In the summer of 2015, Fortelus, a British hedge fund, lost over £740,000 after its Chief Financial Officer, Thomas Meston, fell victim to an attack. The scammers posed as bankers from Coutts, the hedge fund’s banking partner, and told Meston that they had detected fraudulent activity involving the hedge fund’s account. They prompted Meston into revealing sensitive information, which was later used to steal the funds from Meston’s firm. While a stark example, this case is by no means unique. With $395 billion in assets under management, London is home to the second-largest accumulation of hedge fund wealth in the world. As a result, this hedge fund community has been a lucrative target for cyber criminals. In fact, recent reports state that the UK suffers from 120,000 cyberattacks each day.
Between proprietary trading algorithms, exclusive market research, and private investor information, hedge funds are the custodians of highly sensitive material. Keeping this data secret is essential to preserving a competitive edge in the market and, with it, investor confidence. Simon Rozario, Chief Information Security Officer at Capital Support Ltd., has warned:
“As a hedge fund, you are naturally responsible for storing data of highly sensitive and private nature, including the confidential financial information of clients. With access to this information, a cyber-criminal could earn his or herself a huge profit – thus making hedge funds an extremely likely target for cybercrime.”
Given such high stakes, hedge funds should be actively addressing their cyber vulnerabilities — and yet, most aren’t.
While cyberattacks on hedge funds have varied in their type and level of sophistication, most have fallen into a few general classes. The most common have been spear phishing emails. These cleverly written messages have lured senior executives and traders into inadvertently completing fraudulent financial transactions or divulging sensitive information. Many of these harmful emails contain malware that can infect computers and grant hackers a range of capabilities, including control over computers and access to sensitive information. BAE Systems Applied Intelligence recently disclosed that one of their clients, an unnamed American hedge fund, lost millions of dollars after hackers installed software designed to steal trading secrets.
Around 88 percent of broker-dealers and 74 percent of their advisors have stated that they have been subject to direct- or vendor-based cyberattacks, according to a study by the Securities and Exchange Commission. Malware and fraudulent emails can result in trading algorithm theft, denial-of-service attacks, research data breaches, and even a direct loss of money.
The cumulative effects of these attacks have started to add up. Between fines imposed by government regulators on firms with poor cybersecurity practices, incident response expenses, and time lost trading due to downed systems, hacks and breaches have cost the UK economy as much as £34 billion a year. A trend towards more regulation means that future costs may even increase, as fines as high as £500,000 could begin to be imposed by the Information Commissioner’s Office on firms with inadequate cybersecurity practices.
A Way Forward
It is much wiser and more cost-effective in the long run for hedge funds to invest in preventative cybersecurity measures and to preempt attacks before they happen. But what does adequate cybersecurity look like, and how can hedge funds begin to close their security gaps?
The most basic step firms can take is to arm their employees with awareness. Funds should provide training that addresses common vulnerabilities, exploits, and bad practices so that everyone working there knows what to avoid doing, how to avoid it, and why. This is perhaps the single best defense against common exploits like spear phishing.
Next, it is important to get technical. Make sure the structure and function of the fund’s network defenses are well planned. Know what devices are on the network, how they communicate, and who has access to them. Find out if security settings or company standard operating procedures have opened up any security gaps. Keep an eye on the kinds of traffic transiting the fund’s network to be able to identify anomalous, and potentially malicious, behavior when it occurs. Regularly testing the security features in place and simulating attacks from would-be hackers can also help a lot.
There are, of course, many more measures that can be taken. Which are most appropriate is always a function of how seriously a hedge fund takes its security and of its unique risk profile. While the best-designed security strategies can involve complex procedures and protocols, they all start with simple, common-sense measures that are carefully built upon with tools and practices customized to specific needs.
It’s not difficult to address cyber vulnerabilities before they are exploited at a potentially high cost to the firm. All it takes is getting the whole team on board. With a well-thought-out, comprehensive cyber plan in place, hedge funds can reclaim the peace of mind that lets them safely focus on doing what they do best.