Hackers are exploiting inherent weaknesses in mature hedge funds on a daily basis, say a security vendor and the chief technology officer of an established fund, leading to huge boosts in cybersecurity spending.
“Hedge funds are being targeted simply because of cash movements where frequent large transfers are normal at a small business that doesn’t necessarily have all the controls in place,” says Jason Elmer, managing partner at Drawbridge, the cybersecurity consultancy.
For smaller funds, cyber threats have become an ever more daunting prospect as hackers become more efficient and the reputational effects of a breach become more severe, believes Elmer.
“We’ve seen it both sides, investors being targeted via a fund that was spoofed – we saw a capital call of $7m that didn’t go out the door – and we’ve also seen the other side where a wire to an investor has gone out with fraudulent transfer requests,” says Elmer.
A CTO of a New York-based hedge fund, who agreed to speak on grounds of anonymity, says that the sector is well aware of breaches and close calls.
“Of course [there are close calls and breaches] and people will be private about those things. The sort of attempts we get on a daily basis are hackers scanning your IPs, trying to find holes and phishing.
“There have been situations where there has been a data breach, and there’s been a full incident response to the point of letting investors know, the SEC knows, the FBI knows – I’ve known two instances of that in the New York area and those are bad situations to be in.
“The worst-case scenario would be getting a call from my CEO or CFO telling me that we’d wired X amount of money to somewhere and someone got access to their email accounts.
“Phishing has always been a problem. Particularly when we see technologies coming out that are specifically looking at adding artificial intelligence; we’ll see a lot more of that over the next three to five years. And even with the amount of technologies we can put in, the end-user is always going to be the weakest link. How can we protect the user? Through education, mandatory training and due diligence,” says the fund’s CTO.
The CTO gives credit to the Securities and Exchange Commission (SEC).
“The SEC was slow to act initially but there were certainly folks like myself who saw the writing on the wall and realised, I don’t want to be the guy who comes into the office and has a breach and sees the fund closed down.
“In the last five years when we began to see things like cryptolockers [where files become encrypted for ransom] the industry woke up. It’s taken time and the SEC has woken up and put a lot of guidance out there and doing risk assessments and readiness programmes at funds and fining them,” they said.
However, Elmer suggests investors are driving a greater focus on cybersecurity.
“Regulators aren’t as much the driver as is the investor community. Frankly, the stepped-up efforts of due diligence teams are actually conducting much more thorough exercises when they’re about to invest in a funds. That’s the biggest driver of our business,” he says.
With both regulators and investors paying closer attention to the security function, the fund’s CTO believes that vendors should be placed under the same scrutiny as his own employees.
“I know many organisations that have VPN tunnels where the vendor of a trading platform, portfolio monitor, or an accounting package has straight VPN tunnels with access to their own application servers.
“We don’t have any VPN tunnels for any of our vendors and they are treated as I would treat an employee with no admin rights, they come in over Citrix and by two-factor authentication,” says the fund’s CTO.
The CTO believes that cyber security budgets have increased “perhaps even fivefold” over the past four years.
“I have to continually evolve in cyberspace and stay abreast. I have to educate myself, talk to peers, talk to new vendors and go to security conferences. I might not stay ahead but I might not fall too far behind what the bad guys are doing,” says the fund’s CTO.