Hedge funds are coming under increasingly heavy fire from attackers and regulators alike. A 2015 report issued by the SEC that examined more than 100 financial companies found that 88 per cent of broker-dealers and 74 per cent of investment advisers have experienced a cyberattack directly or through one or more of their vendors.
Not surprisingly, regulators are turning up the demands on cybersecurity safeguards. Every six months, for the last two years, additional cybersecurity regulations are released. These include COBIT (Control Objectives for Information and Related Technologies), a best-practice framework created by ISACA. It provides an implementable "set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers. In other words for the majority of funds it means continuous monitoring, detection and response.
In a panel discussion on this topic, Stuart Levi, partner at Skadden and co-head of their Intellectual Property and Technology Group noted that when an Alternative Asset Manager (“AAM”) suffers a cyber-attack, unlike most other victims, regulators might hold the AAM liable if they failed to implement appropriate security measures that could have prevented the attack. For example, the SEC recently brought enforcement action against a capital equities firm that “did not have the required cybersecurity policies and procedures reasonably designed to protect customer records and information in advance of a breach, thus violating the safeguards rule.”
Discussing the matter with a UK-based hedge fund CISO, the Morphisec team confirmed that hedge fund managers are feeling the heat. The Financial Conduct Authority (FCA), a conduct regulator for 56,000 financial services firms and financial markets in the UK, is currently performing a gap analysis to align the U.K. With the US-based COBIT framework. The FCA is matching 100 funds against each other, trying to create a Poster Child for "good cybersecurity" based on ISO 27001.
The CISO we spoke with also expressed that it is an evolving space and not particularly clear. It establishes guidelines, not stating specific technology but the requirement for monitoring and controls. It is a challenge for this CISO’s security team to interpret them, to perform gap analysis, and complete vendor due diligence. They must identify the crown jewels, the most critical cyber assets; assess cyber threats both from insiders and from organized criminals that develop ever-increasingly sophisticated attacks; and develop mitigation strategies. Within this complex system, traditional anti-malware certainly has its space, particularly against spray-type attacks, but for skilled, targeted attacks, whether by criminal or ideological hacktivists, traditional detection tools can’t keep up.
In addition, for small companies that are lean on resources and IT budgets, yet need to be compliant, what is the balance between simplicity, cost and threat coverage? In the case of our above hedge fund, the CISO singled out Morphisec’s Moving Target Defense security combined with AV and periodic patching as a set of controls that will meet regulatory requirements and keep her company and its clients safe while avoiding disruptions and the “usual” expected compatibility and false alarm issues.