The State of Cybersecurity in the Hedge Fund Industry
Banks, investment firms, and other financial services institutions aren’t new to the scourge of cybercrime. However, in recent years, cyberattacks targeting this sector have become more frequent, sophisticated, and destructive.
In 2017, the G20 warned that cyberattacks could “undermine security and confidence and endanger financial stability.”
In 2021, Chase Bank, Morgan Stanley, Robinhood, and several other financial institutions suffered data breaches or were targeted by phishing campaigns.
In November 2021, the FBI warned that ransomware actors were using significant financial events and publicly available stock-market information, such as upcoming mergers and acquisitions, to inform their targeting and extortion of victims.
Current geo-political tensions have only amplified the risks and heightened the probability of targeted attacks on such institutions. Right now, many U.S. hedge fund firms are preparing for the possibility of Russian cyberattacks.
Finally, Agio’s 2022 Hedge Fund Cybersecurity Trends Report surveyed over 100 hedge fund practitioners about their cybersecurity readiness and strategy. It found that while just under a quarter of respondents (22%) saw the frequency of cyberattacks rise over the last two years, more than half (51%) reported that the time and resources required to resolve successful attacks had increased.
And while 78 percent of respondents said attack frequency stayed about the same or decreased over that period, firms that manage their cyber programs internally were twice as likely to report an increase in attacks (39%) as those that outsource some or all of their program (19%).
In this article, we’ll consider the forces in play that require hedge fund firms to bolster their cybersecurity posture and look at some strategies they can adopt to build their resilience.
A Ripple Effect
The investment industry is deeply intertwined with the rest of the financial services sector and the wider economy. This means that if one part breaks or fails, the repercussions can negatively impact other players and the citizens they serve.
For example, should the payment or settlement infrastructure a market depends on be taken offline by a cyberattack, trading and settlement would grind to a halt. If clients’ payment details and account data fall into the wrong hands, they can be used to monitor private transactions or to move money out of accounts.
For hedge fund firms, any breach could result in days or weeks of downtime, unquantifiable future revenue lost due to reputational damage and client attrition, not to mention the lawsuits and fines that might follow.
The Long Arm of the Law
Staying on the topic of legalities, regulators are taking a strong interest in understanding and assessing investment firms’ resilience to cyberattacks.
Until recently, they’ve stopped short of adopting a highly prescriptive approach to regulating cybersecurity in this sector, given the pace of technological innovation (both in terms of the types of threats and available protections).
Historically, regulators have taken different approaches to address cybersecurity concerns. Some have focused on management strategies to address cyber-threats, such as information security policies, risk assessments, employee awareness/training interventions, and business continuity planning. Others have taken a more principle-based approach, covering cybersecurity as part of firms’ broader conduct requirements and obligations.
But all this looks to be changing. In a significant recent development, the Securities and Exchange Commission (SEC) proposed new cybersecurity rules governing how registered investment advisers and funds, including those managing private equity and other private capital, manage cyber-risk.
In a statement, SEC Chair Gary Gensler noted that “Cyber-risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets. The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”
So, what will the proposed measures mean for this sector if they are adopted? Essentially, they would require registered investment advisers (RIAs) and funds to adopt and implement written cybersecurity policies and procedures (often called Written Information Security Programs, or WISPs), to report significant cybersecurity incidents or suspected incidents to the SEC confidentially and within 48 hours, and to disclose significant cyber-incidents in adviser brochures and fund registration statements.
Strategies for Building Cyber-resilience
Given the severity of both the threat posed by cyberattacks and the consequences of falling foul of regulations, hedge fund management companies and other investment institutions need to put cybersecurity firmly on the boardroom agenda.
The first step in such a strategy should focus on identifying the firm’s most mission-critical assets. In a recent paper, The Hedge Fund Journal referred to these as the company’s “crown jewels.”
The Hedge Fund Journal lists some of the “critical” assets such firms will typically hold:
Of course, what is deemed “most valuable” will vary significantly depending on the type of business the firm is engaged in. For instance, the performance and availability of a customer mobile banking app will be critical to a retail bank. An institutional asset manager would be more likely to place a premium on protecting their proprietary trading algorithm, trading book, or the personal details of their high-net-worth clients.
Once investment firms have pinpointed where they need to focus their cybersecurity efforts, there are several levers at their disposal to build their defenses. Our recommendations include:
- Develop, implement, communicate, and enforce cybersecurity policies and procedures.
- Create a communications plan so that you can meet the proposed 48-hour deadline for reporting significant incidents to the SEC, and notify your clients and any other regulators or advisory bodies of a breach or suspected breach as required.
- Review, test, and, if necessary, update your incident response, business continuity, and disaster recovery plans.
- Engage a reputable cybersecurity consulting partner to undertake a risk assessment aligned to industry frameworks – all hedge fund managers need to ensure they have a trusted adviser in this space.
- Implement employee cybersecurity awareness training.
- Undertake regular Dark Web scanning and penetration testing.
- Invest in cybersecurity software designed specifically with financial services industry operations in mind.
In order to start building a quality cyber-defense capability, firms should begin with the following three steps:
- Periodic assessment of the sensitivity and location of information, technology systems, internal and external threats, security controls, the potential impact of breaches, and the effectiveness of governance arrangements
- Development of a strategy to prevent and detect cybersecurity threats
- Written policies and procedures, backed by training
Cybersecurity is a multi-faceted challenge that requires a multi-pronged approach. As in any industry, cybersecurity in investment banking and hedge fund management isn’t a one-off exercise. It requires thought, focus, and ongoing effort to stay on top of evolving threats (and the regulatory landscape) and to adapt your cybersecurity strategy accordingly.
RyanEyes – a Second Set of Eyes for Your Financial Services Organization
RyanEyes provides software solutions to the asset management industry, including hedge funds, private equity funds, and buy-side firms, to provide transparency, automation, and actionable insights.
Hedge fund managers trust our software and consulting services to help them meet the new requirements of regulators and investors and give their IT teams the ability to streamline their operations.
Our software ties to clients’ core asset management software to deliver a new level of information across the front, middle, and back offices, including research, trading, accounting, and compliance solutions.
With us, you can:
Improve Risk Management
We integrate with your accounting and trading systems to deliver up-to-date risk exposure reporting. In addition, to provide “single pane of glass” business intelligence (BI), RyanEyes integrates with R, Power BI, SQL Server, PostgreSQL, and Hadoop. This allows fund managers to evaluate risk and positions quickly and easily.
Enhance Portfolio Management and Trading Insights
RyanEyes provides the position, risk, and other data critical to every fund’s operation and risk management strategy. Our software captures, records, and applies activity to produce an accurate portfolio valuation instantly.
Monitor Activity and Transactions for Accounting
RyanEyes will generate an independent, auditable, and accessible book of records from the Geneva source data. The software delivers complete, accurate, and timely information and visualization to support accounting, trading, compliance, and overall fiduciary oversight, as well as other critical investment management functions.
Schedule Tasks and Streamline Jobs
RyanEyes tracks any workflow that an asset manager performs. Schedule tasks and workflows that integrate with automated jobs and outside third parties. The solution monitors operation workflows and tasks across all systems of your firm, including email, reconciliation, trading, and accounting systems. Whether monitoring emails, transmitting files to counterparties or integrating with data providers, including Bloomberg, RyanEyes employs a workflow to track them all.
Create Checklists to Manage Critical Tasks
In addition to monitoring operations workflows and tasks across your firm’s systems, RyanEyes generates checklists to manage critical “to-do” items and prioritize activities.
Meet Compliance Requirements
The RyanEyes compliance solution works with your accounting solutions, including Geneva, your portfolio management systems, and other external data sources. The rules are customizable so that you monitor and collect relevant data. The reports for specific regulations are configurable to provide you with the insight you need in a timely manner. We can also generate customizable dashboards to monitor your organization’s compliance in real time.
To Learn More About Choosing a Data Protection or Compliance Solution for Your Organization – Contact Us, We Are Happy to Help – 1 (347) 759 0105.
You Can Also Fill Out Our Contact Us Form to Talk with a RyanEyes Consultant – https://www.RyanEyes.com/contact-us/