How to Prepare Your Hedge Fund for a Cyber Attack


By Hardeep Mehta • Risk Management • January, 2018


Cyberattacks are becoming more commonplace these days. 2017 saw an increase in cyber attack incidents all over the world. In the U.S., Equifax saw one of the largest cyber incidents, with personal and financial information of over 143 million customers being stolen in one cyber attack.

According to Bloomberg, “Extra spending on security and lawyers in the wake of the hacking helped push third-quarter operating expenses to the highest on record, the Atlanta-based company said Thursday in a statement. The company also said it’s facing more than 240 class-action lawsuits and more than 60 regulatory or governmental inquiries.” In addition to the costs, the loss of reputation and consumer confidence is huge and hard to measure in real dollar terms.

This makes it even more pivotal for hedge fund managers to make sure that their fund is well prepared against cyberattacks. In addition, regulators are taking a stronger interest in understanding and assessing the resilience of regulated investment firms to cyberattacks. In this post, we will cover four topics: (a) What are a hedge fund’s key digital assets? (b) What are regulators looking for? (c) What areas should a hedge fund focus on? (d) What are simple steps to take to get started?

What are a hedge fund’s key digital assets?

The key vulnerable digital assets for a hedge fund include personal and financial information of clients, proprietary trading models and algorithms, portfolio positions, risk and trade execution details. All of these are highly critical pieces of data, and should be strictly guarded against a cyber attack. If a hedge fund loses confidential client data in a cyberattack, this will lead to a huge loss in reputation, legal problems from both regulators and clients, and possibly the inability to raise new capital in the future. 

As you can see, the consequences of losing personal and financial client data are severe. This is especially important for hedge funds using multiple prime brokers, custodians, and other third-party firms to perform their operations. Although the hedge fund manager does not have direct control over the business functions of another company, they should do their due diligence and ask for proof that proper safeguards are in place before selecting a vendor. In addition, the hedge fund manager should ask for up-to-date documentation on how the third party maintains strict cybersecurity standards. As a hedge fund manager, you should also check whether the vendor you are considering is listed on FINRA’s website under the Compliance Vendor Directory.

What are regulators looking for?

What are U.S. regulators expecting from hedge funds as far as cybersecurity due diligence and compliance requirements are concerned? Let’s cover the various departments.

Securities & Exchange Commission

As a hedge fund manager, you should start by reviewing the information provided by the SEC at Cybersecurity, the SEC and You. This is an important place to start the cybersecurity readiness for your hedge fund. Here, you can find detailed information on Regulation S-P, Subpart C - Regulation S-ID: Identity Theft Red Flags, and other critical compliance information related to registered investment advisors and their companies. Two other documents that provide detailed requirements, standards, and best practices are (a) Cybersecurity Guidance for Investment Advisers and Registered Investment Companies, and (b) Guidance on Business Continuity Planning for Registered Investment Companies. We recommend that you make sure that your risk and operations departments are aware of and following these documents and compliance requirements.

FINRA

FINRA’s cybersecurity website covers a lot of detail related to cybersecurity and its approach to reviewing hedge funds and their ability to protect their clients’ information. They also review a hedge fund’s adherence to the SEC regulatory requirements. According to their website, “FINRA reviews firms' approaches to cybersecurity risk management, including: technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.” For smaller hedge funds, they provide a cybersecurity checklist. It also covers what a hedge fund manager should do in case of a cyberattack or data breach.

US-CERT - Critical Infrastructure Cyber Community Voluntary Program

US-CERT is the government agency created in the early 2000s by the Federal Government in response to increased cyber attacks. In addition to other activities, their mission includes “responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.” US-CERT is part of the Department of Homeland Security (DHS) initiative to help businesses in the United States adopt the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (the Framework). Hedge funds can find more information about the NIST Cybersecurity Framework on the NIST website; we recommend starting at their FAQ section.

What areas should a hedge fund focus on?

With cyberattacks, data breaches, and other cyber fraud getting increasingly sophisticated, there are some key areas that hedge funds should focus on to prevent the most common types of cybersecurity vulnerabilities. According to leading research, the majority of cyber attacks can be linked to human carelessness and error. These attacks are also the easiest to prevent by following simple but important guidelines. It is highly critical for hedge funds and their employees to adhere to these guidelines thoroughly and consistently in order for them to be effective in preventing cyber theft, cybersecurity breaches and attacks. Although these guidelines might seem strict, it is a lot easier to follow them and prevent a cyber threat than to have to work on cleanup after the fact. To get started, you should focus on the following areas.

Username & Password Protection

Most users tend to use easy-to-remember passwords. This also makes the passwords more susceptible to cyberattacks. Hedge fund managers and their compliance and risk departments should ensure that, in order to mitigate risk, there is a password policy in place that requires complex passwords that incorporate numbers and special characters. It is also important that the password policies set forth by compliance are being followed. There should be regular checks to ensure this. 

In addition, the hedge fund should set a limit on the number of login attempts, and require that passwords are changed at regular intervals to prevent hackers from guessing them and logging into your systems. Most banks have now incorporated two-factor authentication, which requires a randomly generated number in addition to the password for the user to be authenticated and allowed into internal systems. Hedge funds should incorporate similar two-factor authentication.

Use of “remember password” features should be disabled within browsers and other places where applicable. Storing the login information using this feature completely defeats the purpose of having login protection.

User Access Privileges & Controls

Hedge funds should incorporate strict controls on who in the company has access to which systems. This access should be granted at various levels, for example, read-only access, or a more secure read-only access where sensitive information is scrubbed. Hedge fund managers should ensure that these user access privileges are reviewed on an ongoing basis.

Unattended Workstations

If a workstation is left unattended and unlocked, even for a few minutes, it is completely susceptible to someone using it. In most cases, the individual will be able to install malware and/or spyware on the machine using a USB stick in a matter of seconds. We recommend locking your workstation every time you walk away from it. This practice should also be applied to mobile phones, tablets, and other devices that contain or can be used to access highly sensitive business information and data.

Email Attachments

Having the email user open an attachment is the most common way for hackers to install malicious code onto the computer. Most of this malicious code has the ability to propagate within your hedge fund’s internal network and infect other computers and servers. These types of software also email other contacts in the person’s address book, significantly increasing the risk of other workers in your hedge fund being affected by the same malicious spyware, malware or computer virus.

Phishing & Spear Phishing

Phishing is a type of online identity theft used by hackers and other cyber criminals to trick the user into providing sensitive information. This is usually done via email. In a typical scenario, the hedge fund employee will get a seemingly harmless email from a familiar source that they trust, which will ask them to click on a link that takes them to a familiar-looking but fraudulent website. Once there, the user will be asked to confirm login credentials and/or other highly critical personal or financial information, which will be sent to the hacker.

Spear phishing is a more complex type of email-spoofing attack. In a spear phishing attack, the email message will include details and other information that will make the user believe that it is coming from a highly trusted source, like other hedge fund employees or someone in a position of authority, like their manager. In these scenarios, the hacker has usually spent time targeting the employee, and has researched them on websites like LinkedIn or other online sources before sending a highly targeted email.

In both scenarios, the hedge fund employees should be advised not to click on any links within the email and to immediately inform their IT department or the compliance department. Hedge fund IT and compliance should share with their employees examples of real phishing email attempts. Another clever way of ensuring that your employees do not fall for a phishing attack is to send them a phishing email yourself and gauge their response. This will help the hedge fund employee become more vigilant to real phishing emails, and help you identify which employees might need more education and training.

What are simple steps to take to get started?

The liability of securing the hedge fund’s “crown jewels” ultimately falls with the hedge fund manager and their risk and compliance departments. It is a lot easier to prevent a cyber attack than to clean up after your hedge fund has been a victim of a cyberattack. This makes cybersecurity a highly critical responsibility for a hedge fund manager, one that should not be ignored or put on the back burner. 

However, unlike other operational risks, this one requires involvement of all your employees and possibly third-party vendors. Hedge funds using third-party vendors should not simply rely on them to do their due diligence. In fact, they should be proactively asking questions and finding out as much detail about the vendor as possible. If a vendor is unwilling or unable to share critical information and facts, that is usually not a good sign. In addition, we recommend the following simple steps to get you started.

Cybersecurity Policy & Guidelines

If you don’t already have one, compile a cybersecurity policy or guidelines for your hedge fund. Even more importantly, make sure that everyone in your hedge fund understands the importance of cybersecurity and the risks involved due to an attack. This can usually be done by providing education and knowledge material, having regular information sessions where employees can ask questions, and sharing with them examples of current cyberattacks.

Wireless Network Security

Check the wired and wireless network security at your hedge fund. Is your hedge fund securing against a wireless cyber attack? Follow the tips and recommendations provided by US-CERT. For employees using any type of remote access, enable two-factor authentication. Make sure you or someone in compliance understands the risks associated with mobile devices. There is a comprehensive document by US-CERT on mobile security that covers portable storage media like USB sticks, and portable mobile devices like phones and tablets.

Email & Communication

Most common cyber attacks use email to bypass network security and antivirus software installed within your internal network. It is highly important to secure your incoming and outgoing email messages. For starters, be wary of clicking links and opening attachments from anyone outside the hedge fund. Educate your team by sharing examples of real email phishing and other cyberattacks with them, and allow them to ask questions without reservation. Here is a detailed PDF by the US-CERT on Recognizing and Avoiding Email Scams that we recommend you share within your hedge fund.

Portable USB Sticks

As a rule of thumb, we recommend disabling USB support on your workstations. This not only prevents installation of malware and spyware, it also prevents the odd rogue employee from copying your business secrets and other data onto a USB stick and simply walking out with them.
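The following is an added example, not part of the original post: a read-only PowerShell audit of a Windows workstation against the controls recommended in the Username & Password Protection section (complexity, rotation, login-attempt limit) and in this section (USB storage disabled). It must be run from an elevated prompt because `secedit` exports the local security policy, and the numeric thresholds are illustrative assumptions rather than values stated in the post.

```powershell
# Added example (not from the original post): read-only audit of a Windows
# workstation against the controls recommended above. Thresholds below are
# assumptions chosen for illustration, not values stated in the post.
$MinLength  = 12   # assumed minimum password length
$MaxAgeDays = 90   # assumed rotation interval in days
$LockoutMax = 5    # assumed maximum failed logins before lockout

# Export the local security policy and parse the "Name = Value" lines
# (the password and lockout settings live under [System Access]).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$findings = @()
if ([int]$policy['PasswordComplexity'] -ne 1) {
    $findings += 'Password complexity is not enforced'
}
if ([int]$policy['MinimumPasswordLength'] -lt $MinLength) {
    $findings += "Minimum password length is $($policy['MinimumPasswordLength']), expected >= $MinLength"
}
# MaximumPasswordAge of -1 means passwords never expire (no rotation).
$age = [int]$policy['MaximumPasswordAge']
if ($age -le 0 -or $age -gt $MaxAgeDays) {
    $findings += "Maximum password age is $age days, expected 1..$MaxAgeDays"
}
# LockoutBadCount of 0 means unlimited login attempts.
$bad = [int]$policy['LockoutBadCount']
if ($bad -eq 0 -or $bad -gt $LockoutMax) {
    $findings += "Account lockout threshold is $bad, expected 1..$LockoutMax"
}

# USB mass-storage driver: a Start value of 4 means the driver is disabled.
$usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start
if ($usb.Start -ne 4) {
    $findings += "USB mass storage is enabled (USBSTOR Start = $($usb.Start), expected 4)"
}

if ($findings.Count -eq 0) { 'All audited controls are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reads settings; applying the fixes (Group Policy for the password and lockout values, the USBSTOR Start value for USB storage) is a change-managed task for IT and compliance.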

In this post, we shared how you can better prepare your hedge fund against cyberattacks. The cyber threat is constantly increasing, and it is highly important for you to take a proactive approach, and not assume or hope that this will not happen to your firm. The consequences, in loss of reputation and legal liabilities, are almost irreparable and take a long time to recover from.