The chief financial officer of a multibillion-dollar hedge fund firm logged into his computer early one morning and noticed that the company’s accounts included a large volume of transactions requiring money to be wired to a bank in Cyprus — not something the fund’s portfolio managers normally did. Thinking the activity looked suspicious, the CFO called the Cyprus bank and stopped the wire transfers. A bank manager called the U.S. Federal Bureau of Investigation, which found that hackers had infiltrated the firm’s computer system about six months earlier. The hackers had been logging keystrokes to see how the fund managers made transfers and how the approval process worked; they had even tested the system with a few small wire transfers that had gone undetected. They were working up to a big payday, and they might have siphoned a few million dollars out of the firm’s accounts if the CFO hadn’t observed something strange going on.

That incident occurred in 2013, well before news of the cyberintrusion at . broke this September and sent the whole financial services industry into red-alert mode. The JPMorgan Chase attack was one of the worst computer breaches at a U.S. corporation, with hackers tapping into the names, addresses, phone numbers and e-mail addresses of more than 83 million customers. It turned out that nine other banks had also been hit, allegedly by the same group.

And over the past several years, almost every hedge fund firm in the world has been hacked at some level, if only through the common practice of spear phishing, or sending links that can compromise an entire network via e-mail, says Eldon Sprickerhoff, founder and chief security strategist of Cambridge, Ontario–based cybersecurity company eSentire.
“These attempts take place every day, and we’ve seen about 120 percent more attacks this year over last year,” says Sprickerhoff, whose 13-year-old company has about 400 hedge fund clients.
Hedge funds can purchase insurance to cover monetary theft from cyberattacks, with such companies as ACE, American International Group, Hiscox and Ironshore making a push into this line of business. But the more imminent threats are ones that can’t be insured. Hedge funds have reams of data that hackers might access: trading activity, portfolio composition and investor information. Hackers could disrupt trading systems so that portfolio managers have to shut down operations temporarily. That could last an hour or a day, but in today’s fast-paced market, time lost can be money lost — and it can do serious damage to a fund’s reputation. Or hackers might want to know about a fund’s trading strategies or tap into its investor base as one step toward identity theft. “It’s now less a case of trying to defend yourself and more just preparing for when you are cyberattacked,” says Iain Anderson, chief technology officer at Cheyne Capital Management, a $6.6 billion multistrategy firm in London.
Thomas Kellerman, vice president of cybersecurity at Irving, Texas–based security company Trend Micro, estimates that about 50 percent of large hedge fund firms are well prepared for the risks of cybercrime. That leaves about half ill prepared.
The subject of cybersecurity itself produces a certain amount of fear. If a hedge fund discusses its safeguards, a hacker might figure out how to get around them, says one manager who requested anonymity. Among the largest hedge fund firms, Bridgewater Associates, Brevan Howard Asset Management, Man Group and D.E. Shaw & Co. all declined to comment for this article. Most of the firms that were willing to talk would only discuss the issue in general terms.
“Cyberrisk is monitored and assessed as part of our regular overall risk monitoring, with risk control collaborating with IT,” says Larissa Alghisi, a spokeswoman for Zurich-based GAM Holding, a $24.4 billion hedge fund and fund-of-funds firm. “We perform regular tests to ensure the security of our systems. We also benchmark our procedures and security settings against established standards of international and governmental organizations.”
“For firms like ours it’s a business-as-usual activity to manage risks around cybersecurity,” says Stephen White, a spokesman for New York–based asset management giant BlackRock.
If there is any good news, it’s that fund managers are now beginning to recognize the importance of having a system in place to detect breaches, even if they don’t want to talk about it publicly. Behind the scenes, experts say fund managers are increasingly realizing it is critical to use secure, remote data centers and hire security experts. That’s largely because the Securities and Exchange Commission has embarked on a rigorous campaign aimed at preventing cyberattacks against financial institutions and is making institutions responsible for having preventive mechanisms in place. In the year ahead fund managers who haven’t already hired SWAT teams to guard against cyberattacks will have to do so. “The SEC’s action was a wake-up call,” Kellerman says.
Increasingly, investors are asking hedge fund managers about the preventive measures they have in place. Fund managers themselves need to know how cyberrisk-savvy their third-party service providers and vendors are because hackers can access a large institution through backdoor channels. The cybercriminals who accessed retailer Target Corp. last year got in through an air-conditioner vendor, for example.
Kellerman says hedge fund managers are more and more willing to report problems to the Financial Services Information Sharing and Analysis Center, an industry forum for collaboration on security threats. Fund managers have typically shied away from doing so because they’ve feared that reporting a hacking incident might damage their reputation, says Steven King, director of collateral funding and trading at the prime brokerage division of Pershing in Jersey City, New Jersey. King once asked a group of hedge fund CTOs if they would report a hacking incident to the SEC; most said no. “I heard that in one instance the managers spent eight weeks just negotiating with a government agency about what information they would provide about a hacking,” he recalls.
The problem with not reporting breaches is that if hackers attack one hedge fund, they might go after others; sharing information can be a security measure for the whole industry. U.S. Treasury Secretary Jacob Lew has said that hedge fund managers and other financial firms need to share information — much like countries share military strategy when they are fighting the same enemy.
Speaking at July’s Delivering Alpha Conference in New York, cohosted by Institutional Investor and CNBC, Lew pointed out that an orchestrated attack disrupting institutions that trade in the markets could do serious damage, at least in the short term. As an example, the Treasury secretary pointed to an April 2013 incident in which hackers accessed the Associated Press’s Twitter account and issued a false news alert that there had been an attack on the White House. The rumors drove down the Dow Jones Industrial Average by more than 100 points in three minutes, temporarily erasing $130 billion of value from U.S. stocks. Lew said he was concerned that far too few hedge fund firms were doing enough to combat hackers.
To be clear, an attack against a single hedge fund firm is unlikely to cause systemic damage. “If a big bank or retailer is hacked, it’s a case of bad actors who know they have a ready market to sell the personal financial information of customers,” Pershing’s King says. That is not the case with hedge funds, at least in the sense that no single firm has millions of customers, as banks do. In fact, security experts say it would be difficult to steal client accounts from hedge funds like hackers did at retailers Home Depot, Neiman Marcus, Sears and Target; that’s more of a worry for the banks that act as custodians for the hedge funds’ accounts.
Still, government officials are alarmed enough about the threat that the SEC held a roundtable about cybersecurity in April 2014. SEC commissioner Luis Aguilar said there was “mounting evidence that the constant threat of cyberattack is real, lasting and cannot be ignored.” He added that there was a “substantial risk that a cyberattack could cause significant and wide-ranging market disruptions and investor harm.”
The roundtable led to a sort of pilot program for hedge funds. The SEC’s Office of Compliance Inspections and Examinations (OCIE) conducted a security examination of more than 50 registered broker-dealers and registered investment advisers this fall. The examination questioned how well the randomly selected firms answered 28 questions relating to such concerns as awareness of cyberrisks, the software the firm uses to detect problems, how clients are authenticated for online access, policies for addressing responsibility for losses associated with cyberintrusions affecting clients and whether the firm conducts risk assessments of vendors and business partners. Now the SEC is setting up conference calls with hedge fund managers, giving them just a few days’ notice, with inspectors asking questions about cyberpreparedness. Industry insiders say the commission is in the process of assigning cyberrisk ratings to individual hedge funds.
It is a timely move. There were 856 cybersecurity breaches in the global financial services industry in 2013, 465 of which involved confirmed data losses, according to Verizon Enterprise Solutions’ annual data breach investigations report. That was far more than the retail industry, which had 467 security incidents and 148 confirmed data losses. Verizon hasn’t completed its report for this year, but Bryan Sartin, director of the research, investigations, solutions, knowledge (RISK) team at Verizon Enterprise Solutions in Boston, says the financial industry cyberbreaches have increased so far in 2014.
The SEC’s stepped-up actions raise the question of whether regulators would hold managers liable if a hedge fund firm was hacked to the point of creating risk to its assets and wasn’t in full compliance with the agency’s checklist. Additional compliance comes with a cost. Indeed, cyberrisk management is yet another growing expense for hedge fund managers. According to Ernst & Young, a hedge fund firm with $8 billion or more in assets now spends an average of $1.5 million to $2 million a year on cybersecurity and will increase that spending by 25 to 40 percent in the next couple of years. EY’s 2014 hedge fund and investor survey found that 80 percent of hedge fund respondents were planning to increase their spending on cybersecurity in 2015. Much of the money will go to retaining the services of companies like Sprickerhoff’s eSentire. Other major providers of cybersecurity services for hedge funds include Abacus Group, Agio, Dell SecureWorks, Eze Castle Integration, Gravitas, IBM Corp., InfoHedge Technologies and Mandiant Corp.
Outsourcing cybersecurity to a company like eSentire is supposed to supplement the work of an in-house technology team, not replace it. In addition to taking basic workplace precautions — such as allowing only an information technology administrator to install new programs, setting up firewalls that can flag viruses and hacking, and deploying software that detects and prevents intrusions — technology officers say it’s necessary to have both human and electronic eyes and ears alert to suspicious traffic every minute of every day. Cybersecurity experts that specialize in the hedge fund industry will be able to provide that kind of continuous monitoring, will know when something fishy is happening and therefore will be able to put defensive technology in place.
Sprickerhoff steps in when something looks suspicious and does his best to catch the hackers. This past summer, for example, the CFO of a hedge fund firm with more than $5 billion in assets received an unusual request. It came at the end of an e-mail thread between two employees, discussing a particular need for cash and asking the CFO to transfer money out of the firm’s capital account to their division. The executive was suspicious for a couple of reasons. One, the wording in the messages seemed to come from people who spoke English as a second language. Two, the firm had a system for making money transfers, using a form on its internal website. The CFO asked the employees named in the e-mails about the wire transfer; they said they’d never seen those messages before. So he called eSentire.
“We engaged the e-mail scammers for a while and asked why they hadn’t used the online form on the Intranet,” Sprickerhoff says. “They claimed they didn’t have time and needed the money wired immediately.”
While Sprickerhoff wasn’t able to catch the e-mailers — who apparently had hacked into the hedge fund’s network and appropriated the names and e-mail addresses of employees — he at least scared them away. “After a number of attempts at baiting them, they stopped communicating,” he says.
The hackers that hedge fund managers are fighting are generally not teenagers making mischief after school, explains Shawn Henry, president of Irvine, California–based computer security company CrowdStrike. The former FBI executive assistant director says hacking today is organized crime. For his part, Henry tries to get inside the minds of cybercriminals, including those who have stolen millions of dollars from hedge funds. Working out of an office in Arlington, Virginia, he goes after terrorists and organized-crime groups that make a lot of money by successfully infiltrating financial systems.
Henry says the most successful hackers today come from one of three main groups. First are the criminal organizations that tap into financial industry networks strictly to make money. Many of these operate out of Russia and other former Soviet countries, although there are also networks in Asia, Latin America and Africa. Then there are far more shadowy, state-sponsored intelligence agencies looking for technology and intellectual property, such as proprietary trading algorithms. Last, Henry explains, there are the so-called hacktivists — ideological groups that typically are out to disrupt the operations of those with opposing views. “I’m talking about the digital equivalent of bomb throwers,” he says. “The concern, of course, is that there could be a major disruption of a whole market.”
Although there haven’t been any cases of hacktivists going after hedge funds, Henry says, he wouldn’t be surprised if someone tried, considering how many managers take very public positions in controversial trades. While at the FBI he caught a hacktivist trying to tap into high-frequency trading algorithms to stop the trading.
In the course of a typical day, Sprickerhoff sees a few remote access attempts on hedge fund networks from Chinese and Eastern European Internet protocol addresses. Between late June and early August of this year, he observed about five times the usual number of active probes from externally identifiable Chinese IP addresses. The hackers tried to log in with credentials that looked like guesswork, and for the most part they were not successful. Later in the summer Sprickerhoff saw an influx of log-in attempts from IP addresses in Taiwan. He foiled those stabs at getting in, but he knows that hackers can continue to lurk about, looking for new ways into a network.
“Sometimes they use the more obvious attempts as a false flag,” Sprickerhoff says. “They could be making noise in one place while trying to get into the networks in other ways.”
Hackers can get into a hedge fund’s networks through clients’ online trading accounts, or they can set up fraudulent accounts and transfer money from a hedge fund. But the most effective method for remote users to gain access to a hedge fund’s network, says Sprickerhoff, is by spear phishing. The hackers will send an e-mail with a document attached to someone who works at the firm. The document contains malware that starts making changes to the entire network if the employee opens it. What has made spear phishing harder to detect, Sprickerhoff notes, is that hackers will often find employees of a firm through LinkedIn, set up a fake e-mail interchange between two employees and then forward those messages to a third employee, with an attachment that contains malicious code. Another, newer technique is to set up a so-called watering hole: The hacker designs a website that might appear to cater to a particular sector, such as financial services, and if someone working for the hedge fund so much as browses on the site, the entire network is compromised. Hackers also have been known to host malicious content on an open drop box, a cloud data source that looks safe.
In-house training is one of the most important ways for hedge fund firms to combat cybercrime — making sure that employees know not to open attachments from unknown parties, as well as having a cyber expert on staff who can identify watering holes and block access to them. One new technology to fight hacking is so-called sandboxing: software that encloses every browser, website and Internet application on a computer so that a malicious site can’t infect the rest of the network. Cupertino, California–based Bromium is at the forefront of developing sandboxing programs.
Fighting hackers has become an arms race, with each side engaged in a daily battle to get around the other’s technology. That’s why just buying a few security products is not going to keep a firm safe, says Bob Schwartz, CTO at SS&C Technologies in Windsor, Connecticut, and former CTO of SS&C GlobeOp, the company’s hedge fund administration business. “It’s more of a formal discipline that requires what we call defense in depth,” he adds. Part of this defense means identifying the data that is most sensitive to a business and setting up an iron fortress around it, allowing very limited access.
Yet it’s important for a hedge fund firm to have a technology team that can help the business function without impediments — and that can be a challenge when hackers try to infiltrate by pretending to be someone from the inside. “Our controls are designed in such a way that risks are managed but the business is able to function as necessary,” says Robin Eggar, spokesman for London-based hedge fund firm Winton Capital Management. “Restrictions must be appropriate and beneficial, not simply ‘Security says no.’”
All of these controls are necessary now that the SEC — and investors — are demanding that a hedge fund be able to prove that it is one step ahead of the hackers. “If the SEC wants to review a hedge fund for cybersecurity, the fund managers will have to be prepared,” says Joshua Barlow, vice president of operational due diligence at Irvine-based fund-of-funds firm Pacific Alternative Asset Management Co. Barlow says Paamco has been implementing operational due diligence of all kinds, including cybersecurity, since 2005, but when he is evaluating a hedge fund today, there is an extra element to the questions.
“Now we ask if the managers are prepared for an SEC review of their cybersecurity,” he says. The due diligence includes a questionnaire that is very similar to the SEC’s OCIE checklist.
Cheyne Capital’s Anderson says cybersecurity has become important to both investors checking out funds and managers checking out their service providers. “In the past year it’s become part of all investor due diligence meetings,” he adds. “Every week there is a story about some company that has been hacked and lost client data. Some investors ask us in-depth questions, and we ask any third parties we’re dealing with similar questions.”
Even those in the business of hedge fund governance are worried about cybersecurity. “Hedge fund managers share sensitive data with us,” says Don Seymour, founder of DMS Offshore Investment Services, a 14-year-old fund governance firm in the Cayman Islands that provides board members to hedge funds around the world. “We could be targeted too, so we’re very careful. And we think the board should be aware of what could happen and how to prevent it.”
The overall level of preparedness in most parts of the industry has changed since the SEC began its campaign, Seymour says. Before, “hardly anyone gave a second thought to sending tons of information to a director in Cayman who might have been keeping the hedge fund data on his family computer,” he adds.
These increasing demands from the SEC and investors would seem to put the onus on the managers of a hedge fund to have security teams in place and constantly update their antihacking technology. Whether that responsibility will be legally mandated in the future is unknown territory.
Charging a fund manager with negligence in a hacking case is a possibility, says Thomas Brown, a former assistant U.S. attorney for the Southern District of New York, where he served as deputy chief for investigating and prosecuting cybercrimes. “The cyber-threat environment is constantly changing, and one security audit is not a done deal,” says Brown, who in May joined the New York office of business advisory firm FTI Consulting.
Steven Nadel, a partner at law firm Seward & Kissel in New York and co-head of the firm’s investment management group, has been concerned over the past several years about whether hedge fund firms are truly prepared for the risk of a cyberattack, but he has seen the awareness improve since the SEC began its monitoring. He notes, though, that with government agencies watching the situation, hedge fund managers will have to be sure their practices match those of their peers for stringency.
“What often happens in a situation like this is that the SEC will come up with a rule proposal,” says Nadel. “And even if the SEC doesn’t do that, industry groups will come up with a set of standards for best practices. Then big allocators will want to make sure hedge funds comply.”