No hedge fund conference would be complete these days without at least three sessions on cyber security. GAIM Ops Cayman approached the topic from a novel angle this time, with a military-style presentation which left delegates in no doubt that the industry is in the midst of a cyber war.
The time to prepare has already passed and hedge fund managers need to take cyber security strategies to an extreme departure from business as usual, taking confidentiality, integrity and availability beyond compliance, the presenter said. Each day that goes by, a critical breach occurs on your critical infrastructure, so you need to make yourself a smaller target, he said, comparing hacking to a shooting attack.
Malware and bad data storage feature among the chief issues keeping security managers up at night, along with a lack of encryption, data leakage and unauthorized access. To illustrate the sheer scale of the cyber threat, the presentation then highlighted some of the most extreme breaches and hacks that have taken place, which in many cases resulted in huge costs and great embarrassment for the victims.
Thousands of Scottrade hacks took place over the past year and on many occasions the time the attack was discovered did not match the time the attack was going on. T-Mobile customers didn’t lose any payment card information when the telecom group was hacked but the bad guys got enough information to make credit cards in their name for life.
It’s no great surprise to learn that the financial sector saw the greatest increase in cyber attacks in 2015 with a rise of 85%; notable among them was the Carbanak attack, which netted $1 billion for the fraudsters. Other events worth mentioning were the Stagefright attacks targeting Android devices and the hack of CIA head John Brennan, and even leading cybersecurity firm Kaspersky was not immune.
From a Cayman perspective, cyber security has become a standard item on most hedge fund board agendas and most boards are either very aware of the issues or are just starting to be aware, said Lisa Alexander, independent director at Cayman corporate governance firm 19 Degrees North, who was attending the conference. “We are encouraging clients to have this discussion and regulators want to know that there is a plan in place to keep client and confidential data secure,” she said. “It’s a huge trust issue as you are dealing with client money and data and once clients believe you can’t be trusted then it becomes a huge reputational problem.” Crucially, third parties and service providers must be part of the plan, she added.
“The larger firms are doing this through their CIOs, but smaller managers need to use third parties,” said Scott Lennon, principal and managing director at 19 Degrees North Fund Services, as he highlighted the increase in social engineering attacks. These occur when hackers use websites like Facebook and LinkedIn to try to build familiarity so the target is more likely to click on a link. Malware is also placed on USB devices that are sent directly to the target with labels like “confidential salary information” to encourage people to put them in the computer.
The big change in industry behaviour that Lennon has seen is the move from push data to pull data when dealing with service providers and clients. Instead of managers sending out documents to directors by email, the director can log onto a portal and securely download the information. “I’m also seeing a lot more offering documents watermarked with my name,” Lennon added.