Threats go way beyond simple theft of client information — Can you fend off a big heist?
Recently, the government identified hedge funds as a “weak link in the U.S. financial system’s defense against hackers and terrorists.” The messenger was no less than John Carlin, head of the Justice Department’s National Security Division, speaking at this year’s annual SALT hedge fund conference in Las Vegas. Since then, there have been reports that some of the biggest names in asset management and banking were affected by cyber-attacks. It is, in fact, a Who’s Who of asset managers, banks, and brokers.
This February, the SEC’s summary of its cybersecurity sweep has revealed that over three-quarters of the 100 brokers and advisers examined were subject to cyber-attacks, directly or through third-party service providers, even though upward of 80% of broker and adviser firms have implemented cybersecurity policies. The SEC followed up with guidance in April, making it clear that it intends to conduct more exams of advisers. These exams will be “more substantial,” with longer onsite visits and sit-down meetings with senior management.
Yet for all the heartburn caused by these SEC examinations, they seem to be only scratching the surface when it comes to the types of cyber-threats confronting hedge funds.
The SEC notes that it is focusing on protecting “client assets” by reviewing security measures such as password storage and the vetting of third parties. Those kinds of questions and exam goals indicate that the SEC is mostly interested in protecting against the theft of client data and information. But those are by no means the only potentially damaging threats faced by investment advisers nor are they the only ones that can impact investor assets.
As Carlin pointed out in his comments, hedge funds are a particularly desirable target for criminal cartels, foreign governments, and militaries around the world, basically anyone seeking profit, disruption in financial systems, or both. Hedge funds have valuable and vast assets, including their trading strategies and trades, as well as algorithms, in addition to those the SEC is worried about. Hedge funds are also easier to hack than banks, which have recently reinforced their cybersecurity defenses and, unlike most hedge funds, have teams available to handle the threats.
All hedge fund managers and investment advisers should therefore question how effective their cybersecurity controls are in light of the following real threats posed by cyber-criminals:
- Hacking and stealing your strategy and algorithms. They will use your own and your employees’ handheld and portable devices, social media posts, and blogs, for phishing and otherwise hacking your internal systems. They will use high-frequency trading algorithms to steal your proprietary trade information in order to front-run you or otherwise engage in manipulative trading. They will steal and use your algorithms to replicate your strategy.
- Blackmailing and extortion. They will hack and encrypt your data, and blackmail you for payment in return for your data. The Department of Justice is reportedly working with several hedge funds on just such cyber-extortion cases, as Carlin remarked.
- Corrupting your data and crippling your trading process: They will use a form of malware that will intentionally distort or change data, making information unreliable at best or useless at worst. Perhaps even worse, the corruption of proprietary algorithms used to make investment decisions could go unnoticed for some time. In that event, advisers and their clients face losses, regulatory action, and reputational damage following the disclosure – likely mandatory — of such an incident.
- Wiping your data: Perhaps the most dreaded of all attacks: hackers have repeatedly demonstrated their ability to literally wipe servers clean of data. Victims are left scrambling to reconstruct files either from scattered data backups or even paper records. This process is extremely laborious and time- consuming, and is not guaranteed in any way to completely restore records. In fact, this type of event is virtually guaranteed to put a broker/dealer or investment adviser out of business, as the reputational damage alone will likely be catastrophic.
- Disrupting your operations: Too many companies take for granted the availability of their information technology systems. And, when those systems fail, managers tend to assume a technical fault that can be resolved quickly. As the cyber-attack on Sony Pictures proved, however, any company can be paralyzed by the deliberate introduction of malware, which also happened in 2013 to a large hedge fund. A well-crafted attack can render a company unable to do business for months at a time. Unfortunately, the tools and skills needed to conduct such an attack against you are readily available across the globe.
The key takeaway is this: just focusing on making sure hackers don’t break into accounts to steal investor information is not enough. There are many other ways hackers can wreak havoc, and the financial industry has to be prepared to respond to that wide variety of scenarios.
Stay tuned for our article on tips to prevent, detect and respond to cyber-attacks.
Ildiko Duckor is a partner and co-head of Pillsbury Winthrop Shaw Pittman LLP’s Investment Funds and Investment Management Practice. She specializes in hedge funds. She can be reached at firstname.lastname@example.org or 415-983-1035.
Brian Finch (@BrianEFinch) is a partner in Pillsbury Winthrop Shaw Pittman LLP’s Public Policy Practice. He specializes in cybersecurity. He can be reached at email@example.com or 202-663-8062.