Hedge funds can’t afford to take a reactive approach to cybersecurity. Data breaches and frauds at financial institutions, investment firms and other financial services providers continue to make headlines at unprecedented rates. So all funds should have a plan for addressing cyber risks.
Understand the Problem
In April 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert announcing a cybersecurity initiative. As a follow-up, in April 2015, recognizing that cybersecurity was fast becoming an important issue for Registered Investment Companies and Registered Investment Advisors, the SEC’s Division of Investment Management issued a cybersecurity Guidance Update aimed specifically at firms in those categories (http://www.sec.gov/investment/im-guidance-2015-02.pdf).
Since April 2014, OCIE’s staff has examined 57 registered broker-dealers and 49 Registered Investment Advisors. Among other things, it found that the vast majority of broker-dealers (88%) and advisors (74%) had experienced cyberattacks — either directly or through a vendor. Many of these attacks (54% for broker-dealers; 43% for advisors) involved fraudulent e-mails seeking to transfer client funds.
Assess Your Risk
The first step in protecting your fund is to identify your specific risks. For example, do you know where your data is? Is it restricted to your in-house network or private cloud server? You might be surprised how much of your data resides on vendors’ and business partners’ networks. And the more points of entry, the greater the risk. So it’s important to map your network, data flows and connection points, and to take inventory of hardware and software.
Also consider the risk of human error. Most data breaches result from “social engineering” that takes advantage of weak passwords or that tricks employees into clicking on a malicious link in a fraudulent e-mail. Hackers often use a technique called “spear phishing.” The perpetrator sends an e-mail to a fund employee, purporting to be from the fund’s CEO or another person in a position of authority, and asks the employee to click on a link or wire funds to an offshore account.
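As an added illustration of the spear-phishing pattern just described (example code, not from the original article), the following Python function flags inbound mail showing the signs the text names: an executive’s name paired with an address outside the fund, a redirected Reply-To, and wire-transfer wording. The fund domain, executive roster and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the fund's own mail domain and the executives whose
# names an impersonator would most likely borrow.
FUND_DOMAIN = "examplefund.com"
EXECUTIVES = {"jane doe": "jane.doe@examplefund.com"}

# Cue words typical of a "wire the funds now" request.
WIRE_TERMS = re.compile(r"\b(wire|transfer|urgent(?:ly)?|account number|offshore)\b", re.I)


def score_message(raw: str) -> list:
    """Return the impersonation indicators found in one RFC 822 message.

    An empty list means no check fired. The function does not decide that a
    mail is malicious; it gives a reviewer concrete reasons to look twice.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []
    # 1. Display name belongs to an executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"executive name '{name}' used with foreign address {addr}")
    # 2. Sender domain is outside the fund (covers lookalike domains too).
    if domain and domain != FUND_DOMAIN:
        reasons.append(f"external sender domain {domain}")
    # 3. Replies are quietly redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From address")
    # 4. Body reads like a funds-transfer instruction (two or more cue words).
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = {m.lower() for m in WIRE_TERMS.findall(body)}
    if len(hits) >= 2:
        reasons.append("wire-request language: " + ", ".join(sorted(hits)))
    return reasons


# Constructed samples: one spoofed CEO request, one routine internal mail.
SPOOFED = """From: Jane Doe <jane.doe@examp1efund.com>
Reply-To: jd.ceo.private@webmail.example
Subject: Urgent

Please wire 250,000 USD today to the account number in the attachment.
"""
LEGIT = """From: Jane Doe <jane.doe@examplefund.com>
Subject: Lunch

Board lunch is moved to 1pm on Thursday.
"""
```

Run `score_message(SPOOFED)` to see all four indicators fire, while `score_message(LEGIT)` returns an empty list; in practice these checks sit alongside SPF/DKIM/DMARC enforcement rather than replacing it.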
Another common technique is the “watering hole” attack, where a perpetrator identifies websites frequented by employees — such as online food delivery or social media sites — and infects them with malware.
Hackers are constantly developing new, more sophisticated techniques, so it’s important to conduct periodic risk assessments.
Establish Policies and Controls
You also should develop a written information security policy (WISP) that outlines your fund’s risks and the security measures it will require — both technical and administrative. Among other things, a WISP should provide for:
• Strong password and other user authentication policies
• Encryption of sensitive data
• Use of firewalls and secure wi-fi
• Segregation of duties
• Controls on physical access to hardware
• An incident response plan in the event of a breach
Training is critical to ensure that employees understand your policies and know the signs of fraudulent activity. To mitigate breaches that inevitably occur, continuously monitor your information systems and consider using intrusion prevention and detection systems that automatically block network traffic from suspected malicious sources.
Finally, take steps to ensure that brokers and other third parties are protecting your data. For example, ask brokers to provide their WISPs and service organization control (SOC) reports for your review.
Invest in Insurance
Even with the best-laid plans in place, data breaches can still occur. Many companies are adding an extra level of protection by securing cyber insurance policies. This type of policy is designed to help you contend effectively and efficiently with the fallout of a data breach.
At a minimum, look for insurance that:
• Protects you in terms of your liability for data breaches that occur
• Minimizes regulatory actions and financial penalties against your organization that may result from a breach
• Covers the cost of investigation and forensic experts who may need to be brought in to determine the cause of the breach
• Covers the cost of crisis management initiatives
• Covers lost income or added expenses resulting from hardware damage and/or extortion
• Gives you broad regulatory coverage at both the Federal and State levels
In today’s high-risk environment, the SEC is almost certain to include cybersecurity preparedness in its examinations and investors are likely to scrutinize cybersecurity measures as part of their due diligence. To be best prepared, managers should seek guidance from legal and compliance experts as well as security and cybersecurity experts who can assist with tasks such as penetration testing and vulnerability analyses. Funds that take a proactive approach not only will be safer, they’ll also have a leg up on the competition.