October 2017

Report Overview


Many hedge fund managers have spent a significant amount of time and resources improving their cyber-security measures in the last few years, and the results have impressed peers and investors alike. Larger managers in the US have been at the forefront of this trend. It would appear, at first, that their efforts have been driven by the guidance and actions of the country’s vigilant regulators. Certainly, the defensive tech of firms in jurisdictions where regulators have been vocal is superior to that of firms in jurisdictions where regulatory expectations appear lower, such as China and mainland Europe. Ultimately, though, the biggest driver of spending has been the cyber-risks themselves: the evolving threats and ongoing vulnerabilities.

Human error remains a key concern. Larger managers have spent big on state-of-the-art firewalls and firewall vendors, but their CTOs are conscious that such measures only go so far in the face of increasingly sophisticated ‘spear phishing’ scams. Most larger managers do not expect to increase their spending on cyber-security going forward, having already increased it significantly in recent years. However, our research suggests that more could be done – by managers of all sizes – in terms of educating and testing staff. Many smaller and emerging managers, for whom sophisticated attacks are less of a concern, plan to increase their spending on cyber-security. They would do well to ensure educational initiatives are given equal weight.

In fact, there is room for improvement in cyber-security-themed testing more generally: not just of staff, but of systems, processes and protocols. To be fair, the bar is now high. Many emerging managers and quantitative firms have already introduced evolving systems monitoring and deep-dive independent penetration testing. But others, including some established discretionary managers struggling with legacy technology issues, are yet to embrace the full benefits of independent tests. Fear of disruption lingers. Some managers are worried that deep-dive testing is itself a risk; many others are keeping data on attacks and testing in-house to avoid the ire of investors and regulators. Progress on cyber-security has been impressive, but at a time of fierce competition for clients, fear of failure is preventing the industry from achieving the gold standard.


Exhibits and Citations

Section 1 – Cyber threats

Exhibit 1.1: Frequency at which hedge fund firms’ cyber-defences register an anomaly, 2017, HFM Insights (Page 8)

Exhibit 1.2: Most common forms of cyber-attack suffered by hedge fund firms, 2017, HFM Insights (Page 9)

Citation:, using G Data/AV-Test data, 2017 (Page 9)

Exhibit 1.3: Average cost of each record stolen during a cyber-breach in selected industries, 2017, Ponemon Institute/IBM Security (Page 10)

Citation: 2017 Cost of data breach study, Ponemon Institute/IBM Security, 2017 (Page 10)

Exhibit 1.4: Sources of cyber-attacks against financial services firms, 2016, IBM Security (Page 11)

Exhibit 1.5: Proportion of ‘billion-dollar club’ hedge fund firms with staff biographies on their websites, 2017, HFM Insights (Page 12)

Exhibit 1.6: Combined AuM of ‘billion-dollar club’ hedge fund firms by level of website detail, 2017, HFM Insights (Page 13)

Section 2 – Protection measures

Exhibit 2.1: Manager opinions of their own cyber-security measures compared to hedge funds generally, 2017, HFM Insights (Page 15)

Exhibit 2.2: Hedge fund manager plans for cyber-spending over the next five years, 2016, KPMG/AIMA/MFA Global Hedge Fund Survey (Page 16)

Exhibit 2.3: How hedge fund firms promote knowledge and awareness of cyber-security internally, 2017, HFM Insights (Page 17)

Exhibit 2.4: Frequency of penetration tests at hedge fund firms, 2017, HFM Insights (Page 18)

Exhibit 2.5: Providers of independent penetration tests at hedge fund firms, 2017, HFM Insights (Page 19)

Exhibit 2.6: Cyber-protections and processes at SEC-registered financial services firms, 2017, SEC National Exam Program Risk Alert May 2017 (Page 20)

Section 3 – Passing the assessment

Exhibit 3.1: New cyber-security questions asked during investor operational due diligence, 2017, HFM Insights (Page 22)

Exhibit 3.2: Hedge fund operational issues revealed during investor due diligence process, 2017 Institutional investor survey, JP Morgan Capital Advisory Group (Page 23)

Exhibit 3.3: Hedge fund managers submitted to a cyber-security exam by their financial regulator(s), 2017, HFM Insights (Page 24)

Exhibit 3.4: Latest cyber-security guidance from and selected activity of regulatory bodies, 2015-2017, HFM Insights (Page 25)

Exhibit 3.5: Hedge fund firms with a written cyber-security policy and designated board member, 2017, HFM Insights (Page 26)

Exhibit 3.6: Frequency that cyber-security is raised at hedge fund board level, 2016, KPMG/AIMA/MFA Global Hedge Fund Survey (Page 26)


About HFM Insights

HFM Insights is the new research and analysis service from Pageant Media, sitting within the company’s hedge fund intelligence network, HFM. The division produces research reports and analytical articles on a variety of topics in the global hedge fund industry, including business operations, investor relations, technology and regulation. Leveraging Pageant’s wealth of data and news sources, and with access to the HFM network’s vast membership, HFM Insights is uniquely positioned, offering exclusive surveys and expert commentary.

Report authors

Tony Griffiths
Head of Research
+44 (0) 20 7832 6649

Stuart M. Kinnaird
Research Analyst
+44 (0) 20 7832 6605