though, is the industry’s ability to connect with potential clients and keep investors up-to-date on portfolio performance.

But as the elegant Mayfair terraces – very much the UK hedge fund industry’s traditional nerve centre – remain silent, keeping external contacts in the loop is also proving testing for a business sector built on often-discreet networking and one-to-one meetings.

Suhail Shaikh, chief investment officer at London-based Fulcrum Asset Management, suggests there is an emerging gap between internal and external communications during the lockdown period. 

“We’ve been quite disciplined in maintaining our regular morning meetings so that staff and colleagues are constantly in touch. But where it’s been slightly more difficult for the industry is where you have to liaise with many other external parties,” explains Shaikh, whose firm manages a range of discretionary and systematic macro strategies. 

Expanding on this point, he says: “Many of the large investment banks had to split their offices and put their staff into two to three different locations. 

“So if you’re a hedge fund and you’re trading with these investment banks, and you need to deal with custodians and so on, the productivity and the speed of getting things done when working with external parties has definitely been affected somewhat. Even though you’ve always been remote from each other, people are definitely experiencing communication delays. It’s not just us – it’s been across the board.”

Elsewhere, communication tech has also proven to be fertile ground for phishing attempts, according to Eyre. 

“This includes domain name impersonation, as well as a lot of Covid-19-related messages – ‘Click this link for the latest data’, ‘Click this link for the latest maps’. It’s spreading beyond email, and coming through other collaboration tools – things like Slack, SMS,” he adds.

“People’s awareness has improved with email, and if you have a good information security awareness training within your business, people are getting good at catching the emails. But it’s much harder when it comes through on your mobile phone or via a chat message.”

The lockdown is also flagging up potential regulatory concerns for investment managers.

The growing use of chat tools and conferencing apps among firms raises questions over whether their rapid deployment has followed best practices when it comes to issues such as monitoring, recording and data loss prevention policies. There are also concerns that, with staff separated, the ‘Four Eyes’ principle – in which any financial transaction requires a second person to approve it – is being circumvented, says Eyre.

“If some staff are unavailable, then their roles have to be covered by someone else. You also have a cybersecurity issue there, in making sure that once the roles separate again, you don’t continue to allow certain access to different environments or data within the platform that perhaps their role doesn’t require.”

“All in this together”

As the alternative investment industry has grown and evolved over the past two decades, it has frequently demonstrated an ability to thrive and innovate during testing times, to seize on technological advances, and reshape and reinvent its business models. As the Covid-19 lockdown in the UK is extended, there is a growing sense that the current climate of remote working is fostering a sense of community spirit and collective purpose within hedge fund firms.

“If this lockdown had happened in 2008, firms would be in a very different position,” says Suhail Shaikh.

“What we’ve found, partly because our performance has been good and partly because we’ve given people the resources and set them up at home with exactly what they need, is that there’s a bit of a buzz, a sense that we’re all in this together, a feeling of ‘let’s get through this and let’s do the best that we can’.

“Technology and communication is so much better today that in many ways I’m finding my team are actually feeling more connected with each other, and with other people in the organisation.”