Cybersecurity preparedness is a vital component of an organization's Cybersecurity Program that helps firms develop situational awareness, mitigate risk and improve their security posture. Additionally, it is a growing concern for regulators and investors, and thus, they are urging hedge funds to implement robust cybersecurity solutions and risk management procedures.
In this blog, we outline three main cybersecurity threats that fund managers need to be aware of, as well as, offer actionable recommendations to safeguard data and prevent hackers from getting into your network.
1. CEO Fraud and Business Email Compromise (BEC)
CEO Fraud, also known as Business Email Compromise, is a scam where cybercriminals spoof company email accounts and impersonate C-suite executives to get employees to wire money or provide confidential information. Attackers know whom to target based on researching a firm’s corporate hierarchy, staff and payment patterns, and tailor these attacks to a specific audience that handles company finances. A recent study by Barracuda Sentinel found that attackers impersonate CEOs 43% of the time, in comparison to CFOs, just 2% of the time.
Any emails that create a tremendous sense of urgency and request sensitive documents, confidential business information or money, should be considered suspicious. According to a recent report by KnowBe4, CEO Fraud is now a $12 billion scam which has been reported in 50 states and 150 countries.
To mitigate risk and help prevent financial fraud or a data leak, we recommend the following security best practices:
- Never reply to suspicious emails; instead, users should contact the person at a trusted phone number or speak to them face-to-face
- Use double verification for wire fund transfer
- Perform adequate due diligence when evaluating email communications, and ensure that the reply email address matches the signature's email address
Another social engineering attack that hedge funds need to be wary of is phishing, which comes in numerous forms. Spear-phishing, a subset of phishing, is a tactic that hackers use to acquire a victim’s personally identifiable information (PII) such as usernames, passwords and credit card details by disguising as an internal entity. KnowBe4 reports that 91% of successful data breaches started with a spear-phishing attack. Unlike CEO Fraud, these emails can mimic the look of a company newsletter, IT specialist, national bank and more.
With the stakes high, and attack vectors prevalent, investment firms need to be extremely cautious when reviewing inbound emails. Here are a few ways to stay ahead of risks:
- Stay up-to-date on the latest phishing techniques
- Don’t click on links, download files or open attachments in emails from unverified sources
- Notify your IT department if you believe you've received a spoofing email
- Never email personal or financial information
- When it comes to pop-up screens, never submit personal information
- Keep your browser security up-to-date
- Install an anti-phishing toolbar in your browser
- Mandate employee cybersecurity education
3. Malware and Ransomware
The third most significant threat to hedge funds is malware and ransomware, which come in various forms and can attack a firm’s system without any act performed by an end-user.
According to a recent report by CPO Magazine, the average cost to resolve malware attacks for financial organizations is $825,000. Hedge funds need to be aware of this growing threat and become familiar with the different types that are impacting businesses. Locker, Doxware, Popcorn Time ransomware, Crypto/Encryptor malware and Scareware are just a few examples of ransomware that can be injected into an individual’s computer and affect an entire organization’s network.
There are several proactive measures that hedge funds and alternative investment firms can take to protect themselves against malware and ransomware, including, but not limited to:
- Enroll in a cybersecurity awareness training program
- Employ a Cybersecurity Advisory Practice
- Ensure antivirus software is up-to-date
Cybercrime will continue to be the biggest threat to the investment industry. To prepare, we urge businesses to implement a comprehensive risk management solution with the help of cybersecurity experts.
Align CybersecurityTM offers tailored, comprehensive and enterprise-level cybersecurity solutions specifically for the investment management space. Our 100+ years of combined expertise in cybersecurity compliance and risk management allow us to handle all legal, compliance, IT, technology and security protocols. If you have any questions, please contact our specialists today.
- Cybersecurity 101 for Fund Managers
- Cybersecurity: An Existential Threat to The Practice Of Law and the Attorney-Client Privilege
- (Podcast) A Closer Look at Cybersecurity Practices