PARTNER CONTENT
By Anand Mohabir, Founder & CEO, Elteni
Cybersecurity in the hedge fund industry has passed a tipping point in 2025. What was once considered an IT issue, handled behind the scenes, is now a boardroom issue with a direct impact on investor confidence, day-to-day operations and reputation.
Ten years ago, it was acceptable to secure the perimeter with strong firewalls and train staff to identify a phishing email. The landscape has changed so dramatically that this is not even the starting point for protecting a fund’s systems. Attackers are using AI to clone voices and impersonate colleagues and investors, and are penetrating the networks of vendors that provide the fund’s back-office services and infrastructure. The distinction between privacy, cybersecurity and operational risk is dissolving, with very real consequences.
Earlier this year, a group called ShinyHunters performed a highly sophisticated, multistage attack using voice phishing and malicious data-loader tools to target Salesforce environments. Instead of using brute force, the group used AI-generated voices that simulated legitimate support staff. This fooled employees into giving the attackers access to sensitive systems. Ultimately, financial and client data from numerous firms began to appear on the dark web.
While no hedge funds were directly attacked, the breach of Salesforce is an example of something hedge funds can realistically expect. Hedge funds rely on third-party platforms for various functions, from investor relations to portfolio analytics and trade reconciliation. Each service adds efficiency but also presents an open door for attackers. A single compromised vendor account could reveal investor records, trading strategies or counterparty data.
The artificial line between privacy and cybersecurity is also dissolving. When personal information or investor data is stolen, it’s both a security failure and a privacy violation. Regulators, investors and the public will not make such fine distinctions. An example of this is the SEC’s recently updated Regulation S-P, which started as a rule about protecting customer information but has evolved into a rule about incident response plans, breach notifications and ongoing oversight.
Hedge funds operate in one of the most interconnected ecosystems in finance. Between prime brokers, administrators, custodians, data providers, and trading platforms, a fund’s operation depends on dozens of external partners, each of which increases the attack surface.
The LockBit ransomware attack on ION Group in 2023 illustrated just how fragile that system can be. When ION’s derivatives clearing systems went offline, many hedge funds had to process trades manually. Even though they weren’t the direct targets, they still suffered the consequences: delayed operations, frustrated investors, and increased scrutiny from regulators.
While your firm may have strong controls, if a vendor or service provider is compromised, your operations can grind to a halt. Because of this, vendor oversight is not a box-checking exercise; it’s a continuous process that sits at the heart of enterprise risk management.
Artificial intelligence is reshaping how cyberattacks are planned and executed. Malicious actors are using AI to create convincing phishing messages, replicate executives’ voices, and even produce fake video messages. Over the past year, several hedge fund executives have been targeted by deepfake phone calls. Some of those calls came during critical financial transactions.
Traditional awareness training isn’t enough anymore. Firms need to implement AI-aware defenses: systems that look for unusual patterns, not just suspicious emails. Verification protocols for wire transfers, trading activity, and data access must evolve. In a world where you can’t always trust what you see or hear, internal validation becomes the new perimeter.
Even though the SEC recently pulled back some of its proposed cybersecurity rules, that shouldn’t be seen as a step back. Regulators are simply rethinking how best to apply them, not whether they’re necessary. In the meantime, expectations from investors and other oversight bodies are only getting higher. Firms are still expected to show they have a strong handle on cybersecurity, regardless of whether a formal rule is in place. For hedge funds, the merging of privacy and cybersecurity has become part of the same fiduciary responsibility: protecting investor trust.
That uncertainty leaves hedge funds in a tough spot. Executives face greater personal accountability under existing fiduciary standards, even as the broader system for sharing cyber threat information continues to weaken. It’s an uneven landscape, but investors aren’t waiting for regulators to catch up. Many are already pressing funds to prove they’re ready, asking deeper and more detailed questions during due diligence to see how seriously they take cybersecurity and data protection.
Leading hedge funds are treating cybersecurity as more than just a compliance task. Institutional investors have increasingly incorporated cyber maturity into their due diligence, and regulators are reviewing how firms structure their programs.
The most resilient hedge funds are embracing a modern approach built around six key elements:
- Zero trust architecture – Every device or user must prove their identity.
- Active vendor oversight – Perform continuous monitoring of key service providers.
- AI-resilient controls – Build in defenses that can detect AI-driven deception, including voice verification and behavior-based authentication.
- Integrated privacy and incident response – Combine cyber and privacy functions to streamline response and notification.
- Board-level accountability – Treat cyber risk like investment or liquidity risk, with ownership at the top.
- Testing and simulation – Run phishing tests, tabletop exercises, and recovery drills to ensure readiness.
Firms that implement these practices aren’t just protecting information, they’re protecting business continuity, reputation, and investor confidence.
This year may prove to be a defining one for hedge funds and cybersecurity. The rise of AI-driven attacks, the growing complexity of vendor ecosystems, and shifting regulatory expectations all point in the same direction: standing still is not an option.
Cybersecurity and privacy have become essential parts of how funds operate and uphold their responsibilities. The firms that take them seriously and treat them as business priorities, not just compliance requirements, will be the ones that stand out.
Trust is the new alpha, and resilience is how you earn it.
Anand Mohabir, CISSP, CISM, OSCP, CREST-CRT, CMMC-RP, CEH, Founder & CEO, Elteni – Anand Mohabir is the Founder and CEO of Elteni, a cybersecurity consulting and advisory firm focused on helping organizations strengthen their security posture, manage risk, and achieve meaningful compliance. With close to three decades of experience across technology, cybersecurity, and financial services, Anand brings both strategic insight and deep technical expertise to his leadership at Elteni. Before founding Elteni, Anand served as Managing Director of ACA Aponix (the cybersecurity division of ACA Compliance Group). His prior experience includes senior technology and security roles at Adams Hill Partners, Massif, Labranche Structured Products, and JAT Capital, among others. Anand holds multiple advanced cybersecurity credentials, including CISSP, CISM, OSCP, CREST-CRT, CMMC-RP, and CEH, and is actively involved in the cybersecurity community. He is recognized for his pragmatic approach to cybersecurity leadership, commitment to education, and dedication to helping clients build resilient, secure environments.