Ahead of the curve?
Cyber-security has become a ‘hot topic’ within the hedge fund industry during the past three years, filling column inches and panel discussions since the first significant wave of themed SEC inspections in 2014. Awareness has increased, and, in turn, so has spending.
But are managers pleased with their progress? The Insights team asked CTOs and COOs where their firm stood with regard to cyber-security infrastructure and protocols compared to their peers, finding few who believe they are ‘behind the curve’ (Exhibit 2.1). Roughly 60% of respondents with less than $1bn in AuM believe they are on trend, and a similar proportion of ‘billion-dollar club’ (BDC) managers believe they are ahead of the curve. This is perhaps unsurprising given the latter group’s greater resources and IT-specific staffing.
This also helps explain findings from a 2016 KPMG survey in which more smaller managers than larger managers said they would increase spending on cyber-security (Exhibit 2.2). At the top end of the industry, managers with more than $5bn AuM are split almost 50/50 between those who plan to keep their cyber-security spending the same and those who plan to increase it. Almost 75% of managers with less than $500m in AuM, meanwhile, expect to increase their cyber-security spending going forward. This is likely an indication that many larger managers have already invested heavily in what they consider market-leading cyber-security solutions, while smaller managers have underspent. It should also be noted that no manager of any size said they would decrease their spending.
The cost of being protected
So how are hedge fund managers spending their cyber-budgets? If the scale of firms’ cyber-security infrastructure has increased exponentially in the past five years, then so too has the number of related services and the vendors providing them. The most sophisticated security solutions use a fully automated, AI-driven system that learns as it monitors. Such a system moves as fast as any malware and has the capability to neutralise certain threats and slow down those it is unable to defuse itself. The more common form of system is an anomaly indicator. This informs a human analyst that something new or unusual is occurring, requiring staff to determine whether or not it is a threat.
i) Network monitoring
All-encompassing security systems look to secure the network, the endpoints (devices and hardware) and storage systems. Larger managers looking for an ongoing system monitoring solution without endpoint monitoring should expect to pay $80-100k at the top end of the market. A smaller business with few access points and limited IP addresses will likely benefit from a system costing $24-60k.
ii) Endpoint monitoring
The cost of monitoring network devices and hardware will range from $10-25 per user, depending on the number of users. These top-end providers deliver information about where threats have come from, the type of threat and which areas they have affected. This creates easy visualisation of areas which may need additional protection and how attacks have manifested themselves within a network.
iii) Email security
Regularly referred to as the biggest threat, emails are a particularly important consideration. One major provider of email protection tiers its service at $30-95 per user. For this, the client firm has phishing reporting infrastructure and total control over the service, emails are sandboxed to determine whether they are safe, and historical emails are held for a chosen period in case they are lost during a back-up.
iv) Tests and scanning
Testing the system for vulnerabilities and flaws should be ongoing, and not a place to scrimp. The providers of a basic penetration test will charge about $3k, with top providers seeking closer to $5k for a three-day test, which is considered the minimum. Vulnerability scanners and programs which can be run at any time are likely to cost $20k, the same price as a quality firewall.
Education, education, education
When it comes to being protected against cyber threats, a firm’s biggest asset is also its biggest weakness. Staff and their actions can make or break a cyber-attack. As noted in Section 1, almost half of all cyber-attacks at financial services firms are initiated inadvertently by staff. Several hedge fund technology executives HFM Insights interviewed said their only real fear is that employees will click one link and cause serious damage. This danger cannot be eliminated altogether, but it can be mitigated through best practice education.
Internal lectures – Common
The most common and most easily implemented form of education is the in-house lecture. Almost 75% of respondents to our survey use internal lectures and one-to-ones to help keep staff up-to-date and aware of internal and external cyber-security developments (Exhibit 2.3). Several lecturers the Insights team spoke with said that staff sentiment has changed in recent years from seeing these talks as an annoyance to being accepted as necessary. Costs, covering old material, disagreeing with procedures and a lack of tailoring were cited as reasons by interviewees for preferring to keep lectures in-house. Almost a third of managers surveyed hire third-party lecturers.
Simulated attacks – Underused
More firms could benefit from this. Less than half of survey respondents said they conducted simulated tests. If phishing emails are the most common form of threat and among the most likely attacks to succeed, simulation testing is imperative. One cyber-security consultant declared that all the problems with cyber-security derive from someone clicking a link in an email. One of the biggest providers of simulated testing services charges roughly $40 per user annually, with a set minimum fee linked to over 120 users. Those who understand the risk and those who may need more training are also easily identified. The key is to make people aware that this could happen at any time; one IT executive who set up a phishing test fell into his own trap and clicked the link himself.
Are passwords enough?
No. They are an outdated technology easily bettered by determined hackers. Dual authentication is a common example of next-level security, often required by certain regulators including the SFC. The use of email security password safes and/or sender authentication is also prevalent. The latter is simply a means of confirming that an email has genuinely come from its apparent sender: many spear phishing and whaling emails come from addresses that exactly match, or closely resemble, a legitimate one. Password safes stop links and attachments from being opened directly, rerouting them via a protected, secondary resource. In some cases, all links are disabled or appear as plain text.
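The two email controls described above, sender checks against lookalike addresses and rendering links as inert text, can be illustrated in a few lines. The following is an added example and is not code from the report or from any provider it mentions; the trusted-domain list and the sample messages are constructed, and the similarity threshold is an assumed tuning value rather than anything the report specifies.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed (hypothetical) list of domains the firm treats as known senders.
TRUSTED_DOMAINS = {"examplefund.com", "prime-broker.example"}

# Matches http/https URLs in a message body.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, threshold=0.8) -> str:
    """Classify the sending domain as 'trusted', 'lookalike' or 'external'.

    A lookalike is a domain that is not on the trusted list but closely
    resembles one (a swapped, missing or substituted character), which is the
    'close to' address pattern the report describes for spear phishing and
    whaling. The 0.8 ratio threshold is an assumed value for illustration.
    """
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return "lookalike"
    return "external"


def defang_links(body: str) -> str:
    """Render every URL in the body as inert text so it cannot be clicked.

    Mirrors the 'links appear as text' option the report mentions: the scheme
    becomes hxxp(s) and dots are bracketed, e.g. hxxp://bad[.]example/path.
    """
    def _defang(match):
        scheme, rest = match.group(0).split("://", 1)
        return "hxxp" + scheme[4:] + "://" + rest.replace(".", "[.]")
    return URL_RE.sub(_defang, body)


def triage(from_header: str, body: str) -> dict:
    """Combine both checks into the kind of verdict a mail gateway would record."""
    verdict = classify_sender(from_header)
    return {
        "sender": verdict,
        "flag_for_review": verdict == "lookalike",
        "safe_body": defang_links(body),
    }


if __name__ == "__main__":
    # Constructed sample messages for demonstration.
    samples = [
        ("Alice <alice@examplefund.com>", "Q3 numbers attached."),
        ("CFO <cfo@examp1efund.com>", "Urgent: approve at http://pay.example/now"),
        ("bob@gmail.com", "Lunch?"),
    ]
    for hdr, body in samples:
        print(hdr, "->", triage(hdr, body))
```

Run as a script to see each constructed message classified; in a real gateway the lookalike verdict would drive the flagging path the report describes, and the defanged body would be what the user sees until the link has been checked.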
Culture is key
An employee’s willingness to report an attack is just as important as their knowledge of the subject. Staff need to be able to raise issues instantly and feel comfortable doing so, whatever the size of the firm. Concerning email, many providers, as mentioned, have flagging icons which can instantly report the email to the correct person. A strong cyber-culture means that vigilance is also heightened outside of the office – a vitally important consideration. Many threats get in via home networks and remote devices where company firewalls are not used. A common entry point for hackers to company data is through a work email account left active on unsecured networks. One UK-based manager HFM Insights interviewed said their primary focus during educational lectures was a hacker’s ability to steal an identity through Facebook or LinkedIn and access a firm’s network through public wifi.
But not everyone is convinced by the need for formal education, with 6% of managers surveyed having no such initiatives in place. The COO of one sub-$1bn AuM quantitative manager said that the nature of the firm’s investment strategy meant he expected staff to be suitably vigilant and up-to-date on cyber-issues without formal training. One fund of hedge funds manager HFM Insights interviewed said that a hedge fund manager having no formal education policy would be an amber flag – something they would make recommendations on, but not something that would stop them investing.
Testing for flaws
One US-based cyber-security expert the Insights team interviewed said one of his biggest frustrations was that many hedge fund industry professionals still use the terms vulnerability scanning and penetration testing interchangeably. Vulnerability scanning and penetration testing differ in who conducts them, how they are conducted and, most significantly, their level of intrusion. Vulnerability assessments tend to be internal programs that look for routine holes and flaws that can typically be corrected through patches and updates. Such scans will only flag flaws, not determine what should be done, how dangerous said flaws are or the urgency with which the firm should act. Penetration testing is the litmus test for a firm’s cyber-defences. Or at least it should be.
Undercooking your pen test
Almost one quarter of hedge fund managers HFM Insights surveyed said they had yet to undertake an independent penetration test, with almost 60% doing so at least once a year (Exhibit 2.4). Our research also suggests that many firms conduct their penetration tests in-house or through their current security providers: almost a quarter use service providers who know or manage these systems themselves (Exhibit 2.5). HFM advises against this. Using someone who knows the system to conduct the test is flawed for obvious reasons, and it also creates potential conflicts of interest (work could be manufactured, and flaws deliberately overlooked). Just over half of managers surveyed complete these tests through recommended providers: freelance hackers, independent specialists and/or multiple third parties.
Nor are managers embracing the full potential of penetration testing. A tester should not only be given the green light to attack from outside the network, but also ‘handed the keys to the castle’ and asked to act as a staff member with malicious intent in the name of uncovering flaws. The most thorough penetration testers will not just look for flaws online, but conduct physical security tests, such as seeking to surreptitiously enter company property to gain access to systems. Testers have been known to pose as repair men and enter offices to hack from a connected device, such as an unattended laptop or printer, or simply to watch a password being typed.
Freelance hackers, nervous managers
One of the biggest providers of penetration tests globally requires a prospective tester to have at least five years’ ‘hacking experience’ before joining the team. The term ‘advanced tests’ is often used for penetration tests conducted by professional hackers. These tests are the closest to a real hack, undertaken by someone most likely to have their ear to the ground and be up-to-date with the latest hacking trends. The only issue here is that due diligence may be more difficult, and managers must be aware of who they are allowing to touch their data and enter their systems.
Are nerves preventing managers from opening themselves up to ‘advanced tests’? Potentially. Operating in an industry built on proprietary trading strategies and critical systems, hedge fund managers have good reason to be cautious about a ‘deep dive’ test or opening up to outsiders. During its most recent cyber-themed examinations of financial entities, the SEC found that only 43% of investment managers performed penetration tests and vulnerability scans on systems the managers deemed ‘critical’ compared to 95% of broker-dealers (Exhibit 2.6). One might suggest that this is because investment managers are more aware of how critical their systems are to the everyday activities of the firm. They also lagged broker-dealers on periodic cyber-risk assessments. The only area where investment managers outperform broker-dealers is on patch updates, simple solutions to potentially significant problems.
The new ‘gold standard’
The pinnacle in testing, as far as regulators are concerned, is a vulnerability management system or vulnerability suite. This is a program that tests the system, flags what is to be fixed, and then repeats, constantly. The top performing managers tend to scan for vulnerabilities on a weekly to monthly basis. For a program that runs systematically and creates solutions automatically, this is relatively simple. New managers are well placed to consider vulnerability suites, but should still be tested by an external provider as well. Older managers with larger, legacy systems in place may struggle to introduce such changes, and may instead keep to the current system of vulnerability and penetration tests.
Emerging manager recommendations
• Vulnerability management system
• External test at least once a year
Established manager recommendations
• One full test annually (duration 3-12 days)
• Two or three ad hoc scans each year
• Multiple vendors used each year
• New testers used each year
Managers should establish their networks in silos to minimise the threat of exposure. Virtual desktop technology and/or virtual windows advance this idea by preventing attacks from spreading past an infected device. Managers can also limit the number of devices on their network, as fewer terminals means fewer access points, while guest wifi and protocols on separating personal and work devices and programs will help guard against less secure access points.