Hedge Fund Cybersecurity – What’s Changed?

The SEC Cybersecurity Initiative and the Shift in the Arms Race

When it comes to hedge fund cybersecurity, there’s change in the air. For some it’s the mild scent of panic, for others a distinct whiff of paranoia, but for most the air is thick with action.

A risk study by the DTCC (Depository Trust & Clearing Corporation) last year revealed that more than 46% of senior executives at major financial institutions named cybersecurity as the leading concern when it comes to systemic risk factors.

I’ve worked with IT security companies for over a decade; followed the evolution of increasingly sophisticated techniques from phishing attacks and ransomware, through to social engineering and advanced persistent threats, but perhaps the biggest shift in the arms race is that the fight back is now prioritized. By everyone.

Cybersecurity is now a mainstay of modern business. Beyond IT professionals, hedge fund cybersecurity is now a board-level discussion, investors – understandably – care about a firm’s security posture, and government agencies are taking action.

The actions of the Securities and Exchange Commission (SEC) over the last 12 months clearly demonstrate how important the cybersecurity issue is for funds and advisers, not least with the OCIE Risk Alert in September 2015 stating that funds will be increasingly monitored and tested to demonstrate appropriate readiness. That statement of intent was just reinforced in the SEC 2016 Examination priorities.

Funds have been tasked with (and are diligently working towards) creating a strategy that is designed to prevent, detect and respond to cybersecurity threats, document it, implement it, and – following the latest OCIE examination guidance – proactively monitor it and produce evidence on its effectiveness.

This marks a significant turning point for how funds must approach data management, access and controls. What was once considered best practice is now explicit; your ability to monitor and record all access to sensitive information is no longer optional.

Hedge funds may not be super-sized in terms of enterprise-scale IT infrastructure and personnel, but the amount of sensitive data held and the value of their IP is: high-net-worth investor information, proprietary research, investment strategies and trading algorithms all make hedge funds a target for hackers. 2016 is no time to be under-prepared; the time for informal approaches to data repositories, research management, mobile apps and non-compliant consumer tools has come to an end.

In reality, the major financial institutions to publicly suffer high-profile cybersecurity attacks (and the accompanying media attention, reputation damage, financial consequences and legal fees) to date have largely been big commercial and retail banks, not investment management firms. But no one is immune.

Last November, children’s toy maker VTech became the latest to fall prey to a high-profile cyberattack, adding to the growing list that already includes JP Morgan, Evernote, Home Depot, Sony and Target. It’s attacks like these, and their global media reporting, that have served to change the conversation for everyone. Cybercriminal fraud, data theft, insider attacks, cyber-espionage and even cyber terrorism are part of our everyday lexicon; the threat is familiar, the risks are very real and the importance of being prepared is well understood.

So perhaps if 2014 is known as the year of the data breach, 2015 will be remembered as the year we, with a little push from the SEC, planned a response. And 2016? Well, 2016 looks set to be the year of action.