Cybersecurity threats are diverse, ranging from government-sanctioned and well-resourced institutions to sophisticated criminal enterprises and disillusioned employees. Most breaches can be averted by following best practices. Others are wholly unavoidable irrespective of the systems or technology that fund managers have at their disposal. Institutional investors need to be cognizant of the threats facing their hedge funds and scrutinize them accordingly.
Core issues
The general approach among most hedge funds toward cybersecurity is following the guidance and risk alerts issued by the Securities and Exchange Commission (SEC) or other relevant regulators. The SEC guidance is useful and must be recognized, but it should simply be used as a starting point by managers and investors. The same applies to guidance issued by the Hedge Fund Standards Board (HFSB) and the Alternative Investment Management Association (AIMA).
Investors need to ensure they review and even test the policies, procedures and business continuity (BC) plans for cyber-incidents at their hedge funds on an initial and ongoing basis. Investors should verify that managers have powerful firewalls; grant employees access to sensitive or confidential data only on a permissioned basis; undertake due diligence on external contractors; require password protection on desktops and laptops; have a company policy on external Wi-Fi usage; use encryption or password protection when sensitive information is emailed; and have a company policy on tablet and mobile phone use. All of these should be considered by investors.
Vulnerabilities at hedge funds have been exposed despite the commonly held belief among some fund managers that they are too inconsequential and small to attract the attention of cyber-criminals. This is a fallacy. Many breaches are not reported. One hedge fund was cold called by an individual masquerading as the company’s bank, who convinced the chief financial officer (CFO) that there had been a fraud attempt on the hedge fund’s bank account. The CFO duly handed over details of the bank account, only to discover the following week that $1.2 million had been stolen from the fund.
Cyber-criminals have also stolen code from algorithmic traders to profit from the theft of intellectual property or to blackmail the affected organizations. Hackers could even gain access to portfolio trading systems and override risk controls, which could have catastrophic consequences.
But it is not just hedge funds.
Cybersecurity at service providers is also under scrutiny and is something that the SEC has flagged. Hedge funds and their clients must conduct due diligence on any service provider holding sensitive data to establish whether its cyber-protections are suitably robust. A provider offering third-party fund administration will possess investors’ data, and investors need to be assured that it is safe and well protected.
Again, investors may want to review whether information supplied by administrators to managers is transmitted through encrypted channels rather than as an electronic PDF or in unencrypted email. This should apply to any external provider hosting or in possession of sensitive client data, such as lawyers, auditors and directors. A number of hedge funds will work with individual directors who may not even possess virus protection or secure email systems. Investors must scrutinize these situations and insist on improvements being made if cybersecurity at external providers is wanting.
Getting the basics right will mitigate most threats. That being said, some threats are simply so sophisticated and powerful that not even the most well-protected institutions can prevent them. In this situation, damage limitation is crucial, and one way this can be achieved is through purchasing cyber-insurance, an increasingly lucrative market. Investors must check that their managers have some sort of insurance policy; otherwise the costs of any breach could be significant, not to mention the possible regulatory or civil penalties.
Having the right insurance is key, and investors need to take a deep dive into the coverage policies to make sure their fund managers buy the correct insurance. One U.S. lawyer acknowledged that cyber-insurance pricing does not vary much, although the devil is in the details of the policies, and that external counsel should be used to identify any potential shortcomings.
Insurance policies should cover all types of breaches and any subsequent regulatory action that may follow. Coverage should also enable managers to conduct forensic analysis on the origin of any hack and subsequent IT repairs. This is something investors should check.
Cyber-attacks are a growing threat, and institutional investors need to be vigilant and scrutinize their fund managers thoroughly about their safeguards against such breaches.
About the IMDDA: Investment Management Due Diligence Association is an organization singularly focused on both investment management and operational due diligence. Started by investment industry professionals, the IMDDA’s mission is to work with the investment management community to set the standards for due diligence around the globe. The IMDDA provides a forum for interaction among peers to share ideas and learn from each other while developing extensive curriculum and standards for due diligence professionals. Learn more at www.imdda.org