How Secure Is the Buyside?

Hedge funds are a new favorite target of cyber-attackers, and the funds' very nature - risk-loving and publicity-shy - could aid the very thieves they need to stop.

It was a ploy as brazen as it was ingenious. Rogue traders in the U.S. teamed up with hackers and traders in Ukraine to break into the servers of major newswire firms. The plan was to steal not-yet-published earnings reports and other business announcements concerning HP, Boeing, Ford, Bank of America, Home Depot and others, and to trade ahead of the news.

Early one morning last month, the traders were arrested at their homes in the U.S., and arrest warrants were issued for the hackers in Europe. U.S. authorities also seized $6.5 million in bank and brokerage accounts and plan to charge 30 defendants with stealing information from two newswire services. According to the U.S. Securities and Exchange Commission, the hackers and traders reaped $100 million from their insider-trading scheme.

The hacked information? Press releases.

The traders are alleged to have used this nonpublic information during a short window of opportunity to place illicit trades in stocks, options and other securities, sometimes funneling a portion of their illegal profits back to the hackers, the SEC said.

Once a source of agita mainly for commercial banks and credit card companies, hackers are now training their sights on investment firms, broker-dealers and hedge funds. Reports of network intrusions, distributed denial-of-service (DDoS) attacks that knock a business's servers offline, and threats from hacktivist groups have grown more urgent over the past year. According to industry observers, hedge funds are ripe for attack. As a $2 trillion industry, U.S. hedge funds serve high-net-worth clients, run lean operations that depend on cloud computing and other outsourced technology, and must exchange data with broker-dealers and third-party IT and financial services providers.

In what ultimately might be their weakest link, hedge fund managers operate in a world of high risk and near anonymity. Even when they are hacked, many hedge funds will not come forward to admit that their servers have been breached and their client data compromised.

"Hedge funds hold a tremendous amount of capital, incredibly sensitive proprietary information and valuable algorithms, but they are small shops and often have weak IT," Assistant Attorney General John Carlin told an audience of hedge fund professionals at a conference in Las Vegas in May.

Carlin urged hedge fund managers to share information about attempted hacks and phishing schemes. He called the managers' traditional refusal to report these intrusions a "payday for hackers." "It means they can conduct their activities cost-free, they can keep getting better at stealing information, and no one is improving on our end by sharing information to prevent it from happening," he said.

A Wave of Hack Attacks

If last year seemed a never-ending slog of racial strife in the U.S. and unrest in Ukraine and the Middle East, it was also a banner year for hackers. In the summer of 2014, Bloomberg reported that hackers had stolen the passwords of the CFO and treasurer of a major U.S. hedge fund. With those credentials they siphoned off roughly $1.5 million in less than two minutes using three wire transfers – each just under $500,000, the amount that would have set off an alarm at the unnamed fund. (It is worth noting that Bloomberg's source for the story was a cyber-security solutions firm.)

In another case that surfaced that year, hackers exploited flaws in the software running Nasdaq's servers and allegedly stole some 160 million credit card numbers in a string of intrusions at the exchange, Dow Jones, JetBlue, 7-Eleven, JCPenney and other corporations. The FBI, which alerted Nasdaq to the hackers' presence on its network, noted that they had planted a so-called digital bomb, malware capable of wiping the exchange's computers if the intruders were detected. Vladimir Drinkman, 34, of Moscow has pleaded not guilty to the theft and awaits trial.

Last year, JPMorgan Chase disclosed that names, addresses and email addresses for an estimated 76 million households and 7 million small businesses may have been compromised in a wide-ranging data breach. Investigators believe the hackers responsible hailed from Russia and also targeted Citigroup, HSBC and E*Trade.

The Target on the Buyside's Back

Why did famed bank robber Willie Sutton rob banks? "Because that's where the money is," he allegedly told a reporter. (He denied saying it, but the idea is still known as Sutton's law.) The same goes for hedge funds, which hold their clients' financial details. "Knowing that they have information from high-net-worth investors, hedge funds have bank account numbers, personally identifiable information and wire transfer information for these investors; they are a target," said Brian Lozada of Abacus, a financial security solutions provider.

Aite Group analyst Denise Valentine agrees. Credit cards may be the low-hanging fruit, but hackers cannot resist the lure despite the security that banks and investment firms put in place. "Every firm has their own unique infrastructure like firewalls, but the culprits are as smart and have as much experience as you," she said. "It's quite a race to the finish to see who will come out on top."

According to Valentine, third-party vendors could be the weak link in the buyside's chain of security. Further, hackers can break into a hedge fund's network via the most mundane and least glamorous of avenues: human resources or accounts payable, for example. When employees travel, they use their own credit cards and submit expenses internally. "Sometimes the employers are giving their credit cards to a company that is authorized to book and reimburse the travel," she said. "Or sometimes credit cards are submitted to attend conferences or payment for research."

For Valentine, it all comes down to stringent due diligence. Vendor risk management means asking, "What information am I giving? What are benefits and travel agency vendors doing with the information? Blue Cross Blue Shield is a major provider to financial services firms and they were a big target this year," she said, referring to a cyberattack in which the data of 80 million customers were stolen.

Abacus has roughly 270 hedge fund and private equity clients on its platform, ranging from small firms with 10 to 12 employees up to larger funds. According to Lozada, larger investment firms like Goldman Sachs and Credit Suisse have invested in network security lately. That said, they can still be reached through the smaller hedge funds and boutique investment firms that do business with them. "If I was doing recon, I would target hedge funds," he explained. "Why? Because they are weaker, they don't have the funds to protect themselves against organized crime, and if I am able to get into one of these funds that uses Goldman or Credit Suisse as a prime broker, that's a way to get to them."

So far, the attacks in the asset management space have been of two kinds, according to Mark Clancy of Soltra. First are the run-of-the-mill operations in which a hacker finds a hedge fund employee's LinkedIn or Facebook profile and sends him or her an email carrying malicious links or attachments; the hacker then steals the employee's credentials or encrypts the hard drive (ransomware).

In other cases, there have been targeted attacks in which an employee's credentials are used to move client funds. This is called an account takeover: the hackers go after the fund's actual bank accounts. To do it, they must obtain the credentials of more than one person at the fund, because these transactions require the approval of multiple managers.

Hackers have moved on from mom-and-pop retail accounts and small business accounts. "They realize that financial firms like hedge funds have large-balance business accounts, and conveniently send money to all types of places," Clancy said. "If you're a hedge fund that trades in commodities, wiring money to an oil-rich nation outside the U.S. is probably not an unusual transaction for you."
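The two failures described above, the three wires each sized just under the $500,000 alarm at the Bloomberg-reported fund and an account takeover that satisfies a multi-approver check with a second stolen credential, are both detection problems. What follows is an added example, not code from the article or from any firm quoted in it: a small wire-monitoring rule set in Python, run over constructed sample transfers. The $500,000 per-transfer alarm is the figure the article gives; the 15-minute window, the "just under" band, the two-approver policy, the account names and the timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Set

# Policy values. The $500,000 per-transfer alarm is the figure the article gives;
# the window, the "just under" band and the approver count are assumed here.
ALERT_THRESHOLD = 500_000.0
NEAR_BAND = 0.90 * ALERT_THRESHOLD      # a wire at 90% of the alarm or above is "just under"
WINDOW = timedelta(minutes=15)          # aggregation window for the velocity rule
REQUIRED_APPROVERS = 2                  # distinct approvers other than the initiator


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    amount: float
    initiator: str               # account whose credentials submitted the wire
    approvers: FrozenSet[str]    # accounts that approved it
    beneficiary: str             # destination account label


def is_near_threshold(t: Transfer) -> bool:
    return NEAR_BAND <= t.amount < ALERT_THRESHOLD


def single_threshold_alerts(transfers: List[Transfer]) -> List[Transfer]:
    """The per-transfer alarm the article describes: it fires only at or above
    the threshold, so three wires of $499,000 each pass it untouched."""
    return [t for t in transfers if t.amount >= ALERT_THRESHOLD]


def structuring_bursts(transfers: List[Transfer],
                       window: timedelta = WINDOW) -> List[List[Transfer]]:
    """Velocity rule: two or more near-threshold wires inside one window whose
    total crosses the threshold are reported together as a single burst."""
    ordered = sorted(transfers, key=lambda t: t.ts)
    bursts: List[List[Transfer]] = []
    i = 0
    while i < len(ordered):
        if not is_near_threshold(ordered[i]):
            i += 1
            continue
        burst, j = [], i
        while j < len(ordered) and ordered[j].ts - ordered[i].ts <= window:
            if is_near_threshold(ordered[j]):
                burst.append(ordered[j])
            j += 1
        if len(burst) >= 2 and sum(t.amount for t in burst) >= ALERT_THRESHOLD:
            bursts.append(burst)
            i = j                  # do not report the same wires twice
        else:
            i += 1
    return bursts


def dual_control_violations(transfers: List[Transfer],
                            required: int = REQUIRED_APPROVERS) -> List[Transfer]:
    """Separation of duties: the initiator's own approval does not count, and at
    least `required` other identities must have approved the wire."""
    return [t for t in transfers
            if len(set(t.approvers) - {t.initiator}) < required]


def new_beneficiary_alerts(transfers: List[Transfer],
                           known: Set[str]) -> List[Transfer]:
    """First payment to a destination not on file: hold it for out-of-band
    confirmation. Unlike a geography rule, this still fires for a fund that
    routinely wires money abroad."""
    return [t for t in transfers if t.beneficiary not in known]


# Constructed sample, modelled on the incident the article describes.
T0 = datetime(2014, 6, 3, 5, 14, 0)
OFFICERS = frozenset({"cfo", "treasurer"})   # the two signatories; the attacker holds both credentials
SAMPLE = [
    # three wires in under two minutes, each just under the alarm, submitted as the CFO
    Transfer(T0, 499_000.0, "cfo", OFFICERS, "ACCT-UNKNOWN-1"),
    Transfer(T0 + timedelta(seconds=40), 499_000.0, "cfo", OFFICERS, "ACCT-UNKNOWN-1"),
    Transfer(T0 + timedelta(seconds=95), 499_000.0, "cfo", OFFICERS, "ACCT-UNKNOWN-1"),
    # a routine margin payment later that morning, submitted by ops and approved by both officers
    Transfer(T0 + timedelta(hours=3), 1_200_000.0, "ops1", OFFICERS, "PRIME-BROKER-MARGIN"),
    # a small vendor payment
    Transfer(T0 + timedelta(hours=4), 18_500.0, "ops2", frozenset({"cfo", "coo"}), "VENDOR-RESEARCH"),
]
KNOWN_BENEFICIARIES = {"PRIME-BROKER-MARGIN", "VENDOR-RESEARCH"}

if __name__ == "__main__":
    print("per-transfer alarm fired on:", [t.amount for t in single_threshold_alerts(SAMPLE)])
    for burst in structuring_bursts(SAMPLE):
        print("structuring burst:", len(burst), "wires totalling", sum(t.amount for t in burst))
    print("dual-control violations:", len(dual_control_violations(SAMPLE)))
    print("new beneficiaries held:", len(new_beneficiary_alerts(SAMPLE, KNOWN_BENEFICIARIES)))
```

Run on the sample, the per-transfer alarm fires only on the legitimate $1.2 million margin payment and misses the three $499,000 wires; the velocity rule reports those three as one burst totalling $1,497,000; and the dual-control rule rejects them because the initiator's own approval is not counted. Note what dual control cannot do: an attacker holding two sets of credentials satisfies any distinct-identity check, so a first payment to a beneficiary not on file should be held for out-of-band confirmation, such as a callback to a number already on record. As Clancy's remark about wiring abroad implies, a geography rule is a poor substitute for that at a fund that routinely pays foreign counterparties.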

These incidents have spurred growth in the burgeoning identity and access management sector. Research firm IDC predicts that spending on identity and access management products will rise from $4.8 billion last year to $7.1 billion in 2018, with financial firms seen as the main drivers of the push thanks to their enthusiastic adoption of the technology.

Exploiting a Manager's Strength

Hedge funds are notoriously secretive and do not shy away from risk. Getting a hedge fund manager to admit vulnerability to his or her high-net-worth clients – many of whom entrust the manager with tens or even hundreds of millions of their personal fortune – is anathema.

Tony Amicangioli of Hyannis Port Research, maker of Riskbot, works with hedge funds and broker-dealers, and he knows the concerns of hedge fund managers firsthand. "The sensitivity to information leakage is extreme," he said.

Lozada agrees. If a hedge fund admits that it has been breached and had little or no security in place, he said, the damage will be extensive and take years to recover from. "If a fund goes out of business when it gets hacked, would you ever recover from that? A compromise can follow you for the rest of your career," he added.

This fear of failure could make the buyside even more vulnerable to theft – and resistant to change. One outspoken member of the hedge fund community admitted that the alternative investment industry is more concerned with returns than with cyber-security. "You don't feel insecure until you are breached. The average person in the financial sector, myself included, is not as focused on these threats as they need to be," said hedge fund manager Anthony Scaramucci in response to Carlin's comments at the Las Vegas hedge fund conference.

The Regulators Act

Regulators are not taking the threat to hedge funds and other smaller asset managers lightly. Last April, the SEC issued its first-ever cyber-security guidance. Why? "Because of the rapidly changing nature of cyber-threats, the Division will continue to focus on cyber-security and monitor events in this area," the SEC stated.

Likewise, the DTCC issued a white paper entitled "Beyond the Horizon: A White Paper to the Industry on Systemic Risk" warning that financial institutions face a considerable threat from malware delivered by hacktivists through email attachments or compromised websites. It added that "[t]hese hacktivists are likely to use social networking tools to identify and attack the machines of targeted individuals within financial companies."

Clancy calls these measures a good first step but warns that they might not be enough against fast-moving hackers and online thieves. "The challenge is that regulatory frameworks tend to be fairly static by the nature of how these rules get propagated, and these problems are very dynamic," he said, adding that regulators are using a carrot-and-stick approach. "I think regulation is a lagging indicator because of the nature of how it is produced."

At the end of the day – or in the middle of the night – the odds are in the hackers' favor.

As Lozada put it: "Being a chief information security officer, I have to be right 100 percent of the time, but a hacker has to be lucky just once."