How secure is your business? In the digital age, the question has taken on new meaning. Cyber-security has been scrutinised over the past three to five years as much as almost any topic in hedge fund management. In this report, our first ‘technology’ themed study, we set out to learn about the biggest cyber-threats managers face and the measures they are using to protect themselves. More than that though, we wanted to establish how regulators, investors and managers themselves are assessing the industry’s progress, and identify the types of firm most at risk. As always, this meant surveying professionals at hedge fund managers – technology and operations specialists chiefly – but also interviewing security experts and analysing third-party data.
The report’s opening section covers the threats themselves, by form, source and cost. Phishing is the most common type of cyber-threat hedge fund managers face, with the number of attacks and associated risks increasing in line with assets under management. Bigger and more visible managers are the target of more sophisticated ‘spear phishing’ attacks, but they can be more vulnerable depending on the amount and type of information they make available online. The Insights team looks at company websites – or lack thereof – to get a sense of just how much managers are giving away. Not all the free details, we conclude, are necessary.
State-of-the-art cyber-defences are not cheap. But neither is a quality firewall a panacea. Firms can spend considerable sums on cyber-security technology – and the largest managers already have – but remain vulnerable if their staff are not vigilant to the dangers of phishing emails and related scams. In section two, we focus on the ways managers are educating their staff, as well as testing their security systems. Even the savviest analyst can be caught off guard by a chance email, something which is keeping the CTOs of the industry’s biggest hedge fund firms up at night. Others are showing signs of complacency by not yet embracing the benefits of independent penetration tests.
However, by and large investors are impressed with progress. And in many ways managers have been quicker off the mark than regulators, some of which only started to publish guidance in the last 12-18 months. Section three explores how third parties are assessing manager protocols, as well as the improvements in manager governance, from more detailed written policies to the additional time being dedicated during board meetings. Investor DDQs are also more sophisticated, even if the investors themselves still have knowledge gaps. Managers’ reluctance to report cyber-breaches to investors and regulators hasn’t helped. Still, one inference is clear: there may be room for improvement, but the necessary strides have already been made.
Some managers are offering too much information via their company websites
Firms vulnerable to phishing scams can include those with detailed information online about senior staff members, such as biographies that include job duties and reporting lines. This can help an attacker lay the foundations for convincing communication and a successful spear phishing attack. The Insights team found that almost half of ‘billion-dollar club’ hedge fund managers have some form of staff biographies online. Managers aspiring to branded status must find a balance, ensuring there is enough information online for a positive digital footprint allowing investors to conduct informal due diligence, but not enough to give scammers an easy win.
Phishing attacks are particularly common and risks increase in line with assets under management
The vast majority of hedge fund managers responding to the technology survey said phishing was among the most common forms of cyber-attack they faced. One interviewee said that, with respect to cybercrime, phishing was the firm’s “only real fear,” and many peers displayed similar sentiment, concerned that human error was difficult to mitigate. And the risk increases dramatically with AuM. Our research suggests firms with more than $100m in AuM can expect to receive at least five malicious phishing emails every week, but once managers start managing $1bn and more, they become the target of more dangerous spear phishing scams.
Not enough hedge fund firms are embracing the full potential of penetration testing
One fifth of hedge fund managers are yet to undertake an independent penetration test. More significantly though, many of the managers that are conducting tests either use service providers who know or manage the systems themselves, or are reluctant to allow testers full access. Using someone who already knows the system is flawed for obvious reasons, and also creates potential conflicts of interest. The most thorough testers will be independent parties given not only the green light to attack from outside the network, but also insider access, so as to expose the opportunities available to staff members with malicious intent.
Educational initiatives such as simulated tests could be used to improve staff awareness
Fewer than half of survey respondents said they conducted simulated tests, despite phishing emails being the most common form of threat and among the most likely attacks to succeed. One cyber-security consultant declared that all the problems with cyber-security derive from someone clicking a link in an email, and so it proved; the Insights team heard many examples of top analysts going through the motions and handing over their usernames and passwords to a scammer. Simulated testing allows people to stay up to date with the latest threats, as well as increasing awareness that any email could potentially be a threat.
The risk posed by members of staff being duped by scammers is changing firm cultures
More than half of cyber-attacks at financial services firms are initiated by unknowing members of staff, perhaps duped by a phishing email, and the issue has prompted a sea change in the way hedge fund managers approach personal freedoms. Some firms have changed their policies on personal devices, USB sticks and personal email accounts, among other delivery methods, to manage the risks, while others have implemented outright bans. As the COO of one sub-$500m UK-based manager put it: “There’s a balance to be struck between security and personal freedoms, and over the last three years firms have been erring more on the side of security.”
Managers are keeping quiet on cyber-breaches to the detriment of investors and regulators
Advances in hedge fund manager security measures are staving off many cyber-attacks, but those breaches that do take place tend to be kept under wraps. The incentives – or lack thereof – to report such cases to investors are clear: not only do managers fear telling investors about a breach, but they want to use the fact that they have made no such reports as a selling point. Even regulators are finding evidence of and information on breaches hard to come by, prompting SEC chair Jay Clayton to signal a softer line on cyber-security failings to encourage firms to report attacks. Managers can expect other regulators to follow suit.
Investors are evolving their cyber-security themed questions but are yet to master the subject
Like managers, investors have become more sophisticated in the way they approach cyber-security. What five years ago was a simple ‘tick box’ exercise lumped in with general IT matters is now a themed discussion covering, among other topics, penetration tests, phishing scams and data encryption. The questions, too, are evolving, with allocators keen for managers to demonstrate that they are monitoring and adapting their processes and protocols. However, it remains unclear whether investors are better at digesting the information they receive, or whether it is just the questions that are getting more sophisticated as a result of consultant and trade body input.
Larger managers have already done their ‘big cyber-spend’ and investors are impressed
Few managers think that they are ‘behind the curve’ when comparing their cyber-security measures to those of their peers, but spending patterns going forward will differ by firm size. A greater share of larger managers believe they are ‘ahead of the curve’ than smaller managers, while a greater share of smaller managers expect to increase spending than larger ones. In short, larger managers have done their main spending and are happy with it. Indeed, the allocators that the Insights team spoke with said they were impressed with improvements generally in recent years. Still, no one is resting on their laurels: not one hedge fund manager believes that their cyber-security spending will decrease.
The quality of dedicated written policies has increased but there is room for improvement elsewhere
Manager governance on cyber-security has improved in line with infrastructure and technology, with the vast majority of firms having a written policy and many also having a designated board member. More than that, what used to be a paragraph in a larger piece of company literature is now a confidential, standalone document. This is thanks in no small part to the SEC’s requests for a dedicated Written Information Security Plan. However, there remains plenty of room for improvement; more than half of the boards of hedge fund managers discuss cyber-security once a year or only when it is an issue.
The findings in this report were based on three primary sources: research interviews conducted in person and over the telephone, a proprietary survey, and analysis of HFM and third-party data. Research was gathered between July and August 2017. In total, more than 60 firms operating in the hedge fund industry contributed to our research. These were mainly hedge fund and asset managers, as well as service providers, regulators and allocators.
Many of the data exhibits are based on the findings of the HFM Insights Technology Survey Q3 2017, a proprietary survey of senior hedge fund technology and operations staff. The 49 respondents to this survey were based largely in the US and the UK as well as mainland Europe and Asia, and included quantitative and discretionary managers. As a group, the firms represented more than $150bn in combined assets under management.