The following article originally appeared in FundFire and was written by Lydia Tomkiw.
In this exclusive interview with FundFire, Vinod Paul, COO of Align, discusses the 2018 cybersecurity landscape for hedge funds. Key topics covered include third-party vendor management, cybersecurity awareness training, the SEC’s new cyber unit, and phishing and malware attacks.
Supercharged Phishing Attacks, Vendor Risk Top Cyber Woes
A year of headline grabbing cyberattacks from WannaCry to a hack of the Securities and Exchange Commission’s Edgar system is pushing hedge funds to focus on cybersecurity risks from outsourced operations and third-party vendors, and to anticipate increasingly savvier phishing and malware attacks, industry watchers say.
Hedge funds also will have to redouble their training efforts to prepare staff to handle the heightened risks.
The level of sophistication in today’s attacks has skyrocketed, with cyberhackers socially engineering their ploys to ensure a higher success rate, says Timothy Blank, a partner and head of Dechert’s data privacy and cybersecurity practice.
“This is no longer the prince from Nigeria phishing attacks… The successful ones are coming from emails of the CFO,” he says.
Hedge funds need to continue their focus on cyber training and education for their staffers, with attackers relying on human curiosity to lead to compromises through phishing and vishing – ruses conducted by phone or voicemail – says Aristedes Mahairas, special agent in charge in the special operations/cyber division at the Federal Bureau of Investigation in New York. The FBI conducted over 150 events and presentations in 2017 and has seen a few hedge funds reach out on the topic, he says.
Hedge funds also need to focus on conducting internal reviews of their cyber posture as well as parts of their operations that are being outsourced to third party vendors, Mahairas says. “They should really pause, conduct a thorough internal review surrounding their networks, and then have that validated by a trusted third-party vendor.”
To that end, hedge funds should be gathering information on whether vendors line up with a firm’s risk appetite and if third parties have a response plan if they are compromised, says Askari Foy, managing director at ACA Aponix and former associate director of the SEC’s national technology controls program. Additionally, hedge funds need to have an understanding of the outsourcing their third-party partners may conduct with “fourth parties” that hedge funds might not have any contracts with.
“Vendor management is critical and has to be an evolving practice. It’s critical because most of the hedge funds rely on third parties to conduct their back and middle office, their record keeping, their fund administration,” he says.
Another area firms are becoming more attuned to is ensuring that their coding practices are secure and don’t create vulnerabilities, says Doron Goldstein, a partner at Katten Muchin Rosenman and co-head of the law firm’s privacy, data and cybersecurity practice.
Even as firms continue refining their processes, cyber criminals are also becoming smarter, looking at federal Form ADVs and social media to understand firm structures, says Vinod Paul, COO of Align Cybersecurity. “It is a big misconception that some funds think ‘We are too small, no one is going to attack us,’” he says.
Firms can also expect to see more scrutiny from regulators, including the SEC’s new cyber unit, he adds.
Hedge funds have been responding in other ways, including many that are taking out cyber insurance policies, Blank says.
“If you’re a hedge fund, your risk management committee has either purchased a policy or is looking at it now,” he says.
Other challenges remain, including hiring for cybersecurity talent, where demand has remained steady at the C-suite level, with many firms still assigning duties to COOs or other executives. Competition for top talent remains one of the biggest challenges for hedge funds looking to fill cyber roles, says David Richardson, a principal and member of the financial services practice at Heidrick & Struggles.
“Cybersecurity executives that are considered top talent are typically fielding numerous potential opportunities. As such, reporting line, firm size and technical sophistication are key factors in an executive’s decision,” he said in an email to FundFire.
Ultimately, hedge funds confronting the cybersecurity challenge are worried about “the cost and impact to their reputation [and] what’s the type of data being exposed,” Foy says. That means firms need to discuss reimbursement loss policies for client accounts and think about how they will react if compromised.
Cybersecurity entered everyday consciousness and risk analysis over the past few years, and that mindset should continue, Goldstein says.
“Cybersecurity is a process. It’s not a state of being – you are never secure.”