The following article originally appeared in FundFire and was written by Lydia Tomkiw.
It’s late on a Friday afternoon and an email comes in from the CIO, who is about to board a plane, requesting an immediate money transfer for an important deal that will otherwise fall apart. The corporate finance team makes the transfer, but there’s one major problem: the request did not come from the hedge fund firm’s real CIO.
Hedge funds face multiple risks from these kinds of scams, system compromises, and other cyberattacks, said panelists discussing how to protect businesses from cybersecurity threats at the SkyBridge Alternatives Conference (SALT) in Las Vegas last week.
Hedge funds are facing a changing threat environment and need to be on the lookout for business email compromises, among other threats, said Aristedes Mahairas, special agent in charge in the special operations/cyber division at the Federal Bureau of Investigation in New York, speaking in the wake of the widespread WannaCry ransomware attack that has hit organizations in over 100 countries.
“Hedge fund individuals or companies, big money, they’re coming after you in one way shape or form – they are going to come after you,” he said. “So the financial sector is certainly one sector that is at risk and we see it. Now I can also say, though, that the financial sector is recognizing, appreciating that risk, and is also in a really good position to thwart and defend against these attacks.”
Just last week, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert over the WannaCry ransomware attack, underscoring the need for systems penetration tests, vulnerability scans, and timely systems upgrades.
In a recent examination of 75 SEC-registered broker-dealers, investment advisors, and investment companies, OCIE found 57% of the investment management firms examined were not conducting penetration tests or vulnerability scans on areas the firms described as critical.
But the WannaCry attack hasn’t had a dramatic effect on financial services because the message of preparing your infrastructure for these threats is starting to get across, said panelist John Bryant, chief technology officer at Options Information Technology. There is a “rising tide of vulnerabilities” in 2017 and chief technology officers remain constantly nervous and on watch, he said.
“We see a lot more governance around cybersecurity and a lot more visibility,” he said. “It’s no longer the Wild West compared to investment bank grade infrastructure, and we see a lot more informed professionals driving this in the hedge fund industry.”
While hedge funds are becoming more alert to risks, there are six main cyberattack actors and threats – nation state actors, insider threats from within a firm, criminal syndicates trying to steal information, ransomware purveyors, hacktivists usually pursuing ideological goals, and cyber terrorists – that are all pursuing information, access, and advantage, Mahairas said.
Insider threats from within organizations involve both intentional and unintentional actors, from an employee accidentally losing a device with critical information on it to a disgruntled employee who sets up a system rigged to delete the entire network if his or her name doesn’t appear on the payroll list, Mahairas said. “You don’t hear about it because they are very slow at reporting it, if at all, because of reputational reasons, but it’s a huge problem,” he said of insider threats.
Spearphishing, emails that appear to come from someone you know, continues to be one of the biggest incidents hitting hedge funds, and cyberthreats continue to evolve, with vishing – phishing by phone or voicemail – also taking place, says Vinod Paul, COO of Align Cybersecurity, speaking in a separate interview. One of the biggest challenges hedge funds face is following through on written policies as simple as regular password changes, he says.
“It points to a lack of training and I think that’s the biggest gap in this space,” he says. “You can have great policy, great technology, but if you’re not following proper procedures and policies that’s going to be the greatest risk for a firm.”
While Align has seen an uptick in hedge funds conducting cyber tests and assessments over the last 18 months, spearphishing campaigns show no signs of slowing down, with hackers seeing a high rate of return on sending out hundreds of emails, says the firm’s managing director John Araneo.
“The reality in our industry is the amount of information fund managers have to put out there and make publicly available has never been higher,” he says. “Managers are starting to show awareness and allocate resources… but they still have a bit of a ways to go.”
When asked how the panelists would advise hedge funds to spend $100,000 on cybersecurity, Bryant argued for looking at a firm’s processes through independent third-party verification that checks to see if systems, processes, and security are working, including having a third party gather as much information as possible from social media and other sources to see how a firm’s security could be exploited. Mahairas argued for spending $100,000 on training and awareness at hedge funds, including educating staff to identify spearphishing campaigns and on what to post and what not to post online and on social media.
Hedge funds that have been hit by an attack should not be wary of coming to the FBI for help, Mahairas said.
“It’s much better for all of us to have a cup of coffee on a sunny day like here in Las Vegas than it is to get together for the first time when the event has taken place and the clouds are rolling in and it’s raining on us. We have to build that relationship of trust,” he said. “The bottom line is, if the FBI is ever called in to conduct and help in the investigation and the impact on your corporation, [we know] you are a victim. We are not in the business of revictimizing victims so we don’t go to the public to put it out there that your organization has been compromised.”
While the joke in the IT community has long been that businesses didn’t fully wake up to cyberthreats until the hack of the Ashley Madison website, businesses are now taking cyber threats seriously, said moderator Vivek Dhayagude, chief technology officer at SkyBridge Capital.
“It is a serious problem. Cybersecurity, as they say, it’s a matter of when you get compromised. It’s going to happen to each one of us that’s out here,” he said. “There’s a lot we can do, simple things I think are the most effective… It is something we have to be aware of and take it seriously.”