Hedge Funds Raise the Urgency Level on Cyber Security

Hedge funds are bracing for SEC exams on cyber security preparedness in 2014, but do they need a chief information security officer?

Hedge funds are paying more attention to cyber security as a result of recent guidance from the Securities and Exchange Commission.

An April risk alert has raised the urgency level for alternative funds registered with the US regulatory body to assess information security and test for any vulnerabilities. The SEC's Office of Compliance Inspections and Examinations (OCIE) notified hedge funds and more than 50 registered broker dealers and investment advisers that the agency's 2014 examinations would focus on cyber security preparedness. The OCIE has given the funds a questionnaire to fill out.

Yigal Behar, head of business development at 2Secure, which provides computer network and Internet vulnerability assessments from its offices in the Wall Street area, said the firm is seeing growing demand from small and midsized hedge funds for help meeting their information security needs.

"It's a war going on outside, especially when you see breaches on a daily basis," Behar said. "Often companies don't see that they were breached until only months or years [after] they were breached."

From a personnel standpoint, the SEC is asking firms to indicate if they have a chief information security officer (CISO) or equivalent position and to identify that person and title. Firms that don't have such a position are being asked, "Where does principal responsibility for overseeing cybersecurity reside within the firm?"

Hiring a CISO can be expensive
Some hedge funds have chief technology officers, but the CTO function is not focused on security. "People think that, if they have a CTO function, that would be sufficient," Behar said. "But the CTO would be a person whose function is to use existing and future technologies to improve their business."

Hedge funds won't be able to escape the need for a CISO, but many small funds cannot afford to hire one full time. To address this need, 2Secure has developed HF-CISO On-Demand, a service designed to help small firms with the growing threat landscape while achieving regulatory compliance. "They will need a solution so that the cost and investment will be reasonable for them because of their size, and also that is compliant with regulatory requirements and that keeps them secure, because all of a sudden clients will ask them, 'What do you do for security?'" Behar said.

In turn, funds will ask their website designer what it has done to ensure security. And clients with security awareness will say to their hedge funds, "I am giving you my precious information. How do you make sure it's safe?" Behar said. "It's pressure from different directions, directly and indirectly."

The financial industry is increasingly viewed as a target of cyberattacks. Yesterday, news outlets reported that computer hackers stole gigabytes of data from JPMorgan Chase and four other banks over the past month. But it's the SEC alert that has convinced firms they can no longer neglect security. Behar spoke with a hedge fund from Connecticut months before the alert came out. The fund said it could meet with him in June or July. When he followed up in June, after the hedge fund saw the alert, it wanted to meet the next week.

Hedge funds that lack a CISO are starting to consider alternatives that can cover this function. For instance, 2Secure offers various services, including penetration testing, risk assessment, policy and incident preparedness, incident response, and recovery planning. Those services are geared specifically to information security that an organization needs to "stay alive if something happens." The firm will package up different services, depending on each fund's needs.

Most funds will implement security to comply with regulations, but Behar said testing once a year is not enough. Firms need to see if they have been penetrated, and they need to patch the holes in their software that leave them vulnerable to hackers. For example, funds may change or update systems, which then require testing. Systems can become outdated, and many firms neglect patch management, he said, even though manufacturers like Microsoft issue patches all the time. "You need to have some tools that do automatic scanning to detect the low-hanging fruit, and then you need the human to interact with those systems and do some more testing." Firms cannot deploy patches without testing, because untested patches can cause instability.

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ...

Comments
IvySchmerken, User Rank: Author
9/2/2014 | 11:28:11 AM
Re: are hedge funds easy targets?
It's true that hedge funds have been less regulated than traditional asset managers, though that has changed post-crisis and as a reaction to the Madoff fraud. There are a host of regulations raining down on hedge funds, including the SEC's Form PF and the UK's AIFMD. Cyber criminals could be targeting smaller hedge funds that may not have the tightest security on their systems. Hedge funds that outsource their operations to managed service providers could benefit from the security and monitoring of their systems.
Greg MacSweeney, User Rank: Author
9/2/2014 | 9:09:43 AM
are hedge funds easy targets?
It's well known that cyber criminals go for the low-hanging fruit. In this case, hedge funds might be the most vulnerable of all players in the financial markets, since they are the newest to the scene and have the least amount of oversight (to date).

Hopefully, hedge fund leaders are paying attention to the increasingly aggressive cyber attacks in the financial services space.
IvySchmerken, User Rank: Author
9/2/2014 | 8:01:59 AM
Re: Security Regulation
I am not sure of how the industry feels toward compliance with state and federal security/privacy laws. I assume they would want fewer laws. But that's not going to happen. I don't think the states are going to give up their laws given all the DDoS attacks, malware and identity theft. In fact I can see an attorney general like Eric Schneiderman of New York pursuing a financial services firm that didn't adequately protect its customers from computer hackers and cyber incidents.
Becca L, User Rank: Author
8/31/2014 | 1:24:34 PM
Re: Security Regulation
Ivy, strong point about the potential proliferation of regs. Standard reporting rules seem like a no-brainer, as customer information (for example) and successful DDoS attacks are to my knowledge as concerning to a small institution in Ohio as a mid-sized one in California.

I wonder, does the industry feel okay with different rules or are they asking for standardization?
Becca L, User Rank: Author
8/31/2014 | 1:14:41 PM
Re: Security Regulation
Thanks Jon, interesting info about state and federal level regs. I'm surprised it isn't all federal. Especially because many banks span state lines, they may choose their home state as the one with the least regulatory burdens. (It's like tax evasion!) It causes an unclear picture of the state of cyber security.
IvySchmerken, User Rank: Author
8/29/2014 | 10:11:59 AM
Re: Security Regulation
A federal law would also set the standards for when an incident should be reported to a regulator. I think that's probably a murky area right now. If customer data is involved in a data breach, that would obviously warrant reporting to a regulatory body, but if a firm's systems are hit with a distributed denial of service attack (DDoS) and are taken out of service for a few hours, does that warrant reporting?

I guess it depends on how this impacts customers? In the case of a public company with shareholders, they probably have to report any material incident.

But from what you say about the existence of state laws, the danger is that regulations will proliferate and add to already overwhelming compliance burdens.
Jonathan_Camhi, User Rank: Author
8/29/2014 | 10:00:54 AM
Re: Security Regulation
Not at the federal level. New York State regulators have started sending out similar questionnaires to banks in the state. The cyber security directive that the White House issued a couple of years ago does give agencies, including banking regulators, authority to do these kinds of assessments, and also requires greater information sharing among the industry. But I think it would take federal legislation to get a more clearly defined framework in place. Right now some security issues are left up to the states, like requirements for reporting a breach. A federal law would bring some more clarity there.
IvySchmerken, User Rank: Author
8/29/2014 | 9:56:08 AM
Re: Security Regulation
Hedge fund watchers expect the SEC to formally propose a regulation. These cybersecurity exams are a first step in that direction. Firms need to fill out a cybersecurity questionnaire that will give the SEC information on the industry's security practices. This information can be used to figure out where the industry stands across the board. In terms of banking, is there a cybersecurity regulation already on the books?
Jonathan_Camhi, User Rank: Author
8/29/2014 | 9:49:59 AM
Security Regulation
It would also be nice to see cyber security legislation passed at the federal level. It's good to see the SEC is being aggressive on this though. I think more regulators will be doing similar assessments after the news that broke this week.