Mitigating risk, whether financial, operational, legislative or non-compliance risk, is at the top of most hedge funds’ priority lists. To help firms address these challenges and brainstorm effective solutions, RFA hosted its second regulatory challenges lunch series, this one focused on risk management in the alternative investment industry. Over the last week, RFA UK Managing Director George Ralph met with a group of hedge funds over lunch at Claridge’s in Mayfair to discuss their top concerns about risk management and regulation. Today on the blog, we recap the top takeaways from the event.
Cybersecurity remains at the top of most hedge funds’ priority lists when it comes to IT risk management. However, all the cybersecurity safeguards in the world will not protect a firm against a rogue, forgetful, naïve or absent-minded employee. The Department for Business, Innovation and Skills recently surveyed firms and found that 57% of those surveyed had suffered a staff-related breach. As a result, developing new and innovative ways to train employees on cybersecurity best practices is becoming ever more important.
Educating hedge funds about cybersecurity policies in a way that is neither patronizing nor boring is incredibly challenging. Today’s cyber attack methods are so stealthy that they can trick even the most well-educated employees. Many employees simply assume that they are too smart to fall prey to a cyber scam, and as a result messages about cybersecurity best practices fall on deaf ears. For example, during the series one guest mentioned a malware scam in which USB drives were “lost” in a firm’s car park. This commonly used technique is known as “baiting”, and despite widespread and repeated warnings about malware and cybersecurity threats, a number of staff admitted that they would insert such a drive without hesitation to see what was on it. Coupled with this threat is BadUSB. Brought to the world’s attention last year, BadUSB is a cyber attack method that is virtually undetectable and unpatchable. In a BadUSB attack, the USB device’s firmware is reprogrammed with malicious code and the device attempts to infect anything it is plugged into. The malicious firmware can even impersonate a keyboard and issue data-stealing commands, so not only is the machine infected, it is also leaking potentially sensitive data.
Friday afternoon “fraud” is growing. It is a type of attack in which employees, typically senior executives, are targeted by email and even phone calls. These communications appear extremely genuine: they provide lots of background information and ask for details that will enable the fraudsters to access bank accounts, or even con the employee into transferring the money themselves. While hedge funds may balk at the thought of such an attack happening to them, at the end of a long and stressful week, with a credible-sounding person on the other end of the phone, a major security breach becomes far more likely. Earlier in the year, the CFO of London-based Fortelus Capital Management was the victim of a highly targeted spear phishing attack and lost over a million US dollars in addition to his job.
There are many ways hedge funds can mitigate some of this cyber risk. Throughout the series, the idea of random testing was discussed. In this type of exercise, a hedge fund’s employees are targeted by someone on the inside using commonly seen spear phishing emails, phone calls or baiting techniques. The exercise helps gauge how prepared a hedge fund’s employees are for a real attack. Employees who mistakenly click on the suspicious test link can be shown an on-screen warning to help prevent them from making the same mistake in the future.