Cyber security for hedge funds
By Matthew Martindale, Director, KPMG
Published: 15 December 2014
According to the latest KPMG Business Instincts survey, under-investment in technology over the past six years has left many C-suites fearful that they are vulnerable to some form of cyber attack. Proactively managing cyber risk has become a key consideration for C-level executives with as many as one in three senior executives saying that investing in cyber skills to protect their business is now their major concern. Little wonder when the front pages of newspapers scream headlines about Heartbleed or Shellshock vulnerabilities. Every day we hear of new vulnerabilities, attacks and incidents which undoubtedly leave leadership teams wondering what they really need to do, how much is really enough and who they can trust to help them get it right.
What is cyber security?
Cyber security is about understanding the risks of doing business in our modern world, wherever a business is in its life cycle. As our economy becomes increasingly digital, so does crime. Attackers are using sophisticated means to achieve one of a number of very old objectives: theft, subversion, sabotage or espionage.
Take a moment to go back to the 1920s when John Dillinger and his fellow gangsters were ruling the streets of Chicago. They simply marched through banks’ front doors with guns in hand, stole thousands of dollars and then walked out. Now fast forward to the early twenty-first century. Something very similar is happening today in cyber space, but now the weapon of choice isn’t a physical gun and it isn’t just banks that are being targeted. All financial services organisations - irrespective of size - are exposed to cyber risk.
What does this mean for hedge funds?
Cyber risk for hedge funds could range from fraud to stolen intellectual property such as investment strategies and trading platform algorithms, or data relating to investors, trading, portfolios, funds or finances. There is also a risk that an attacker could launch a denial of service attack to prevent organisations from doing business, slow down the ability to complete trades, or take out important connections to other parties such as market data feed providers, prime brokers and fund administrators. Any kind of cyber breach could result in significant reputational damage for a hedge fund, which in turn could result in a loss of investor confidence.
The threat to data and systems is multi-faceted and constantly evolving. External threats come from organised criminals operating a sophisticated business on a profit and loss basis, competitors using aggressive tactics to gain insights, and hacktivists striking out of political motivation. In addition, there is a significant insider threat posed by careless, disgruntled or malicious employees.
But taking action through fear is not the answer. As organisations become increasingly aware of the value of cyber security, those who adopt a positive approach to managing it will be viewed as more attractive and likely to retain clients and investors. They will be the ones who ‘feel free’ to act and are in a better position to anticipate and prevent wide-scale attacks.
What regulation do I need to be aware of?
Recent security incidents have led to litigation, regulatory action, reputational damage and even resignations. The Data Protection Act 1998 requires data controllers who are processing customer and staff personal information electronically to register with the Information Commissioner's Office (ICO). The ICO can issue fines of up to £500,000 and "names and shames" companies that suffer a serious breach of the act. In the US, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) is concerned with the integrity of the market system and customer data protection [1]. OCIE's cyber security initiative is designed to assess cyber security preparedness in the securities industry and to obtain information about the industry's recent experiences with certain types of cyber threats.
Overlaying this is the draft European Union data protection regulation, expected to be finalised in 2015, which will penalise businesses for information failures or breaches involving customer or other personal data. Those fines are likely to be up to 5% of global turnover, depending on the outcome of the debate between the European Parliament and Council of Ministers [2].
Where do I start?
With the global cost of cyber crime reaching $575 billion [3] and the World Economic Forum Global Risks 2014 Insight Report [4] ranking cyber attack in the top three technological risks, the UK government is shining a spotlight on the cyber security issue.
A great starting place for organisations is to use the UK Government's Cyber Essentials Scheme [5]: a set of basic technical controls to protect organisations from a cyber attack, which is supplemented by the 10 Steps to Cyber Security [6].
Hedge funds should think about the protection of their business in three interconnected ways:
- People – implementing regular security awareness training, and developing easy-to-understand security policies on what is acceptable on corporate equipment and when working remotely, will position your employees as your first line of defence. Better security doesn't necessarily mean acquiring the latest technological solution. The most important component of a cyber-security model is that it must be understood by all employees.
- Process – developing an adaptive approach that focuses on speed and agility in response to an attack can prevent downtime, avoid expensive disruptive responses and maintain business operations, whilst appeasing regulators, investors and industry partners. Ensuring security requirements are built into key processes such as application management, change management, user access management and patch management will ensure you have some of the fundamental security components in place. Establishing security requirements in contracts and exercising the right to audit with third parties (such as IT managed services, cloud service providers and payroll providers) will provide assurance to you that your data and systems are being protected effectively.
- Technology – focusing on monitoring and detection of security breaches is where technology can add real benefit. Implementing fundamental security controls, such as firewalls, anti-malware software, secure configurations, and security logging and monitoring, will enable you to stay ahead of the curve.
Hedge funds that accept cyber attacks as an inevitable part of today's business landscape, and that put the right level of protection in place to defend themselves from the bad guys, as the banks had to with John Dillinger, will secure the future of their business.
[1] National Exam Program Risk Alert – OCIE Cyber Security (Volume IV, Issue 2 – 15 April 2014) http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf
[2] European Commission - MEMO/14/186 (12/03/2014) - http://europa.eu/rapid/press-release_MEMO-14-186_en.htm
[3] Net Losses: Estimating the Global Cost of Cybercrime, June 2014 - http://www.mcafee.com/uk/resources/reports/rp-economic-impact-cybercrime2.pdf