By Regina Mykolaichuk, Sentronex
The rise of cyber attacks
There have been a number of high-profile cyber attacks in recent years. 2014 was the year of the breach; from Sony Entertainment, to eBay, to JP Morgan, big global organisations were hit with a string of cyber security breaches, showing just how weak their IT security infrastructure was. But perhaps nothing caught IT and Financial Services (FS) news headlines quite as much as the infamous GameOver Zeus.
The GameOver Zeus Trojan was a crippling cyber attack of an unprecedented scale. Its CryptoLocker ransomware locked unsuspecting victims’ computers, offering to restore them only if ransom money was paid. An estimated 15,500 computers were infected in the UK, and hundreds of millions of pounds were fraudulently transferred around the world. Given the global nature of cyber attacks, the international operation to take down the GameOver Zeus botnet involved five US federal agencies, the UK, eleven other governments, and thirteen private sector companies.
Unsurprisingly, therefore, the Department of Justice issued a warning to US hedge fund investors that they are weakening US financial system defences against cyber attacks from hackers and terrorists, putting pressure on them to act sooner rather than later in order to avoid another such – or even worse – attack in the near future. The Department of Justice also told hedge fund investors that their data could be at risk if they do not increase their cyber security.
The Assistant Attorney General for National Security, John Carlin, expressed his concerns about the vulnerability of hedge funds, stating that they hold incredibly sensitive proprietary information, valuable algorithms, and a tremendous amount of capital; and yet have very weak IT. He urged managers to pay more attention to cyber threats, highlighting the importance of sharing more information with the government.
On the other hand, Anthony Scaramucci, the founder of global alternative investment firm SkyBridge Capital, believes that many in the FS sector do not feel threatened by cyber attacks until they face a security breach themselves, and therefore are not as focussed on such threats as they ought to be.
Over in the UK, the Government’s National Cyber Security Strategy has put together the Cyber Essentials Scheme, which provides best practice guidance to protect organisations of all sizes from cyber threats. As the Scheme is intended to help all industries in general, hedge funds come under the same umbrella. The Scheme does not have the force of law, though, so companies do not have to comply with it if they do not wish to. Moreover, the Scheme itself lays out only the basic technical controls that organisations ought to have in place, so hedge funds would be well advised to seek out specialised cybersecurity solutions that are well suited to the intricacies of their needs.
Cyber Security Options
There are two distinct options that organisations can opt for to increase their cyber security. They can be used independently of or in conjunction with each other:
- The cloud is a great place to start when implementing and strengthening cyber security. Private and public clouds both have their benefits and drawbacks, which can make it difficult for organisations to decide which option is best for them. 2015 could see a rise in the popularity of collocated cloud services. It is often difficult to find just one vendor who can provide everything, so going for a multi-cloud option will allow organisations within the FS sector a ‘pick and mix’ approach when establishing their cyber security strategy. Notably, a collocated cloud exchange does not require the use of the public internet, which makes it more effective, private, and – most importantly – secure, making it a sound option for hedge funds in particular.
- WISPs are another cyber security feature that FS sectors can build into their strategies. Standing for ‘Written Information Security Plans’, WISPs cover the administrative and technical safeguards of a company. The Securities and Exchange Commission (SEC) is already asking about WISPs in its cyber security questionnaire, including whether the fund has a policy in place and if its employees have been trained and tested on it.
Needless to say, cybersecurity is not something to be taken lightly, particularly where large quantities of money and sensitive client data are involved. But it is not just hedge funds that need to tighten – and indeed start paying increased attention to – their cybersecurity. In an age when cyber warfare targets money and politics, institutions from all FS sectors should pay more attention to their cybersecurity now rather than play the waiting game. And this goes for the UK just as much as the US.