Which cyber-threats carry the most risk?
The definition of ‘cyber-attack’ is an apt place to start. Like the clear majority of businesses, hedge funds operate in an interconnected, digital world. As a cyber-security expert at one large professional services firm interviewed by the Insights team said, “everyone is infected, it is just a case of whether it is worth fixing or not”. For our survey of hedge fund technology and operations professionals, we defined an attack as an event that a hedge fund firm’s cyberdefences registered as an “anomaly” against the backdrop of constant cyber-bombardment from automated agents. Our definition, therefore, attempts to cut out the noise and focus on the real dangers.
Frequency and types of cyber-attacks
The number and types of attack that a hedge fund business suffers will depend on a host of factors, but perhaps the two most significant are firm visibility and trading strategy. Most of the hedge fund managers the Insights team surveyed encountered less than ten attacks – or anomalies – a week (Exhibit 1.1). Those firms that encountered more than ten tended to be those that feature regularly in the press or trade frequently across a range of financial markets. The industry’s largest firms are repelling sophisticated, targeted attacks regularly. Several smaller quantitative hedge funds, also, said they encountered hundreds of attacks every month.
Cyber-attack top three
#1) Phishing – affects all firms
Close to nine in ten survey respondents said phishing was among the most common forms of cyber-attack their firms faced (Exhibit 1.2). Managers with more than $100m in AuM can expect to receive at least five malicious phishing emails every week. One interviewee at a London-based hedge fund firm said that, in respect to cyber-crime, phishing was the firm’s “only real fear,” and many peers displayed similar sentiment. Why? The firewalls at most hedge fund firms and/or their security vendors are robust enough now to withstand almost all outside attacks, but even the most capable human beings can suffer a lapse in concentration when faced with convincing phishing emails.
And because the ‘entry point’ is human error, larger firms are just as susceptible as smaller firms. The CEO of one London-based ‘billion-dollar club’ (BDC) manager gave one such example where a member of staff had entered their details into a phishing email. The attack had been caught by the firm’s security provider and when questioned the employee admitted that it had been “weird,” but not weird enough for them to report it. This was a common refrain throughout our research. One hedge fund CTO the Insights team interviewed said his firm was making good use of a button on their internal email system that allows staff to report suspicious emails instantly and directly to the relevant parties.
#2) Spear phishing – affects larger firms
This is the type of attack giving the CTOs of multi-billion dollar managers sleepless nights. The bigger and more visible the hedge fund, the more likely they will receive targeted ‘spear’ phishing emails. These attacks are often meticulously researched from the wealth of information available via online data resources, media outlets and, perhaps most significantly, social media, maximising their chance of success. Almost 70% of survey respondents from firms with more than $2bn in AuM said spear phishing was among the three most common forms of cyber-attack they suffered compared to 55% of respondents with more than $1bn in AuM and less than one third of respondents with under $1bn in AuM.
The fears surrounding spear phishing and phishing generally have led to a change in mindsets and processes at many hedge fund managers. One London-based firm has increased the number of people overseeing each wire transfer to three: one to set up the transaction and two to verify it through call backs. Several firms the Insights team interviewed had updated or were reviewing their internal policy on personal email and personal devices, with outright bans a common reaction. The fears surrounding internal actors – malicious or otherwise – will be explored further later in this section and in the report’s second section.
#3) Malware – affects all firms
Malware manifests itself in a wide variety of forms. According to online statistics company Statista, viruses were the most common form of new malware on Windows devices in the first half of 2017 (49%), followed by Trojans (30%), worms (12%), scripts (4%), password Trojans (2%) and ransomware (1%). The CTO of one BDC manager said that their firewall provider rarely suffered targeted attacks but did report hundreds of instances of malware every month. Overall, 40% of our survey respondents said malware was among their most common types of cyber-attack suffered. Scripts were reported by several BDC managers, but not by any managers outside the BDC.
The type of malware will determine how to deal with the threat. While a phishing or direct attack on one computer can be fast in both execution and remedy (the computer can be wiped and the elements compromised since the threat occurred identified and isolated), an attack from malware that sits on the computer, watches and slowly spreads can be over six months in the making. The cyber-security expert at the large professional services firm interviewed said a firm will need to take out the whole malware in one hit before the entity can respond to a firm’s defence.
Other types – DDoS, credential reuse, port scanning
Distributed Denial of Service (DDoS) attacks, where a website’s bandwidth is maliciously flooded by traffic, and credential re-use, where hackers steal a password from one service and reuse it on others, were also reported by survey respondents. Also noted was port scanning, probably the most common form of ‘attack’ there is; constant and agnostic to firm size, but too random and disparate to be considered a threat. These automated scans tend to originate from China and countries from the former Soviet Union. Some COOs interviewed were concerned that firewall vendors were including port scanning in their numbers to make the danger – and thus their value – appear greater than the reality. Managers, be wary.
The cost of cyber-attacks
The average total cost of a data breach for all types of company during the 2017 financial year fell to $3.62m from $4m the year previous, according to the 2017 study from Ponemon Institute and IBM Security. Companies are also getting faster at addressing data breaches, with the average time to identify a breach falling to 191 days from 201 days, and the average time to address the breach falling to 66 days from 70 days. This is good news. The longer the data breach goes unaddressed, the more expensive it becomes.
However, in the financial services sector, the cost per stolen record last year was greater than the four-year average, $245 versus $222, while the grand average for all sectors last year was less than the four-year average, $141 versus $150 (Exhibit 1.3). Of the 17 sectors IBM/Ponemon Institute tracked (five were selected for this report) only healthcare had a greater cost per stolen record last year ($380) than financial services. Still, the real cost of a cyber-attack to hedge fund managers is not always measured in dollars, and some of the more obvious injuries are not the ones managers fear.
Biggest concerns – in ascending order
i) Insider trading information – minimal risk
Minimal concern to most hedge fund firms. Only distinct agents carrying out a pre-meditated attack would benefit from such specific intel. In such cases, the concern would be on a whole new level.
ii) Theft of intellectual property – limited risk
Again, not a major worry. There is little benefit to be gained from a manager accessing a rival’s intellectual property and no serious business would entertain the opportunity to receive/use it.
iii) Theft of client information – mixed risk
Many managers avoid holding lots of client information on their systems, but this is certainly a concern, especially for smaller and mid-sized managers for whom each investor is that much more valuable.
iv) Wire transfer interception – smaller firm risk
Of most concern to smaller and mid-sized discretionary hedge fund firms who do not have treasured intellectual property or brands but are small enough for losses in capital to be grossly damaging.
v) Damage to firm reputation – larger firm risk
A key concern. Larger managers are loath to be linked to a high profile cyber-attack. Competition for tickets is intense, and firms cannot afford to give investors an easy reason to narrow their shortlists.
vi) General disruption – significant risk
This is the big one. The most significant danger – with malware in particular, managers said – is that the primary function of the firm – performance – could be halted with no timetable for restoration.
Where is the threat?
Closer than you might think. Exhibit 1.4 shows what many hedge fund CTOs know already – most cyber-attacks are launched from the inside by agents that are unaware of their actions. According to IBM Security, 58% of attacks against financial services firms last year were conducted by ‘insiders’ and yet only 5% were conducted by ‘malicious insiders’. The other 53%, the ‘inadvertent actors’, are the members of staff who click on the phishing email or introduce malware from a personal device they have connected to the system or an update they have downloaded.
Certainly, the hedge fund COOs and CTOs the Insights team interviewed were aware of insider danger. As noted, it has prompted a sea-change in recent years in the way firms approach, among other delivery methods, personal devices, USB sticks and personal email accounts. At the very least, firms have restricted their use. Many others have introduced outright bans. “There’s a balance to be struck between security and personal freedoms,” admitted the COO of one sub-$500m UK-based manager. “And I think over the last three years, firms have been erring more on the side of security.”
The aforementioned COO said his firm was considering banning staff from using Gmail at work and connecting personal laptops to the work systems, guest wifi only. Elsewhere, traders have been frustrated by firm-wide bans on software updates. But other managers are saving money by encouraging the use of personal devices. Cost savings will likely trump security for smaller firms.
The CTO of one US-based BDC hedge fund firm said his firm monitored the use of USB sticks and reviewed everything that was taken on and off them. This is not untypical. Another manager the Insights team interviewed had gone as far as disabling the USB ports on all the firm’s computers.
A more drastic step has been to cut off direct internet access altogether. The CTO of another US-based BDC hedge fund firm has introduced virtual desktop infrastructure with restricted access to outside networks. Clicking on links in emails has no effect, nullifying the threat of phishing attacks.
An initial step for vendors conducting a firm-wide security check will be to review staff social media activity. Facebook and the like is already banned at many firms, with some imposing limits on the types and amount of information employees can display on professional networking sites such as Linkedin.
Hidden dangers – company websites
If one of the most dangerous attacks a firm can suffer is a well-researched phishing campaign, then reducing the amount of information available to the public is a logical response. The primary source of authentic information on any business is its own website. One cyber-security specialist the Insights team interviewed suggested that firms with detailed information online about senior members of staff were particularly vulnerable to phishing scams. For example, senior staff biographies that give away too many details can help an attacker lay the foundations for convincing communication.
The Insights team undertook an exercise with this in mind. We analysed the websites – or lack thereof – of the 360 BDC managers we classified as hedge funds, finding that 45% of firms and $1trn in combined AuM offered websites with biographies of senior staff (Exhibits 1.5 and 1.6). Are these firms more vulnerable to attack? Again, a balance must be struck. Having some information available online ensures that professional investors and pension trustees can conduct informal due diligence and that a digital footprint is not dominated by unpalatable information. It is also unrealistic to think determined journalists and researchers can be prevented from posting any accurate intel online.
Ultimately, it depends on what a firm aspires to be. Hedge fund managers looking to build a brand must offer something. Small, secretive strategies can shut up shop, more cautious but safer. One small UK-based firm interviewed resisted a poorly constructed phishing campaign that scraped the details of a senior member of staff from Companies House filings online. The executive targeted was immediately suspicious of the emails because the details requested related to a process undertaken by a different department. HFM recommends posting enough basic information to convey sincerity but without unnecessary detail: job titles and focus are beneficial; job duties and reporting lines are not.