Hedge funds are likely to find themselves engaged in a two-front war in cyber-security over the next several years, with threats emanating both from within and outside their organizations.
“The major shift that happened between five years ago and today is that people realized that the information stealing business became a very, very big business," said Grigoriy Milis, chief technology officer at Richard Fleischman Associates. “Information security resembles very much of the Cold War, when either side is trying to get the upper hand constantly. So it's a never ending fight between the good guys and the bad guys.”
The good news is that information security techniques are being developed to thwart, or at least blunt, the threats from organized data theft rings.
“Five years ago, everybody was pretty much resigned to the fact that if somebody wants to try to breach your network and steal your information, they could do it at will,” Milis said. “What will change is that the information security focus will shift to data protection.”
Hedge funds should take a phased approach: learning about what their peers are doing regarding information security, and then broadening the search to a wider group.
“If you’re a hedge fund, it would be useful for you to know what's happening in the broader sector,” said Richard Wilding, director of cyber products at BAE Systems Intelligence. “Are all of your peers, or competitors, being targeted? If they are and you haven't yet, then maybe you're next. What else is happening at one set removed? What is happening at broader financial services market? Is what happening the retail guys or investment guys the leading indicator of what might be coming to your sector?”
For many hedge funds, their biggest security threat is the risk that their intellectual property will walk out the door. “If you think about the algo traders, their crown jewel is the algorithm,” said Wilding. “There have been examples of employees taking that algorithm and leaving.”
There’s also the risk of the equivalent of industrial espionage, whereby rival firms try to get hold of a hedge fund’s investment strategy or trades. “There are entities out there who would like to know what your position is,” said Wilding. “Hedge funds need to be investing in defenses that help and protect against external threats.”According to the DTCC Risk Barometer, a survey conducted by Depository Trust & Clearing Corp. to assess trends in the financial industry’s resilience, cyber security was cited by 66 percent of respondents as a major systemic risk in 2014, up from 53 percent a year earlier.
“Part of the reason for the continued high level of industry concern is it is often relatively easy for the hacktivists to launch attacks,” said Mike Leibrock, DTCC’s chief systemic risk officer. “It is cheap for them to do so, but it is very expensive firms to defend against these attacks. It's not really a level playing field. Another reason is that the hacktivists are very creative, constantly coming up with new and sophisticated ways to attack firms. Another reason is that the hacktivists are very creative, constantly coming up with new and sophisticated ways to attack firms.”
Mike Leibrock, DTCC
Information security is only going to become more and more critical and complex. “With all of the stories around data theft from criminals, foreign governments and even our own government we are going to see a rise in technologies like encryption and identity assurance,” said James Russell, principal at the Information Technology Group at consultancy Rothstein Kass.
From a business standpoint it is critical that the legal and IT departments are communicating and working closely together. This will ensure that the business policies match the current legal landscape and enforcement of those policies in place.
“It is no longer sufficient to just have a written policy outlining security,” Russell said. “Now it is critical to have technologies in place that enforce those written policies as well.”
In the future, there will also be a broadening of security training within organizations. “With workforces becoming more mobile and less likely to be all under one roof it will be imperative that they understand how to work securely,” said Russell. “Information security is not the responsibility of any single department or person; it is the responsibility of anyone that handles sensitive data no matter where they are or what device they are working on.”
Feature image via DPC
