Risk, reputation and regulation: keeping hedge fund IT systems secure

Hedge fund managers can no longer focus solely on performance; regulation is increasingly in their sights.

Since the 2008 financial crisis, governments have focused on regulations in an attempt to rein in the “too-big-to-fail” banks, resulting in the likes of the Dodd-Frank Act and the Markets in Financial Instruments Directive (MiFID II). Fund managers must demonstrate to investors not only that they are achieving best execution through transaction cost analysis, but also that they are compliant and have processes in place to protect clients’ data.

Many of the regulations with which hedge fund managers must comply have their roots in good cyber security, which ultimately boils down to risk management.

Unfortunately, as both businesses and consumers have demanded technology to be omnipotent, omniscient and omnipresent, security has often been an afterthought. This has resulted in vulnerabilities in the current technology, which attackers are exploiting. Until there is security in design this will continue to be a risk; there is little sign of that changing.

Hedge fund managers stand or fall by their reputation. Investors need to be certain their money will be safe and the hedge fund will provide a healthy return on it. Any sense that this is not the case will lead clients to pull their investments, which could result in the manager having to unwind positions or even close the fund. A cyber incident could be the catalyst that triggers this reputational damage.

Such reputational damage is much more likely if a cyber attack results in investors’ data being stolen or an incident such as a ransomware attack shuts down trading systems, resulting in orders being executed too late or not at all. In either case, to limit reputational damage, hedge fund managers will have to explain to investors why this happened and what they are doing to prevent it from happening in the future.

What the regulators require

There is also intense pressure from regulators for hedge fund managers to have strong cyber-security practices. The UK Financial Conduct Authority covers this in its Principles for Businesses, notably Principle 3 (Management and Control), as well as in the Senior Management Arrangements, Systems and Controls (SYSC) Sourcebook. Areas covered include the regular review of systems and controls and risk-centric governance arrangements.

The U.S. Securities and Exchange Commission (SEC) offers guidance and advice through the Cyber Security Examination Sweep Summary, which provides a summary of areas on which to focus, as well as the Investment Management Cyber Security Guidance. The SEC’s Office of Compliance Inspections and Examinations, which looks into how financial institutions are adhering to regulations, highlights cyber security as one of its six pillars for 2019’s National Exam Program.

Generally speaking, the elements regulators are looking for include the proper configuration of network storage devices, information security governance, and policies and procedures related to trading information security.

There are a number of frameworks that hedge fund managers can use to show to both customers and regulators that they have excellent security credentials in place: ISO/IEC 27000 series, NIST, and SOC 2 to name just a few. All of these offer best practice guidelines to help manage cyber-security risk.

Overcoming the risks

The UK National Cyber Security Centre (NCSC) has previously highlighted the top five cyber-security risks for businesses:

Insider risk: Businesses face a significant cyber threat from their own employees, whether through accidental or malicious actions. For instance, an administrator could erase a company’s entire database and back-ups, for whatever reason. This can be addressed through tighter controls and monitoring.

Email attacks: Phishing, where an employee engages with a malicious email attachment or link, continues to be the source of many cyber attacks. Staff should be trained in what to look out for and how to respond.

Patching: Critical business systems need to be patched (updated) on a regular basis in line with the provider’s minimum recommendations. Any new applications need to be tested to ensure they are released “Secure by Design”.

Third-party risk: Keeping up with the changing threat landscape is critical for minimising risk. For instance, the focus on perimeter security will not defend an organisation in the age of mobile devices, cloud computing and software as a service. In our increasingly interconnected lives, the threat can now come from third parties. It is possible to manage this risk through onboarding procedures, risk identifications, peer and industry comparisons and continuous monitoring.

Improve authentication methods: Businesses need to improve their authentication methods, as many data breaches are the result of stolen credentials. This means more than just having a strong password; effective password management policies and multi-factor authentication are also essential.

Aside from these risks, what separates hedge funds from other sectors is that cyber criminals are specifically targeting them with highly sophisticated cyber attacks. These are more successful because cyber criminals carefully research the specific organisation, finding weaknesses to exploit based on how the business operates. They can then use this information to infiltrate the network more easily and find what they are looking for more quickly, and will be more effective at evading detection.

Hedge fund managers therefore need security precautions that are going to defend against targeted attacks, which is not feasible by simply relying on “one-and-done” endpoint and perimeter security solutions, where elements such as firewalls and anti-virus are installed and left to do what they do. Instead, they need integrated solutions that are regularly monitored and, if necessary, supported by a team of cyber-security experts to ensure nothing is missed.

Perhaps the best way to defend a network from a cyber attack is to have continuous visibility of, and understand, what is going on within it at any particular point. This is very hard to do internally; many companies (including hedge funds) therefore outsource this capability to a third party which has a security operations centre delivering managed services. A successful security operations centre should carefully integrate security, network and performance management into one system, delivering managed services such as: vulnerability intelligence, log management, behavioural analytics, endpoint detection and response, third-party risk management and incident response. All of these will be fully monitored 24/7, 365 days a year by a team of highly skilled cyber experts.

Originally published by Thomson Reuters © Thomson Reuters.