Focus on Funds
Newsletter

Cybersecurity for Hedge Funds: What’s Your Plan?

Hedge funds can’t afford to take a reactive approach to cybersecurity. Data breaches and frauds at financial institutions, investment firms and other financial services providers continue to make headlines at unprecedented rates. So all funds should have a plan for addressing cyber risks.

 

Understand the Problem

In April 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert announcing a cybersecurity initiative. As a follow-up, in April 2015, the SEC’s Division of Investment Management, recognizing that cybersecurity was fast becoming an important issue for Registered Investment Companies and Registered Investment Advisors, issued a cybersecurity Guidance Update geared specifically to those falling into these categories (http://www.sec.gov/investment/im-guidance-2015-02.pdf).

Since April 2014, OCIE’s staff has examined 57 registered broker-dealers and 49 Registered Investment Advisors. Among other things, it found that the vast majority of broker-dealers (88%) and advisors (74%) had experienced cyberattacks — either directly or through a vendor. Many of these attacks (54% for broker-dealers; 43% for advisors) involved fraudulent e-mails seeking to transfer client funds.

Assess Your Risk

The first step in protecting your fund is to identify your specific risks. For example, do you know where your data is? Is it restricted to your in-house network or private cloud server? You might be surprised how much of your data resides on vendors’ and business partners’ networks. And the more points of entry, the greater the risk. So it’s important to map networks, data flows and connection points and to take inventory of hardware and software.

Also consider the risk of human error. Most data breaches result from “social engineering” that takes advantage of weak passwords or that tricks employees into clicking on a malicious link in a fraudulent e-mail. Hackers often use a technique called “spear phishing.” The perpetrator sends an e-mail to a fund employee, purporting to be from the fund’s CEO or another person in a position of authority, and asks the employee to click on a link or wire funds to an offshore account.

Another common technique is “water-holing,” where a perpetrator identifies websites frequented by employees — such as online food delivery or social media sites — and infects them with malware.

Hackers are constantly developing new, more sophisticated techniques, so it’s important to conduct periodic risk assessments.

Establish Policies and Controls

You also should develop a written information security policy (WISP) that outlines your fund’s risks and the security measures it will require — both technical and administrative. Among other things, a WISP should provide for:

• Strong password and other user authentication policies

• Encryption of sensitive data

• Use of firewalls and secure wi-fi

• Segregation of duties

• Controls on physical access to hardware

• An incident response plan in the event of a breach

Training is critical to ensure that employees understand your policies and know the signs of fraudulent activity. To mitigate breaches that inevitably occur, continuously monitor your information systems and consider using intrusion prevention and detection systems that automatically block network traffic from suspected malicious sources.

Finally, take steps to ensure that brokers and other third parties are protecting your data. For example, ask brokers to review WISPs and service organization control (SOC) reports.

Invest in Insurance

Even with the best-laid plans in place, data breaches can still occur. Many companies are adding an extra level of protection by securing cyberinsurance policies. This type of policy is designed to help you contend effectively and efficiently with the fallout of a data breach.

At a minimum, look for insurance that:

• Protects you in terms of your liability for data breaches that occur

• Minimizes regulatory actions and financial penalties against your organization that may result from a breach

• Covers the cost of investigation and forensic experts who may need to be brought in to determine the cause of the breach

• Covers the cost of crisis management initiatives

• Alleviates any burden realized by way of lost income or added expenses due to hardware damage and/or extortion

• Gives you broad regulatory coverage at both the Federal and State levels

Be Proactive

In today’s high-risk environment, the SEC is almost certain to include cybersecurity preparedness in its examinations and investors are likely to scrutinize cybersecurity measures as part of their due diligence. To be best prepared, managers should seek guidance from legal and compliance experts as well as security and cybersecurity experts who can assist with tasks such as penetration testing and vulnerability analyses. Funds that take a proactive approach not only will be safer, they’ll also have a leg up on the competition.
