Willie Sutton, one of the most notorious bank robbers in history and one of the FBI's most wanted men of the 1950s, allegedly said that he robbed banks "because that is where the money is."
Fast forward to 2014 and "Slick Willie" would undoubtedly respond differently today, as banks are no longer easy places to rob and bank robbers no longer need a gun. The Internet is the platform for new communications – and new crime – in our highly data-driven and interconnected world. The trillions of dollars managed by hedge funds are now increasingly under attack from cybercriminals, whose tools of the trade are computers, technology networks and a devious mind.
Cybersecurity is a fast-moving, constantly evolving threat. It has caught the attention of regulatory organizations like the Securities and Exchange Commission and the International Organization of Securities Commissions, which are deeply concerned about such threats and predict "that the next big financial shock will come from cyber space."
Cyber crimes have spawned a new breed of outlaws, who operate largely unseen and are very often difficult to recognize. Modern cybercriminals are highly intelligent, creative and determined. They present a dynamic and serious threat to fund investors. Bad actors could include criminals, foreign governments, military, activist groups or even competitors.
The range of risks includes not just fraud, bad publicity, or business continuity, but loss of material non-public information as well. The sheer volume of threats that could emerge from any fund information loss creates substantial risks for fund sponsors and investors.
In the eyes of the cybercriminal, hedge funds represent soft targets relative to banks because their smaller size might not afford them the scale required to invest in the people and sophisticated technology necessary to maintain strong cybersecurity controls, including those against the unique risks presented by mobile devices. This is not solely a concern for the investment manager, but for any service provider to the hedge fund, including its directors.
Hedge funds rely on a supply chain of service providers who operate with a steady stream of important and confidential fund information. Sophisticated cybercriminals can easily identify weak links in this information chain and exploit them.
An integral part of the fund information ecosystem rests with its board of directors. A well-functioning board of directors is essential to a well-managed hedge fund. Hedge fund directors need to be provided with the information required to properly engage and understand the risks relevant to the hedge fund from its investment and risk management professionals. They need to ensure that the fund information they receive strikes the right balance between a comprehensive macro perspective and the required level of detail when necessary.
These fiduciary obligations mean that hedge fund directors often have access to sensitive fund information and need the ability to properly synthesize – and protect – that information. If the hedge fund directors are truly involved in the affairs of the fund, they will ultimately collect and hold many gigabytes of digital fund information, inevitably making information security a major concern.
Any small piece of fund information in the wrong hands could be damaging to the fund. To a sophisticated cybercriminal, seemingly insignificant information could actually be the final piece of solving a puzzle that inflicts real losses on the fund investors whom hedge fund directors have a duty to protect.
Unlike deposits in banks, hedge fund investments are not guaranteed by the federal government. Instead, fund investors and the SEC are relying on the sponsor's judgment in making sound decisions about the level of safety and sophistication of the fund's service providers under Rule 206(4)7, which mandates that registered investment advisers develop and implement written policies and procedures to comply with SEC regulations. In today's highly sophisticated industry, an unsophisticated service provider is a competitive disadvantage and even potentially detrimental to fund investors. The consequences of an unsophisticated approach to cybersecurity are foreseeable and unjustified. Prevention is always better than the cure.
Hedge fund directors should expect a marked increase in inquiries from fund investors focused on mitigating this threat, including requests for information regarding the ability of the directors to create the network transparency to assess risk, comply with SEC cybersecurity threat assessment and annual compliance reviews under Rule 206(4)7. Fund investors will also need to be assured that directors have the ability to invest in people, process and technology to properly manage and protect the fund information within their control. And, if the hedge fund does suffer an intrusion, directors should expect to be interrogated by the FBI and answer serious questions about the security of the fund information held within their control. Yes, the FBI. Welcome to the major league of crime. The threat is real and growing exponentially.
When it comes to security control, hedge fund directors cannot simply set it and forget it. Set it today and it could be obsolete tomorrow, because cyber criminals are continuously looking for any weakness to exploit, no matter how small. The simplistic legacy technology approaches used in the past are now outdated and any gaps in information security could prove costly for fund investors. Sophisticated technology is the key.
No hedge fund director wants to be exposed as the Achilles heel in the hedge fund structure and the source of security breaches that cause fund investors to suffer losses. It would be unnerving, career-ending and potentially negligent. It's a known risk that can be actively managed.
Originally published in Institutional Investors Alpha.
Don Seymour is the Founder of DMS Offshore Investment Services, the world's leading fund governance firm. Neil Stone-Wigg is Vice President of Information Technology at DMS Offshore Investment Services.