Hedge funds face increasingly detailed operational due diligence questions from potential investors, who are concerned not only about the fund’s own operations but also about the security of their personal information.
“If somebody takes the investor roster with all the information, name, phone numbers and so forth, that would most likely mean the end of the hedge fund no matter how well it performs,” said Grigoriy Milis, chief technology officer at Richard Fleischman & Associates, an outsourced technology provider to hedge funds.
“Obviously, the investors are now looking at due diligence not just as a means of kind of verifying the hedge fund is worth investing in, in terms of how well it kind of protects its own security, but for investors it became to a degree a self-preservation type of mechanism,” said Milis. “They’ve expanded their definition of risk to include the protection of their own information.”
The U.S. Securities and Exchange Commission earlier this year began conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cyber security, according to a risk alert issued on April 15.
“People do realize what kind of impact a security breach can have on the hedge fund, and it could be pretty much devastating to the hedge fund if information about the investors or privately identifiable information about the investors is taken from them,” said Milis.
The SEC examinations will focus on each entity’s cyber security governance, identification and assessment of cyber security risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cyber security threats.
“If you look at the SEC security guidelines, it's really an assembly of virtually all the best practices that exist in the IT space,” Milis said. “Now, when we're looking at operational due diligence questionnaires, we see virtually the same questions that we see on the SEC security guidelines.”
The evolution of operational due diligence has closely tracked the adoption of IT technologies across the hedge fund industry as a whole.
“If you look broadly over the years, the operational due diligence became substantially deeper in the IT portion than it used to be,” said Milis. “As technology has evolved, operational due diligence became somewhat more detailed, so people have started asking about things like disaster recovery and business continuity planning.”
A typical hedge fund, with perhaps two billion dollars in assets under management, will not have the same massive security defenses in place as a large investment bank would have. “They are actually substantially much easier targets for the cyber criminals, but at the same time, the ratio of risk to rewards for cyber criminals is extremely high with the hedge funds,” Milis said.
For larger hedge funds, a security breach could represent a systemic risk to the economy. “If a very big trading system is breached, it could create massive chaos on the market,” Milis said. “There are some serious systemic risks that the SEC sees, and this is why they expect those guidelines at some point to become more than just mandatory requirements for the hedge fund.”