Today on the blog, learn ten reasons why cybersecurity should be at the top of every hedge fund’s priority list.
Research undertaken by PricewaterhouseCoopers for their 2015 “Global State of Information Security Survey” found that only 25% of directors are actively involved in reviewing security and privacy risks and the Ponemon Institute found that only 24% of respondents say that their security leader briefs the board on cybersecurity strategy. Cybersecurity is shifting from a CTO and IT problem, to an enterprise-wide concern which, if not already on the agenda, should be making it onto the board meeting agenda of every hedge fund and alternative investment firm. Here’s why:
One: Hedge funds are privy to highly sensitive client data.
Hedge funds and other alternative investment firms hold large amounts of data about their clients; sensitive financial information and personal details which make them a prime target for cyber attacks. Whilst the sector stays tight lipped about cyber breaches, for obvious reasons, there have been many reports in the press about unnamed firms being targeted by hackers from the Ukraine, Russia, Estonia and Bulgaria, primarily. These hackers understand how valuable personal information about high net worth individuals and corporate investors can be, when used in spear phishing and extortion attacks.
Two: Intellectual property gives hedge funds a competitive edge.
Hedge funds are reliant on data to plan and execute trades. A fund’s intellectual property, trading strategies, market intelligence and trading algorithms give them a critical edge over the competition. Hackers can hold firms to ransom over this information or can profiteer by selling intelligence to competitors.
Three: Distributed Denial of Service (DDoS) attacks can cost millions.
DDoS attacks are becoming more prevalent, with unexpected outages occurring regularly in the financial sector. BT research from 2014 suggested that DDoS related outages had been experienced by over 41% of businesses globally, causing major disruptions for firms. BAE Systems reported an attack on a large hedge fund last year, which disrupted trading by several hundred microseconds. It sounds insignificant but it can make a big difference to the profitability of a trade.
Four: Fraudulent trading activity
Some funds have been unlucky enough to be the victim of cyber attacks where systems are compromised and fraudulent trades or transfers are made. In a recent blog post I mentioned Fortelus Capital, whose unfortunate Chief Finance Officer was caught by a highly target spear phishing attack which ended with some fraudulent bank transfers that cost the firm almost three quarters of a million pounds, and cost the CFO his job. It is important to remember that cybersecurity attacks do not just come from outside the organisation. Many happen from within, so the vigilant firm is one which guards against both external and internal attack.
Five: There could be financial penalties for not meeting cybersecurity and data protection regulations.
The choice of whether to do anything about the growing cyber threat has been taken away from most firms, with the arrival of new and powerful regulations, such as the Data Protection Act, Network and Information Security and General Data Protection Regulation in Europe, penalise firms for non compliance, and for risking the security of personal data. The US does not have such clear legislation around cybersecurity and data protection, but the Gramm-Leach-Bailey Act of 1999 encompasses data protection and is applicable today from a cybersecurity perspective. With governments getting wise to the very real threat to industry that cybersecurity poses, firms could face significant financial penalties for non-compliance.
Six: Loss of reputation could be catastrophic.
A more terrifying prospect to most hedge funds than losing money in a one off event, or fine, would be the potentially devastating damage to the firm’s reputation, should a data breach occur. The industry is notoriously opaque where cybersecurity breaches are concerned, but word does get out and a data breach or system infiltration would put off many potential investors. If news spread, a firm’s reputation could be irreparably damaged.
Seven: Cybersecurity is an ongoing and continually moving landscape.
For the board that believes they can implement a cybersecurity strategy, tick it off the list and forget about it, I have some news; the landscape is continually changing, new threats are emerging on an almost daily basis and all businesses are at risk. CYREN’s 2015 Cyberthreat Yearbook report found that successful cyber attacks on businesses of all sizes increased by 144% over a four-year period.
Eight: Understand the threats.
Segueing nicely from my last point, I would advise that firms keep abreast of the latest threats and adapt their cybersecurity strategy accordingly. Threats come in all manner of guises, from user focused social media based threats, mobile device malware, phishing and ransomware, to attacks which strike deep in the heart of a firm’s infrastructure, such as the critical Xen Hypervisor bug, identified by the Xen Security Team as one of the worst hypervisor bugs ever. Defences need to be multi-layered and encompass the perimeter, end points and make modifications to user behaviour in order to have a chance of success against the sophistication of cyber criminals.
Nine: Understand the vendor landscape.
Hedge fund boards need to be aware of the vendor landscape out there to know what layers of protection are available and whether services are protected to the level that is required, both to meet legislative requirements, but also to adhere to best practice for the investment sector. Some cloud providers for example, are not providing services which meet cybersecurity regulations, and this could be flagged if it was reviewed by C Level board members who are not just from the technology team. The Chief Compliance Officer will have an eye for different details to the Chief Finance Officer, and to that of the Chief Executive.
Ten: Give your firm a competitive edge.
The flip side of investors avoiding firms where data security has been compromised is that firms which demonstrate a robust cybersecurity strategy that goes over and above the usual market standard, will gain a critical competitive edge over the rest of the market. In a fiercely competitive sector, where every advantage helps, and it is more and more difficult to attract investment, cybersecurity ticks many boxes.