I was recently asked to join a Hedge Fund Association panel to discuss the unique Cyber Security challenges that keep Hedge Fund managers up at night. Although the Citrin Cooperman event had to be postponed, I put together the following article based on my research leading-up to my appearance at the event.
"Hedge Funds...they're so risky!" Have you ever heard that said? I sure have, but it was strictly meant in terms of ROI, like “Two and Twenty”, but not cyber security. In terms of cyber security, what is the risk for a hedge fund, and what does that threat landscape look like?
While I find myself every day at the coalface of real-time cyber security threats toward financial institutions, hedge funds are sort of their own unique snowflake. Similar to a wealth management firm, they don't have brick and mortar tellers, debit cards, ATMs, or even physical vaults. That being said, they still face the standard cyber related threats that a major financial institution has to mitigate, but what I believe is quite different, is the vector.
For example, Regulatory Compliance is super important to the financial sector, but for a Hedge Fund it’s arguably hard to track. Think about MNPI for a second, let’s say you run a small hedge fund and you overhear a conversation at a bar that Broadcom is planning to buy VMWare. The next day, you throw a ton of money into VMWare, but if you are questioned by FINRA or the SEC, you probably won’t have any background research or recent published reports about the two companies, and if you were to take a selfie at that point, you just might have some egg on your face. Which is a great segue into Regulatory Tech and monitoring traders.
Monitored trading at a hedge fund is important for a lot of reasons, such as the threat of intellectual property theft like trading algorithms or M&A information being stolen, however one of the misnomers around monitoring is the term “Insider Threat”. Often in cyber security that term is meant to refer to a trusted insider with a very high level of access whom has become disgruntled, however with regards to a hedge fund, it is equally important to monitor for reasons like an honest mistake such as forgetting about a political contribution. In Real Estate, it is often said, “Location, Location, Location” but in terms of a hedge fund, it’s “Monitor, Monitor, Monitor”.
BEC is everywhere, just ask Ronnie Tokazowski, but the stakes are much higher for a hedge fund. Hedge funds are often known for their rock-star leader(s), and so the risk against disruption or extortion is far greater, and VIP protection is likely top of mind. These leaders are highly targeted due to the perception that they’d pay to reduce any downtime. Spearfishing is very high on the list of threats against hedge funds.
Wire Fraud is another biggie - Account Takeover where stolen PII might be used to impersonate and commit fraud is much riskier for a hedge fund because the stakes are higher.
Hedge funds are also in a much higher risk category for supply chain attacks. Aside from the handful of exceptions, an average hedge fund’s technical staff is made up of a CTO and 1-3 sys-admins, max. So, let’s say at one of these smaller funds, you have a trader who relies on open-source software. They might have some knowledge of “R” or Python, but they aren’t necessarily trained in security. For example, do they understand what all of their libraries are doing within the code they’re writing? Are they aware which ones might be external-facing? And are they making sure their S3 buckets aren’t open?
In some of those smaller shops, who’s monitoring for patches and updates? It can sometimes be three months before a CVE gets published, but the delta on patch management can even be greater than that when you have just one person managing all of that. And what about Vulnerability management. Large financial firms have entire departments of people dedicated to mitigating their vulnerabilities, but again, many hedge funds don’t have that luxury. They also don’t always have enough staff to build-out a follow-the-sun model of 24/7 coverage, so who’s keeping watch while the lights are out? Often, they are operating in reactive mode and not able to be proactive.
So, what can we do to improve the cyber security landscape around hedge funds? I believe that Change Management can play a huge role in creating a more secure and resilient environment, one that is built upon a strong foundation of compliance, code of ethics, and cyber security awareness training. Also, know your assets (hardware and software - see the CIS Top 18 Critical Controls), make sure your network architecture diagrams are more up-to-date than the attacker’s architecture layout of your infrastructure (you’d be surprised how often this is not the case). In addition, start encrypting your back-ups (if you haven’t already), and run routine exercises to test the recovery from those back-ups. Make sure you have full EDR coverage across all flavors of your endpoints (Linux, Mac, Windows, other), and don’t forget your servers. Consider cyber security insurance, but keep those contracts hidden so that the contents cannot be used against you by the threat actors during negotiation. Lastly, know who to call. If you’re a larger sized organization, consider keeping a ransomware/extortion brokering-service on retainer.
I hope this information has been helpful. In closing, I would like to state that I could not have written this post without several friends who generously spent collective hours with me on the phone, entertaining my often-elementary questions. Each of them has asked to remain anonymous, as many of them are experts at their craft and spend their entire workday negotiating with ransomware criminals, or closely following them and aiding in bringing them down. I don’t pretend to be an expert on hedge funds by any means, I simply talked to several people who were much smarter than me, and I’ve tried to put together what I learned, in case it’s useful to anyone.