HFMWEEK SPECIAL REPORT

CYBER-RISK AND SECURITY 2014

FEATURING Baronsmead // Eze Castle Integration // ENCODE UK // Ernst & Young // eSentire // Matsco Solutions // netConsult // Richard Fleischman & Associates

TECHNOLOGY
The importance of using the right technological solutions for your hedge fund

EDUCATION
What hedge funds need to know to protect themselves from cyber-attacks

TAKING ACTION
Insight on the SEC’s cyber-security examinations

Quality protection, peace of mind.

“Cyber Risk… it’s not just an IT issue.”

Contact us for a free consultation. E: [email protected] T: 020 7529 2305 W: www.baronsmead.com

Honesty is the best policy


In an age of rapid technological advances, cyber-attacks are becoming more and more common as increasingly savvy fraudsters find new ways to hack into sensitive and confidential information. Cyber-security is more important to the financial services sector than it has ever been before.

Cyber-attacks on hedge funds are particularly dangerous as in many cases they remain undetected and a large number of hedge funds are unaware of their susceptibility to attack. In the past, while hedge funds may have protected themselves from external attacks, they have failed to realise the significance of the threats posed internally. Many lack the knowledge that employees can sometimes unknowingly assist an attack by revealing confidential information or simply by clicking on a seemingly harmless link.

Both external and internal cyber-security, sophisticated technology solutions and user education are imperative if hedge funds are to counteract potential threats.

Action is being taken, however, by certain governments to crack down on cyber-attacks. In the US, the SEC has released a questionnaire in preparation for examinations which will assess financial firms’ cyber-security preparedness; while the UK Government has also been working on how best to address cyber-threats to the country’s essential services.

HFMWeek catches up with professionals from the cyber-security and hedge fund sectors in the HFM Cyber-Risk and Security Report 2014. Read on to find out what cyber-attacks mean for the industry and how hedge funds can best protect themselves from these threats.

Karolina Kaminska, report editor


REPORT EDITOR Karolina Kaminska T: +44 (0) 20 7832 6654 [email protected]
STAFF WRITER Chris Matthews T: +44 (0) 20 7832 6656 [email protected]
GROUP HEAD OF CONTENT Gwyn Roberts T: +44 (0) 20 7832 6623 [email protected]
HEAD OF PRODUCTION Claudia Honerjager
SUB-EDITORS Rachel Kurzfield, Eleanor Stanley, Luke Tuchscherer
GROUP COMMERCIAL MANAGER Lucy Churchill T: +44 (0) 20 7832 6615 [email protected]
SENIOR PUBLISHING ACCOUNT MANAGER Tara Nolan T: +44 (0) 20 7832 6612 [email protected]
PUBLISHING ACCOUNT MANAGER Joakim (Joe) Nilsson T: +44 (0) 20 7832 6616 [email protected]
PUBLISHING ACCOUNT MANAGER Jack Duddy T: +44 (0) 20 7832 6631 [email protected]
CONTENT SALES T: +44 (0) 20 7832 6511 [email protected]
CIRCULATION MANAGER Fay Muddle T: +44 (0) 20 7832 6524 [email protected]
CEO Charlie Kerr

HFMWeek is published weekly by Pageant Media Ltd ISSN 1748-5894 Printed by The Manson Group © 2014 all rights reserved. No part of this publication may be reproduced or used without the prior permission from the publisher

Published by Pageant Media Ltd. LONDON: Third Floor, Thavies Inn House, 3-4 Holborn Circus, London, EC1N 2HA. T +44 (0) 20 7832 6500. NEW YORK: 1441 Broadway, Suite 3024, New York, NY 10018. T +1 (212) 268 4919


CONTENTS

ADVISORY
10 KEY SECURITY CONSIDERATIONS
Jaime Kahan of Ernst & Young recommends 10 areas related to cyber-security that firms should focus on as they operate in an environment of continuous and evolving threats

CYBER-SECURITY SOLUTIONS
THE ‘INEVITABLE’ CYBER-ATTACK: ARE YOU PREPARED?
Mark Sangster shares with HFMWeek what three cyber-security experts had to say at a recent panel discussing the SEC’s cyber examinations

INSURANCE
THE CYBER CHALLENGE
Andrew Ducat of Baronsmead explains the issues and challenges facing cyber insurance and why there is a limited uptake in the asset management industry

TECHNOLOGY
KEEPING ON TOP OF CYBER-SECURITY
Lisa Smith outlines what is expected from the SEC’s cyber-security questionnaire and how Eze Castle Integration helps hedge funds to understand and meet these requirements

IT SERVICES
START-UP CONCERNS
Richard McDonald, co-founder of London-based hedge fund IT security and services company netConsult, discusses the need for security management and the growing number of cyber-threats affecting the financial industry

SECURITY SERVICES
PEOPLE POWER
Technology advisory firm Richard Fleischman & Associates outlines the importance of workforce awareness and the need for expert personnel when tackling cyber-security threats

SECURITY SERVICES
IS CYBER-SECURITY FACING AN IDENTITY CRISIS?
Jim Serpi outlines what companies need to be aware of and discusses the ‘identity crisis’ faced by cyber-security

SECURITY SERVICES
DEATH & BREACHES
Graham Mann, of IT security specialists ENCODE, tells HFMWeek how businesses must switch on to the threat of cyber-attacks, and gives an inside track on the company’s innovative anti-hacker software


As the dangers posed by cyber-attacks continue to rise, and with financial services firms being increasingly targeted, the ability to prevent, detect, respond and recover from virtual attacks is of growing importance to the asset management industry.

This has been further highlighted in the recent risk alert from the SEC’s Office of Compliance Inspections and Examinations (OCIE). We have outlined 10 areas that we believe firms should focus on as they improve their security posture to protect themselves from cyber-attacks.

1. BOARD SUPPORT AND GOVERNANCE
Board support and governance is the first component of an effective cyber-security program. It sets the tone at the top, including policy approval. Executive support is needed to establish a clear charter for the information security function, a strategy for its growth and funding. Since understanding cyber-risk is everyone’s responsibility, asset managers are moving towards a collaborative approach by forming risk committees, which include representation from all the firm’s key stakeholders.

Board members should take an interest in hearing about what you are doing to protect the assets. According to the EY 2013 Global Information Security Survey (EY Study), a third of the asset management firms said that they were never/rarely asked by the board to present on information security matters. Some board members also acknowledged that they did not possess the technical knowledge required. In these situations, boards should consider bringing in outside experts to ensure they are asking the right questions of their security personnel on a frequent basis.

2. POLICIES AND PROCEDURES
Firms should establish robust cyber-security policies and procedures. This would allow for a consistent approach to defining, communicating and implementing steps in managing cyber-security matters, as well as meeting regulatory requirements. Procedures should be detailed, step-by-step instructions for achieving the policies, and they will provide the blueprint for the day-to-day technology operations, including roles, responsibilities, tasks, hardware, applications and processes.

3. PEOPLE
Today’s information security function requires a person with a broad range of skills as well as a clear articulation of roles, responsibilities and reporting lines. Relevant skills include an understanding of business/technology risk, knowledge in designing and executing technology controls that mitigate those risks, and the willingness to keep up to date with the latest technologies and potential cyber-threats. Technologists should also participate in forums with peers where information on the latest threats and potential solutions can be discussed.

According to the EY Study, 44% of asset managers indicated that the lack of skilled personnel was preventing them from implementing a successful security program. In these instances, firms should consider supplementing their team with vendors and training their own employees.

4. TECHNOLOGY
The threats firms face are evolving on a daily basis due to technological innovation, the increasing reliance on technology, and the increasing number of access points to data (i.e. email, mobile devices, websites, laptops, etc.). Hackers have become more sophisticated and they exploit loopholes in technology. Firms need to keep up with software that is available in the market that can help with detection and monitoring. However, the cost of cyber-threat management can be daunting. If there are budget constraints, having the dialogue with board members and the risk committee can help to determine the most critical areas and prioritise resource allocation.

5. AWARENESS
The first line of defence against cyber-crimes is the firm’s employees. By providing employees with security awareness training, a firm can make it more difficult for attackers to gain unauthorised access, and can identify phoney/suspicious activities more quickly. Training should occur at least annually, and be followed up with periodic refreshers. Common areas of focus include: password security and composition, how to identify and report phoney emails, protecting data while in public, effective use of social media, and protecting against the latest cyber-attack methods used to access confidential firm data.

It is important that your employees know what to look for and, when something doesn’t feel right, that they have a responsibility to report it. Attackers typically gather information on a firm for seven to 12 months before an attack. Employee notification of a suspicious email is a warning sign that your organisation may be targeted and it can help you to take preventative measures.

6. ASSET INVENTORY
Firms need to be able to identify who has access and to what physical and electronic assets within the organisation. This would include but not be limited to laptops, computers, servers, software, iPads, mobile devices and electronic files.

Jaime Kahan is a principal at Ernst & Young LLP where she leads the wealth & asset management sector for information technology risk & assurance. She assists firms with their cyber-security programs, risk and control frameworks, service organisation control reports, benchmarking assessments, and financial statement audits. She also develops and delivers security, risk and technology training.

10 KEY SECURITY CONSIDERATIONS

JAIME KAHAN OF ERNST & YOUNG RECOMMENDS 10 AREAS RELATED TO CYBER-SECURITY THAT FIRMS SHOULD FOCUS ON AS THEY OPERATE IN AN ENVIRONMENT OF CONTINUOUS AND EVOLVING THREATS


In addition to managing user access, firms should consider maintaining an inventory of their electronic and physical assets so that all the assets can be backed up when an employee leaves the organisation. The inventory is also a way to account for lost devices such as mobile devices and laptops, which are more susceptible to theft. Firms must have a way to degauss lost devices and prevent unauthorised data access.

7. VENDOR OVERSIGHT
Organisations need to understand the security measures in place for their vendors, who has access to their data at each point within the transaction life cycle, from inception to recording, and that data is secured in transit, in use, and at rest. Firms need to determine what checks are in place to ensure that their vendors are protecting information and data assets with the same level of security controls that are adopted internally. Such vendor oversight is particularly important in the asset management industry as many asset managers outsource much of their middle and back office functions and processes.

8. CONTINUOUS MONITORING
The EY Study found that a third of respondents had spent more on cyber monitoring than in the past and had increased funding for the upcoming year. Types of attacks that firms monitored included: denial of service (an attack that makes a computer, website or service unavailable to users), spoofing (attacker impersonates another user), port scanning (attacker determines which servers are active), sniffing (capturing transmitted data such as password credentials) and compromised key attacks (a virus that records keystrokes made by the computer’s owner).

Signature and rule-based tools that perform monitoring are no longer as effective in today’s environment. Instead, information security functions may wish to consider using behaviour-based analytics against environmental baselines and have incident response plans in place. This allows companies to pinpoint any anomalies within their network and stay abreast of potential new threats.
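Point 8’s contrast between signature-based rules and behaviour-based analytics against an environmental baseline, as an added example that is not part of the article or of EY’s material: a per-user baseline of normal source networks and hourly failure counts is learned from a constructed authentication log, and later events are scored against it next to a static blocklist rule. The log format, user names, IP addresses and thresholds are all constructed assumptions.

```python
"""Behaviour-based monitoring against an environmental baseline.

Constructed example: learn from a "normal" authentication log which source
networks each user connects from and how many failures per hour are usual,
then score a later window against that baseline and against a static rule.
"""
import re
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed log format: one event per line, ISO timestamp to the second.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed "normal week" from which the baseline is learned.
TRAINING_LOG = [
    "2014-06-02T08:05:11 user=alice src=198.51.100.23 result=OK",
    "2014-06-02T08:06:40 user=alice src=198.51.100.23 result=FAIL",
    "2014-06-02T09:12:03 user=bob src=198.51.100.40 result=OK",
    "2014-06-02T19:30:44 user=bob src=192.0.2.7 result=OK",
    "2014-06-03T08:01:09 user=carol src=192.0.2.15 result=OK",
    "2014-06-03T08:02:30 user=bob src=198.51.100.40 result=FAIL",
]

# Constructed observation window: a night-time burst of failures against real
# user names from one unfamiliar address, then ordinary daytime activity.
OBSERVED_LOG = [
    "2014-06-09T02:14:01 user=alice src=203.0.113.50 result=FAIL",
    "2014-06-09T02:14:09 user=alice src=203.0.113.50 result=FAIL",
    "2014-06-09T02:14:17 user=alice src=203.0.113.50 result=FAIL",
    "2014-06-09T02:14:25 user=alice src=203.0.113.50 result=FAIL",
    "2014-06-09T02:14:33 user=alice src=203.0.113.50 result=FAIL",
    "2014-06-09T02:15:02 user=bob src=203.0.113.50 result=FAIL",
    "2014-06-09T02:15:40 user=carol src=203.0.113.50 result=FAIL",
    "2014-06-09T08:03:12 user=alice src=198.51.100.23 result=OK",
]


def parse(line):
    """Split one log line into fields, adding the hour bucket and the /24 network."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    e = m.groupdict()
    e["hour"] = e["ts"][:13]  # "YYYY-MM-DDTHH": failures are counted per hour
    e["net"] = str(ip_network(f"{e['src']}/24", strict=False))
    return e


def build_baseline(lines):
    """Learn, per user, the normal source networks and hourly failure statistics."""
    nets = defaultdict(set)
    fails = defaultdict(lambda: defaultdict(int))  # user -> hour -> failures
    for e in map(parse, lines):
        nets[e["user"]].add(e["net"])
        if e["result"] == "FAIL":
            fails[e["user"]][e["hour"]] += 1
    fail_stats = {}
    for user in nets:
        counts = list(fails[user].values()) or [0]
        fail_stats[user] = (mean(counts), pstdev(counts))
    return {"nets": dict(nets), "fail_stats": fail_stats}


def detect(baseline, lines, k=3.0, spray_threshold=3):
    """Score events against the baseline and return alerts grouped by type."""
    fails = defaultdict(lambda: defaultdict(int))  # user -> hour -> failures
    users_per_src = defaultdict(set)                # src -> user names attempted
    new_nets = set()
    for e in map(parse, lines):
        known = baseline["nets"].get(e["user"])
        if known is not None and e["net"] not in known:
            new_nets.add((e["user"], e["src"]))  # known user, never-seen network
        if e["result"] == "FAIL":
            fails[e["user"]][e["hour"]] += 1
            users_per_src[e["src"]].add(e["user"])
    spikes = []
    for user, by_hour in fails.items():
        mu, sigma = baseline["fail_stats"].get(user, (0.0, 0.0))
        # Floor sigma at one failure so a user with a flat history still gets a
        # finite threshold rather than an alert on every single failure.
        threshold = mu + k * max(sigma, 1.0)
        spikes += [(user, hour, n) for hour, n in by_hour.items() if n > threshold]
    sprays = [(s, len(u)) for s, u in users_per_src.items() if len(u) >= spray_threshold]
    return {"new_source_network": sorted(new_nets),
            "failure_spike": spikes,
            "many_users_one_source": sprays}


def static_blocklist_rule(lines, blocklist):
    """Signature-style check: alerts only on sources already known to be bad."""
    return [(e["user"], e["src"]) for e in map(parse, lines) if e["src"] in blocklist]


if __name__ == "__main__":
    # A blocklist built from past incidents knows nothing about the new source.
    print("static rule:", static_blocklist_rule(OBSERVED_LOG, {"192.0.2.99"}))
    for kind, hits in detect(build_baseline(TRAINING_LOG), OBSERVED_LOG).items():
        print(f"{kind}: {hits}")
```

The baseline pass raises three distinct alerts for the same source (unfamiliar network for known users, a failure spike for one user, several user names tried from one address) while the static rule raises none, which is the gap the article attributes to signature-only tooling.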

9. REPORTING
Information security reporting requires a well-maintained enterprise event monitoring and incident/problem tracking and reporting system to manage events associated with business priorities and assess the true risk to the organisation. Creating metrics can help to quantify the firm’s security posture as well as provide perspective on the firm’s current threats, risks and actual breaches. By having a system or tool in place to document and categorise different security incidents, the organisation can perform trend analysis and identify potential attack patterns as well as the types of threats the organisation is most susceptible to. In addition, having reporting capabilities in place can help firms report security breaches to regulatory organisations when required.

Information that should be reported includes: the type of attack, tools utilised by the attacker, amount of time it took to detect the breach, processes impacted by the attack, number of impacted users and financial damage of the attack.

10. CONTINUOUS IMPROVEMENT
There is no one-size-fits-all approach or operating model for a cyber-security program. As firms put cyber-threat management programs in place, they can’t just be thinking about today, but about what is coming tomorrow. Cyber-security programs need to have strong lines of communication and protocols in place, awareness, knowledge, and everyone working together so that your organisation can be quick and nimble in reacting to new threats. Firms are always trying to innovate to keep ahead of their competitors, but there needs to be an awareness of how such changes can impact your technology protection. Firms need to keep the lines of communication open and ensure that they are constantly obtaining information on new threats and vulnerabilities from multiple sources such as industry events, peer discussion groups, newsgroups and security vendors.

By focusing on the areas above, firms will be able to improve their security stance and reduce risk. The more you know and prepare today, the better you can detect, respond and recover tomorrow and minimise the impact to your business.


Cyber-threats are unprecedented and today surpass terrorism with the seriousness of the risks they pose to the United States and its economy. This from the US Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) and those assembled to lead an industry-wide examination initiative tasked with establishing cyber-security best practices.

In preparation for the approaching exams, the OCIE has released a questionnaire to promote dialogue and aid in cyber-security readiness. The questionnaire itself will be used by SEC staff as they conduct a series of examinations. Gus Hunt (president and CEO of Hunt Technologies LLC and former CIA chief technology officer), Deborah Prutzman (founder of The Regulatory Fundamentals Group LLC) and Eldon Sprickerhoff (chief security strategist and co-founder of eSentire) are three thought leaders and cyber-security experts working within the OCIE space. They recently convened as a panel to present to over 100 representatives from various alternative asset management funds and had this to say about industry threats and the overall impact of the examinations.

What does the cyber-threat landscape look like, and what trends do you see emerging?

Gus Hunt (GH): The landscape continues to deteriorate. The entire threat space is fluid and growing aggressively. The pace of threats is increasing and those threats are not about stealing. We’re beginning to see a trend with nation state attacks. Those focus on the simple act of stepping in front of trade decisions. They shift your price, affecting your bottom line. This ensures the nation state’s competing firm outperforms you in the marketspace and achieves their goal of shifting portfolio assets away from you, directing them to their own firm instead. We’ve seen this technique in the past across other industries, which suffer when competition intercepts and alters bids prior to delivery, ultimately winning contracts.

Threat sophistication is increasing and firms today are only as vulnerable as their weakest link. Frictionless and agile cyber-weapons target internal applications, like heating and ventilation and progress from there.

We’re witnessing the perfect storm in cyber-security. Fundamentally, defence becomes too challenging, too complex and too expensive to tackle independently. And firms must look for solutions.

Why are the OCIE and other government agencies focusing on the threat to financial services posed by cyber-attacks?

Deborah Prutzman (DP): Cyber-threats are becoming a threat to our way of life. There’s potential for a major targeted attack that could catastrophically impact the financial market. Not unlike terrorism, cyber-criminals view this as a powerful tool to use against our society. Enhancing cyber-protection is a critical exercise and necessary to instill confidence in the financial sector. The agencies driving this initiative want to do what it takes to ensure investors and third-parties are comfortable operating within the industry.

In addition to fostering confidence in the market, there’s a need to provide clarity within the legal system. The regulators have shared concerns and are beginning to question what would happen if there was a major loss, and where the liabilities would lie. They recognise the need for greater transparency and the collaborative effort required from all financial regulatory agencies. There’s no doubt that the landscape today poses an enormous risk with growing potential consequences and this ultimately motivates the need for proactive planning.

How are cyber-criminals specifically targeting hedge funds, private equity funds and investment banks?

GH: There are a variety of attacks that happen. Those include socially engineered emails and phone calls, phishing scams (emails with infected links), infected media and DDoS/data destruction. But more commonly, we’re starting to see watering hole attacks. We liken this to predators on the savannah, who patiently wait for prey to approach the water. Oftentimes this uses, for example, WordPress attacks targeting blogs published by law firms and hedge funds. These attacks appear to be more focused on gathering credentials rather than deploying malware directly.

We see cyber-criminals gathering key company contacts by trolling social media like LinkedIn. Remote login attempts via Outlook Web Access and remote desktop are also on the rise, with cyber-criminals attempting access using real employee names.

There’s also an increase in external scans of internet-facing web applications through commercial web assessment tools. These assessment tools probe for weaknesses and use those weaknesses to their advantage.

MARK SANGSTER SHARES WITH HFMWEEK WHAT THREE CYBER-SECURITY EXPERTS HAD TO SAY AT A RECENT PANEL DISCUSSING THE SEC’S CYBER EXAMINATIONS

THE ‘INEVITABLE’ CYBER-ATTACK: ARE YOU PREPARED?

Mark Sangster, vice president, marketing at eSentire. Mark combines an entrepreneurial spirit with more than 20 years’ experience managing marketing operations, with small and large teams in various high-tech sectors serving global markets. Through his career he has garnered experience at industry giants Intel Corporation, Research in Motion and Cisco Systems.


What areas will the OCIE cyber-security questionnaire cover and when will the OCIE begin examinations of RIAs?

Eldon Sprickerhoff (ES): This is a broad questionnaire with such deep, probing questions that the respondents themselves are being asked to thoroughly understand the data and technology in their environment. It touches on every facet of the firm. The goal is to get a sense of how well cyber-security issues are understood and how they impact each firm. The exam will focus on what sorts of policies and procedures exist, what data is important and how cyber-security issues have been handled in the past and how well documented they are. The examinations are scheduled to launch in September.

DP: There will be a process of refinement and the process itself is meant to be non-prescriptive, with the goal of improving the stance of every firm in the industry.

GH: This is the first of many regulatory salvos that will be launched. The government feels that this is the role they have to take to protect the industry.

In the face of ever-evolving cyber-threats, what can organisations do to protect their business, employees and investors?

ES: I’d recommend a three-pronged approach to organisations. First, gain an understanding of where your cyber-security stands today. Perform vulnerability assessments to get a clear picture of security gaps that exist. Anti-virus programs seem to be a troubling weak point in firms of all sizes. Many firms believe they are protected when they have an anti-virus program running, but the reality is that this is often easily compromised when software becomes outdated or when malicious code is uploaded to disable software updates.

Second, organisations need to be cognisant of the fact that external vectors are not the only threat. Insiders have access to critical data, which they can sometimes unknowingly put at risk. End-user education is integral in any cyber-security plan.

And finally, companies must recognise that technology alone will not shield against attacks and prevent breaches. Fusing people, process, technology and end-user education is key to define and plan for this kind of event.


HFMWeek (HFM): Why do you think there is a low uptake of cyber insurance?

Andrew Ducat (AD): There are a number of reasons for the limited purchase of cyber insurance. First, there is a lack of understanding about what cyber insurance products actually do. We all read stories in the newspapers about loss of personal data at a bank, or a credit card company losing an unencrypted laptop computer and thereby inadvertently losing personal data for tens of millions of individuals. But there is a perception that technology and security risks are those predominately associated with parties who hold large amounts of personal data. If you’re not a bank or a health authority and you don’t hold large volumes of personal data, then the problem of loss of data and the issues associated with it, such as the time and costs of notifying all of the involved parties and amending the error, let alone the regulatory or reputational implications, probably seem a bit abstract. We can all recognise that they are very real problems, but broadly speaking within the asset management industry, because managers typically don’t hold vast quantities of personal data, it probably isn’t one of their first concerns. However, cyber insurance is far broader in scope than providing cover for notification costs. For example, it’s possible to obtain cover for emergency analysis and rectification of breached technology systems – issues likely to be of more significance to the sector.

Second, the regulatory regime in Europe as it stands at the moment isn’t as stringent or as onerous as it is in the US. Arguably we could say that the cyber and technology risk environment is probably more mature in the US, as are the regulatory implications of breach, certainly of loss of data, and so is the development of the cyber network insurance industry. So a question to consider is: what are the implications of the proposed changes to European legislation? To the extent that the proposed changes are actually implemented as currently proposed, we would be at least in a similar position to that which exists in the US. That might then, in a sense, drive the cyber network insurance industry forwards because it would also be driven by the regulatory impact of the underlying exposures.

Third, is there really an understanding of the potential impact of technology on the business? In the asset management industry technology is often advanced, but what we find is that there is a significant proportion of the industry that is heavily reliant on technology being outsourced. The outsource provision is subject to whatever contractual terms and arrangements exist between the asset manager and the technology provider; obviously there is a tremendous range of systems and there will be different methodologies of managing those systems.

HFM: Is cyber-risk taken as seriously as it should be?

AD: I think we need to draw a distinction between the identification of cyber-risk and the insurance response to it. In terms of cyber-risk, I would say that it is taken seriously but there is a risk that, simply due to lack of understanding about the real security within the systems, the right questions may not be asked. Coming back to the fundamental principles, if you have a specialised system such as technology which is understood by comparatively few, what’s the best way of managing the integrity of that system? To take it seriously one really needs to understand it, but it’s difficult to understand a highly technical process in any subject, so maybe one needs to engage with a third party to undertake independent analysis or stress testing and to require that the results be communicated in appropriate terms.

HFM: How does the scale of technology outsourcing affect the issue?

AD: Large companies with significant resources and technology personnel can build robust systems and communicate clearly internally. Having large resources and personnel is going to be beneficial in terms of managing the risk. Smaller companies necessarily outsource a lot of service provision, technology being just one of those services. Then it becomes a question of not just the scale of the outsourcing but the basis on which the outsourced provision is being provided. There will be a broad range of system types that will be dependent on the user’s requirements, businesses and management styles. It isn’t the outsourcing of technology service that’s an issue, but rather the manner in which its strengths and weaknesses are understood by the client.


ANDREW DUCAT OF BARONSMEAD EXPLAINS THE ISSUES AND CHALLENGES FACING CYBER INSURANCE AND WHY THERE IS A LIMITED UPTAKE IN THE ASSET MANAGEMENT INDUSTRY

THE CYBER CHALLENGE

Andrew Ducat is partner and head of client service at Baronsmead Partners LLP. Prior to this, he worked at Trafalgar House and Sea Containers before spending 12 years as head of group insurance at Man Group plc. Ducat has over 30 years’ experience in the insurance industry.


HFM: Would the asset management community benefit from a common approach?

AD: Going back to the point made that there are many smaller businesses doing their own thing, then there may well be some benefit in having a united voice. At least to have consistency around establishing what that baseline might be: if everyone can agree an approach that is consistent and appropriate to manage the cyber network risk, then it might put the sector in a stronger position than each standing in isolation. It might be easier and more beneficial to work around a standard approach that may be modified appropriately to represent enhanced or reduced perceptions of risk.

HFM: How does the insurance industry approach cyber-risk?

AD: There are a number of different approaches. There are specific cyber insurance products that encompass a number of different types of insurance into a package or modular approach. For example, they may provide cover in respect of notification costs, third party legal liabilities and emergency investigative costs, as well as rectification costs.

One of the challenges is that a number of aspects of that cover may well be provided by existing insurances already purchased. In addition to that, when we look at something such as professional indemnity insurance, which provides cover for legal liability to third parties, some insurers are willing to include cyber network risk cover, while others are not. As such, there is a level of inconsistency within the industry. From the buyer’s point of view, what they want to do is identify the level of the exposure and responsiveness of their existing insurances, and then consider the benefits of insurance purchase for the residual risks. What we may find is that the most significant part of the cyber insurance offering for the asset management sector may actually be the emergency response and rectification issues. This then takes you down the road of establishing what risk analysis needs to be done to test the integrity and strength of the system and how those risks would otherwise be managed. If it’s not possible to manage those risks away, and that’s perhaps a conversation to have with the technology provider, do they really have the emergency response and depths of specific expertise necessary to interrogate the systems and identify any remedial work? Is that service part of the outsource service provision or would it be better accessed via a cyber insurance product?

HFM: Is this a risk management or insurance issue, or both?

AD: We can definitely say that it’s both. Certainly one could buy a cyber insurance policy, be unconcerned about potential duplications of cover, become comfortable that you’re buying a product that provides the emergency response, and that may be viewed as a cost-effective expenditure in its own right. It’s important to recognise that the insurance products themselves will require a level of underwriting so there will be some interrogation and evaluation of the insured’s computer and technology systems anyway. The analysis itself may well identify prudent system enhancements, which obviously may have cost implications.

If inviting that level of analysis and validation via an insurance product, some may consider it more appropriate for the company to carry out that analysis directly. Having identified where the risks are, they would be better positioned to evaluate whether they want to transfer those risks to an insurer, subject to understanding the scope of the insurances available.


KEEPING ON TOP OF CYBER-SECURITY

LISA SMITH OUTLINES WHAT IS EXPECTED FROM THE SEC’S CYBER-SECURITY QUESTIONNAIRE AND HOW EZE CASTLE INTEGRATION HELPS HEDGE FUNDS TO UNDERSTAND AND MEET THESE REQUIREMENTS

TECHNOLOGY

Lisa Smith is business continuity/data privacy manager at Eze Castle Integration. Smith has been working with hedge funds since 2007, focusing on creating BCPs and WISPs. She holds an MS in Business Continuity from Norwich University and a BSBA in Finance from Northeastern University, and is a CBCP with DRII.

The SEC’s cyber-security questionnaire sets the framework and best practices for the financial industry. When you consider the type of information that hedge funds are handling on a day-to-day basis, it’s really important that they have security controls in place. The questionnaire is a way for the SEC to ensure that hedge funds, private equity and investment management companies are taking security controls seriously and are aware of what’s in place for their company.

HFMWeek (HFM): Within the sample SEC cyber-security request document, questions were divided into five categories. What is the SEC looking for in these categories?
Lisa Smith (LS): Identification of risks in cyber-security governance – this involves an analysis of what’s in place. So for instance, when I conduct a business assessment I’ll focus on what’s currently in place versus what should be in place in accordance with the recommendations from the SEC. Anything that is not in place that should be goes into our risk assessment summary and is categorised as low, medium or high. It’s about ensuring that hedge funds have certain controls and security policies in place to protect their environment and data.

The protection of the firm’s networks and information – ensuring that your information, whether it’s personally identifiable information or confidential information about an investor, employee, the funds, portfolios or strategies of the company, is protected by internal and external policies.

Risk associated with remote customer access and fund transfer requests – this covers any confidential data that’s going in and out of the firm as well as any external business partners that have access to the firm’s network or infrastructure. You need to assess if information is being encrypted for protection.

Risk associated with vendors and other third parties – this relates to firms which outsource services to vendors, fund administrators or banks. When you outsource, you are most likely transferring some risk to an external business partner and you need to make sure they also have similar best practices in place for protecting your data. You need to ensure that they are following those rules and recommendations when it comes to handling their customer data.

Protection of unauthorised activity – this includes intrusion detection software, vulnerability assessments and technical assessments that scan your network to ensure it’s stable, secure and that there isn’t unauthorised activity going on or any unauthorised attempts to break into your network.

HFM: Based on Eze Castle Integration’s work with hedge funds worldwide, do you believe most hedge funds are prepared for this increased focus on cyber-security?
LS: I think hedge funds are headed in that direction. Most of them have become very dependent on their IT support providers in order to ensure that these controls are in place and that they’re following best practices. Most of the senior management of hedge funds are very busy, focusing on overseeing the day-to-day operations of the firm, and so they tend to leave security considerations to those that have the IT expertise, whether in-house or out-house.

The increased focus on cyber-security is getting those senior managers more involved, increasing their knowledge of what’s in place, what needs to be in place and how important it is to make sure the appropriate administrative and technical safeguards are implemented.

If they find gaps, they are actively taking the steps to gather the appropriate information and make sure the appropriate controls are in place.

HFM: Many portions of the SEC questionnaire tie back to a firm’s Written Information Security Plan (WISP). What should go into one of these?
LS: At Eze Castle Integration, we have been developing and maintaining WISPs for clients since 2009. When putting together the WISP, one of the first things to do is focus on the business assessment by asking questions including:

• How is the business set up?
• What type of functions are being done internally, and within those functions who has access to confidential data or personally identifiable information?
• Where is that data stored, who’s using it, and who has access to it?
• What level of security is applied to key applications? For instance, if a hedge fund is using banking or fund administration websites, they should look at what extra level of identification the sites have in place – are they using security tokens or PC certificates? How are they accessing specific websites or applications? What are the applications accessing? And do they have a business need to access that information?

Another component within a WISP is accounting for hardcopy documentation or information that’s on the network shared drives. Again, ensuring that anyone who has access to confidential information has a business need for it and that hardcopy information is being maintained and secured on site and destroyed properly if needed. You also need to identify any external business partners that may be receiving this information, how they are receiving it and whether the information going out to other firms is encrypted. It’s about understanding the business processes, where the data lives, who has access to it and how it is being protected.

Another important aspect of the WISP is the technical safeguards a firm has in place. These include anti-virus, firewalls, internet monitoring and reporting, and intrusion detection systems, as well as technical procedures that restrict access to selected drives and monitor who has access to common area shared computers and Wi-Fi.

An additional aspect is creating a Security Incident Response Plan. This plan identifies the key individuals in the firm that are responsible for ensuring security policies and procedures are in place, that employees are educated on the administrative and technical safeguards, and that procedures are set and followed for managing a security incident. As part of the security response plan, a firm must identify who is responsible for overseeing any incidents that might occur, ensuring that the incident is controlled and remediated, and executing notification steps including when to inform regulatory agencies and clients.

HFM: How is Eze Castle Integration helping firms address the growing security threat landscape?
LS: With our clients, we go through each question of the questionnaire and provide information and guidance based on our knowledge of their technical and administrative safeguards. We also help clients identify potential security gaps and solutions. For example, if a client doesn’t have a WISP in place, we can help put that together, which will provide more granular detail about how things are implemented, how data is protected, how the firm is protected and any future steps for ensuring that the network is secure and the information within the firm stays in the right hands.

We help and guide our clients through that development and then, once the WISP is created, put together a plan to ensure the defined security policies are communicated and that employees are trained. A firm’s employees should know what to look for in terms of a potential security risk or breach, how to protect the firm’s data and the process for escalating security concerns. Once the plan and training are complete, Eze Castle Integration assists clients with plan maintenance to ensure that as the environment, technology and the business processes change, so does the WISP – given the changing risk landscape, it is essential that a firm’s security plan and safeguards accurately reflect what’s happening within the business.


START-UP CONCERNS

RICHARD MCDONALD, CO-FOUNDER OF LONDON-BASED HEDGE FUND IT SECURITY AND SERVICES COMPANY NETCONSULT, DISCUSSES THE NEED FOR SECURITY MANAGEMENT AND THE GROWING NUMBER OF CYBER-THREATS AFFECTING THE FINANCIAL INDUSTRY

IT SERVICES

Richard McDonald is co-founder and chief executive of outsourced IT services provider netConsult, which delivers managed services to alternative financial institutions. Richard has a broad range of qualifications, among them recognition as a Certified Information Systems Security Professional (CISSP) and a National Security Agency Information Systems Security (INFOSEC) Professional.

When a start-up hedge fund comes to us, we advise them that cyber-security is an essential and necessary part of their business model. However, many new companies can underestimate the need for such comprehensive systems and technologies. Cost can be a major concern for a start-up fund, as there can be a degree of hesitation about the level of expenditure from day one, while some funds question what tangible benefits they will receive from implementing such security systems. We explain how having well-managed systems and policies is just as important as the strategy and day-to-day operational procedures put in place for running the rest of the business. Currently there is a multitude of threats such as spear-phishing and corporate espionage, where attacks are not coming from individuals but from large criminal organisations who operate in a professional and corporate manner with a specific target audience. These groups are smart, well-funded and are often specifically focusing on individuals and companies within the financial industry.

Start-ups and smaller financial services companies are at a higher risk: the attackers envisage financial gain, and a small firm’s cyber-security protections may not be as advanced as those of larger companies. So it is not a question of ‘if’ but ‘when’ systems will be compromised. With these realities the question that must be asked is: how quickly can I learn that I have been attacked?

Security Information and Event Management (SIEM) reduces the time from attack to discovery. SIEM systems collect all events that come through from the critical core components in your network (this might be in excess of 100 million events per day), and from there filter and correlate these events to determine which is a real cyber-threat and which is not and, more importantly, which must be acted upon.

By ‘base-lining’ we are able to determine standard user behaviour across the network, such as individual logins into various corporate devices. Our event security intelligence allows us to act in very short time frames and determine, based upon such processes, whether an event is a high-risk cyber-threat to a business. Our technology effectively prunes down the masses of security event data to what is actually important and eliminates the excess information, allowing us to act fast and efficiently. Of our customers, we have near 100% adoption of our security technology. Some clients do say no, and a good example of this is a client who very recently was infected with Cryptolocker. Their views on security were previously lacking and, by declining to take our advice, all of their data was encrypted and rendered inaccessible. Fortunately, we were able to retrieve a historical copy of their data due to the other services we provided for them; however, this highlights the dangers that firms, regardless of their size, face.
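The filter, baseline and correlate stages described above, as an added example in Python. This is not netConsult’s product or code, and the log format, the user and host names, the thresholds and the “known bad” domain list are all constructed for illustration. It builds a per-user baseline of hosts from a historical window, then runs newer events through it, discarding what matches the baseline and raising only three kinds of alert: a first-ever logon to a host (higher severity outside business hours), a burst of failed logons, and an outbound connection to an address on an indicator list, which is the kind of ‘are we talking to a known attacker’ check the article returns to under spear-phishing.

```python
"""
Toy SIEM pipeline: filter, baseline and correlate security events.

Added example, not netConsult's technology or code. The log format, the
user/host names, the thresholds and the indicator list are constructed for
illustration; a real deployment feeds this from domain-controller, VPN and
proxy logs and keeps a baseline window of weeks, not two days.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified syslog-like format:
#   <ISO timestamp> <source> <event_type> key=value ...
BASELINE_LOG = """\
2014-06-02T08:55:10 dc01 logon user=alice host=WS-ALICE result=success
2014-06-02T09:01:44 dc01 logon user=bob host=WS-BOB result=success
2014-06-02T09:02:07 proxy outbound user=alice dst=bloomberg.com
2014-06-03T08:58:31 dc01 logon user=alice host=WS-ALICE result=success
2014-06-03T09:00:12 dc01 logon user=bob host=WS-BOB result=success
2014-06-03T09:00:12 dc01 logon user=bob host=TRADE-01 result=success
2014-06-03T09:12:45 proxy outbound user=bob dst=reuters.com
2014-06-03T14:20:00 dc01 logon user=alice host=WS-ALICE result=failure
"""

# Constructed "live" traffic: routine activity plus three anomalies.
LIVE_LOG = """\
2014-06-04T09:03:19 dc01 logon user=alice host=WS-ALICE result=success
2014-06-04T03:17:02 dc01 logon user=alice host=FILESRV-02 result=success
2014-06-04T03:17:40 proxy outbound user=alice dst=update-invoice-portal.example
2014-06-04T09:05:00 dc01 logon user=bob host=WS-BOB result=success
2014-06-04T09:05:01 dc01 logon user=bob host=WS-BOB result=failure
2014-06-04T09:05:02 dc01 logon user=bob host=WS-BOB result=failure
2014-06-04T09:05:03 dc01 logon user=bob host=WS-BOB result=failure
2014-06-04T09:05:04 dc01 logon user=bob host=WS-BOB result=failure
2014-06-04T09:05:05 dc01 logon user=bob host=WS-BOB result=failure
2014-06-04T09:06:10 proxy outbound user=bob dst=reuters.com
"""

# Constructed indicator list, standing in for a threat feed of phishing domains.
KNOWN_BAD_DOMAINS = {"update-invoice-portal.example"}

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 is treated as normal
FAILED_LOGON_THRESHOLD = 5      # failures per user per clock hour


def parse_events(text):
    """Filter stage: turn raw lines into dicts, silently dropping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        ev = {"ts": ts, "source": parts[1], "type": parts[2]}
        for kv in parts[3:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def build_baseline(events):
    """Baseline stage: which hosts has each user successfully logged on to before?"""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "logon" and ev.get("result") == "success":
            seen[ev["user"]].add(ev.get("host"))
    return seen


def correlate(events, baseline):
    """Correlate stage: return (severity, description) alerts; everything else is pruned."""
    alerts = []
    failures = defaultdict(int)  # (user, hour bucket) -> failed logon count
    for ev in events:
        user = ev.get("user", "?")
        if ev["type"] == "logon":
            if ev.get("result") == "failure":
                key = (user, ev["ts"].strftime("%Y-%m-%dT%H"))
                failures[key] += 1
                if failures[key] == FAILED_LOGON_THRESHOLD:   # alert once per burst
                    alerts.append(("medium", f"{user}: {FAILED_LOGON_THRESHOLD} failed logons in one hour"))
            elif ev.get("host") not in baseline.get(user, set()):
                # Never-before-seen host for this user; worse if outside business hours.
                sev = "high" if ev["ts"].hour not in BUSINESS_HOURS else "medium"
                alerts.append((sev, f"{user}: first logon to {ev.get('host')} at {ev['ts']:%H:%M}"))
        elif ev["type"] == "outbound" and ev.get("dst") in KNOWN_BAD_DOMAINS:
            alerts.append(("high", f"{user}: outbound connection to known-bad {ev['dst']}"))
    return alerts


def run():
    """Baseline on the historical window, then correlate the live window against it."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return correlate(parse_events(LIVE_LOG), baseline)


if __name__ == "__main__":
    for severity, message in run():
        print(f"[{severity.upper()}] {message}")
```

Run as a script and the three constructed anomalies print as alerts while the seven routine events are discarded. The design point is that the baseline, not a static rule, decides what is interesting: a logon to a file server is normal for one user and an alert for another. That also means the baseline window has to be long enough to cover legitimate variation, otherwise a new joiner’s first fortnight is nothing but noise.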

INDUSTRY THREATS

There are many potential methods hackers can use to compromise a business, and it is critical for companies to be aware of the dangers, as this provides the motivation to put in place the correct systems and processes to effectively manage these risks.

As mentioned above, Cryptolocker is a major threat. It is a ransomware attack and it can encrypt all your files and make them inaccessible. Criminal hackers then demand payment for these files to be decrypted. It is an increasingly popular attack, over 230,000 PCs have been infected globally by Cryptolocker, and there is no guarantee the files will be restored even after payment has been made. If infected, it is critical to identify the compromised systems as soon as possible and take action to prevent further damage. As the client example above shows, the practical recovery path is a clean historical copy of the data held out of reach of the infected systems.

Spear-phishing is a directed, personal email designed to get the recipient either to click on a link that downloads malware or to hand over information. These emails are well written, typically contain information of interest to the recipient and appear benign. Quickly identifying whether your company is communicating with a known attacker can prevent immense damage to your business.

Another major issue in the industry at present is the Advanced Persistent Threat (APT). These are just what they sound like: an attack that is both advanced and persistent. It does not simply install itself, attack and then leave; it is designed to extract information over a long period of time. It might be there for weeks or months before the hackers decide to compromise your entire network. These attacks are a particularly difficult threat to identify and eradicate, so you really have to approach an APT full on – there is no panacea, and you have to use all of the cyber-security weaponry to combat such a threat.

Defence-in-depth architecture, ‘denied unless explicitly permitted’ best-practice configuration, staff training and security awareness will only protect you so far. Cyber-security is challenging, and with the new SEC guidelines these challenges are now being recognised by the majority of established companies. There is an increasing awareness of the benefits of having top-down threat knowledge, but there are many firms who do not, so it is important to raise awareness levels across the industry. Ultimately, some things are just essential, and no matter whether you are running a start-up business or a $20bn fund, best-practice cyber-security is vital for everyone.


PEOPLE POWER

TECHNOLOGY ADVISORY FIRM RICHARD FLEISCHMAN & ASSOCIATES OUTLINES THE IMPORTANCE OF WORKFORCE AWARENESS AND THE NEED FOR EXPERT PERSONNEL WHEN TACKLING CYBER-SECURITY THREATS

SECURITY SERVICES

Yohan Kim has been with the RFA team since 2005. As COO, he ensures that the vision of the firm is supported with a proper foundation of controls and strategy. Kim is also responsible for overseeing support services, business development, marketing, software development, logistics and purchasing departments.

Michael Asher joined Richard Fleischman & Associates in 2005. As chief information officer, he is instrumental to the strategic direction of the firm and development of IT policies for the firm and clients. Asher designs and oversees implementation of information standards and processes for managed services product offerings, including the RFA cloud platform, business continuity and disaster recovery services.

Grigoriy Milis is CTO. A 16-year IT veteran with more than 13 years of experience working in the financial industry, he is responsible for managing all aspects of infrastructure design and leads the R&D team in the evaluation and testing of new technologies. Milis also manages the systems architecture team that handles high-level escalations from all technical departments.

HFMWeek (HFM): How important is it for employees to have an understanding of the range of cyber-threats that their business is susceptible to?
Grigoriy Milis (GM): Making sure employees are aware of cyber-threats is crucial. In analysing the largest security breaches that have occurred over the course of the last year, the majority of those breaches are due to human error of some kind. Security technology is only one part of the solution.

Yohan Kim (YK): Previously, due diligence focused on the technology that financial firms were implementing to secure their networks. In the latest version of the SEC’s regulations, however, there is more concern about the policies and training that firms have adopted. It’s important to reinforce processes and procedures that have been implemented and educate staff on the appropriate preventative measures. Training and policy implementation make up a large part of the latest SEC cyber-security initiative.

HFM: How should firms set up their internal security structures?
Michael Asher (MA): Historically, the issue of internal security has not been of major significance in the hedge fund community. Resources were not properly allocated and there was no internal team dedicated to cyber-security tasks. Today, we see that firms are beginning to realise the importance of external and internal security.

Many firms rely on third-party consultants and experts who have a breadth and depth of industry experience documenting security policy and training. These firms understand best practices with regard to compiling security policies and can implement comprehensive staff training programmes to support these policies.

YK: When we look at the financial sector and hedge funds, the majority are not large entities that can dedicate a person to oversee their security. At many medium and smaller-sized funds, we often see a hybrid solution where a chief technology officer and a compliance officer will share responsibilities.

GM: Compliance has to be a big part of any company’s cyber-security procedures. When we discuss cyber-security, the conversation isn’t limited to external threats or intrusions. We need to think about potential internal threats as well. A compliance team can play a very important role in helping to deal with potential internal threats or data loss. The compliance process, especially in the financial industry, is increasingly concerned with the propensity for internal attacks.

If you break down the cyber-security mechanisms that companies typically have in place, the technology implementation falls under the IT department’s umbrella. However, the IT department is not in a position to identify what data has to be protected. They need guidance regarding the specifics of the data they are protecting and that is where a compliance department comes into the picture. By definition, the compliance team will have knowledge of every company department along with an understanding of what confidential or sensitive data the business possesses. Companies that have the capacity for a compliance unit can often create a good partnership with the IT department to define the policies and procedures the company needs to implement.

Also, since the compliance team deals with the governance of various communication operations within the company, they already possess certain tools that allow them to monitor employee behaviour. These tools can often be transferred to assist with security solutions.

Together with the IT department, the compliance team can play a vital role not just in writing security policies, but also by participating in the day-to-day monitoring of procedures to make sure they are followed.

HFM: Do companies overlook the importance of human factors in their cyber-security programmes?
MA: Absolutely. For many firms, there needs to be a balance between the ability to allow your users to have freedom while at the same time implementing technology and policies that will monitor their activity and limit user exposure to potential malware and phishing attempts.

Although such security policies and technologies are becoming more common and standardised across the industry, we sometimes see a pushback from firms that value employee independence. It is important to work with these firms on creating the right mix of access to data and resources while preventing security breaches.

GM: The hedge fund industry is not what it used to be five or six years ago. The industry would often reject any policies or procedures related to security but we have seen a steady change in this attitude over time.

Virtually everyone in the industry has become aware of what a security breach can do to their company. Firms are starting to operate on an enterprise level, realising that they could lose their competitive edge if they lose company data.

HFM: How important are the new SEC guidelines in improving company and employee awareness?
YK: The purpose behind the SEC’s cyber-security initiative is to raise the level of awareness to a point where the majority of funds are mindful of the importance of these guidelines and will implement the required security precautions, both from a technology and a procedure perspective.

I would say there are three goals in security management: confidentiality of information, integrity of information and availability of resources. If a firm is operating in the digital world, security management is required in order to achieve these three objectives.

MA: As we see with any other type of training or procedural change, there has to be an ongoing cycle of improvement. If a security policy is created simply to satisfy a checkmark on a compliance manual, the internal attitude towards such policies will be that they are not important, thereby greatly diminishing their effectiveness. Security management has to be a thoughtful, ongoing process that involves everyone. When we analyse the most common types of breaches, the targets are frequently low-level employees with minimal training who can unwittingly facilitate an attack by clicking on a link or answering the phone and revealing confidential information. Security management has to cover everyone from interns to administrative staff to top-level employees.

GM: I think that the SEC guidelines are very helpful in encouraging companies to address their lack of security knowledge and understanding. Since the SEC has compiled cyber-security best practices covering aspects from technological to procedural, the industry has become much more supportive of reform as well as increasingly aware of what guidelines they need to implement.

Financial services professionals are starting to realise that cyber-security is a continuous war between the data owners and those who want to gain illicit access to that data. No matter how technology develops, there will always be counter-technology created. Employees need to be educated so they can be the first line of defence.


Cyber-security is facing an identity crisis. It’s got all the media att ention but is anyone lis-tening? Has the issue of cyber-security be-come desensitised? Th e fables of “Th e Boy Who Cried Wolf ” and “Chicken Litt le” come to mind – unfortunately to the detriment of

your systems and networks.Media att ention on the actions of both the SEC and the

Department of Homeland Security should have sparked immediate concern amongst the alternate investment community. Just a quick reminder of what happened: When a security issue was uncovered with Microsoft ’s In-ternet Explorer browser, the US-CERT (or United States Computer Emergency Readiness Team) issued a warning and recommended immediate att ention to the situation and the use of a diff erent browser. Secondly, the SEC recently announced that it would be auditing fi rms’ IT security practices. Most recently, a major operation led by the FBI and involving the NCA (UK National Crime Agency) has uncovered a planned “cyber-att ack” by a cy-ber-gang which infected 250,000 computers worldwide with malware; and then there is Heartbleed. Th e list goes on and on.

It is known that anti-virus vendors tirelessly endeav-our to keep up with the ever-increasing amount of viruses and malware that are released daily. Companies employ IT staff or have an IT consulting company look aft er their systems including security. With all this att ention to se-curity, you should sleep well at night – right?

Some might call the media att ention scaremongering. Some companies have used it as a call to arms and others have used it as an opportunity to sell, sell, sell new prod-ucts and services. We at Matsco Solutions think it’s time for companies to take inventory of what cyber-security defences they do or do not have, to educate their staff and make some changes if they are needed.

Here is some food for thought:What do most people do when they receive junk mail

at home? Th ey throw it right away without reading it – that’s the majority view on the topic – but does every-one? If that was the case junk mail would have become extinct. Instead it’s been replaced by email SPAM a far quicker, cheaper and easier way to distribute junk mail. If the same theory applies to email SPAM we just applied to junk mail, why the concern?

Here’s why: staff who are not fully educated might assume that the company is fully protected against all of these malicious viruses. Aft er all it’s their work email – what’s the harm in opening the email? Do they really

believe they can inherit $1m from a stranger in a faraway land? Th ey must realise that they have a bett er chance of winning the lott ery – right? Unfortunately the emails that staff open are not as overtly suspect as my example but they are opened nevertheless.

Don’t forget if you do not have a company policy or process in place regarding the use of personal email ac-counts, your staff might be using personal email accounts on their work computers. It doesn’t have to be a work email account that causes you or your staff to download a virus or malware. It simply takes someone to open their personal email account and click on a suspect email or a suspect link in an email.

What about websites your staff browse all day long while they are looking up information, carrying out re-search, etc.? Unfortunately there are many websites out there that are a “wolf in sheep’s clothing”. It could be ei-ther a new website that you browse or even a website you have visited many times in the past that has a small bit of code att ached to it that covertly installs malware or vi-ruses on your computer.

While it would be great to think that all systems de-ployed to protect you from viruses, malware, etc. are pre-dictive (they can predict if and when a new type of virus

or malware is going to be released). Th e reality is that it’s somewhat reactive. Your computer is protected until a hacker or cyber-criminal develops a new virus or mal-ware code and slips it into a seemingly legitimate email to you or places it on a website. You then open the email or browse the website and all of a sudden your computer displays a message. Maybe it’s more sinister and there is a program installed on your computer or offi ce network

IT IS KNOWN THAT ANTI-VIRUS VENDORS TIRELESSLY ENDEAVOUR TO KEEP UP WITH THE EVER-INCREASING AMOUNT OF VIRUSES AND MALWARE

THAT ARE RELEASED DAILY

JIM SERPI OUTLINES WHAT COMPANIES NEED TO BE AWARE OF AND DISCUSSES THE ‘IDENTITY CRISIS’ FACED BY CYBER-SECURITY

IS CYBER-SECURITY FACING AN IDENTITY CRISIS?

Jim Serpi is the director of global operations and an owner of Matsco Solutions. He has over 25 years of experience providing technology solutions to financial services companies.

S E C U R I T Y S E R V I C E S

H F M W E E K . CO M 23

that gives someone access to you or your company’s infor-mation… damage done. A clean-up effort begins but if the clean-up is unsuccessful, your IT team will then speak to your cyber-security vendors. In this case the vendor advises that this is a new virus and they will need to develop a fix. Until the fix is released by the vendor, your IT team will need to rebuild your com-puter rather than just repair it. Unfortunately this is the reactive component of virus defence.

There are many other angles of cyber-security. It’s about your computers, the USB drives that you may or may not allow your staff to use, the wire-less networks in your office that might be open for anyone to use, your company website, the laptops that access your network that your staff members’ children might use, the servers that you save files to, and lastly the switches and firewalls, etc. All of these need protecting and have vulnerabilities.

Is there a straight answer to fight cyber-attacks? • Increase your security defences?• Resign yourself to the fact that a security

breach is going to happen and work on how to re-cover from a breach?

• Restrict computer/user access so much that your staff do not have the ability to do their jobs?

• Maybe it’s a little bit of all of the above and a heavy dose of education. An ounce of prevention is worth a pound of cure.

To sum it up, follow best practices that your IT team recommend. As the SEC and most governments recom-

mend, review the systems you use, implement policies, work with your staff to understand risks, work with your service provider or IT staff to ensure that they have processes and procedures in place to deal with a security breach should it happen. Ensure your computers, servers and network are regularly patched and additionally patched when notices come out regarding poten-tial risks.

Most of all, educate, educate and re-educate your staff on risks and best practices. Don’t underestimate the human aspect of cyber-security. Cyber-criminals take advantage of this. As we implement new cyber-defences, cyber-criminals and hackers are changing and adapting their attacks to get around the new defences. The one constant is that they focus on the human factor. People will open junk mail, people are always curious to see what’s inside the envelope and people over time will let down their guard.

Do not take the ‘not me’ approach and think “I am too small for someone to target me”. Not true – look at the math on the case where 250,000 computers were affected with malware. If cyber-criminals are able to steal $10 from each of them – they have taken home $2.5m. Not bad for a day’s work…


SUBSCRIBE TO www.hfmweek.com

THE BEST READ IN THE HEDGE FUND INDUSTRY

EVERY WEEK YOU WILL RECEIVE: more exclusive stories than any other hedge fund publication; all the latest searches and investment news; exclusive data on launches and performance; investment strategy analysis; topical comment from leading industry figures; exclusive research surveys; regulatory developments; people on the move.

As a subscriber, you will also receive full registration to www.hfmweek.com, where you can access: daily updated performance data, exclusive research, daily news alerts, industry events information, service directory listings and much more...

FOR MORE INFORMATION PLEASE CONTACT Richard Freckleton at +44 (0)207 832 6593 OR email r. f [email protected] OR VISIT HFMWEEK.COM FOR DETAILS

[Subscription advert artwork: front covers of HFMWeek issues 339 (15 May 2014), 340 (22 May 2014), 341 (5 June 2014) and 342 (12 June 2014); the cover headline text is not reproduced here.]


Benjamin Franklin said: “In this world nothing can be said to be certain, except death and taxes.” Nowadays, maybe taxes can be avoided, but cyber-breaches are the new inevitability.

Like it or not, cyber-security has become critically important to organisations globally, none more so than companies operating in the financial services sector. This article explores the issues surrounding cyber-born attacks, specifically in relation to fund managers, mutual funds and hedge funds.

In April, the SEC issued a risk alert outlining its plans to examine US financial firms’ cyber-security preparedness. The announcement came hot on the heels of the US Financial Industry Regulatory Authority’s (Finra) assessment of firms’ approaches to managing cyber-security threats. In the UK, meanwhile, the coalition government brought together regulators from various sectors along with ministers and senior officials from security and intelligence agencies to discuss how best to address cyber-threats to the country’s essential services.

It is not only institutional compliance that funds need to be concerned about. Prospective investor due diligence questions are also increasingly reflecting the universal concerns surrounding cyber-stability. There are lots of hedge funds all vying for business, and so security has to be seen as a key business enabler rather than an overhead.

DEATH & BREACHES

GRAHAM MANN, OF IT SECURITY SPECIALISTS ENCODE, TELLS HFMWEEK HOW BUSINESSES MUST SWITCH ON TO THE THREAT OF CYBER-ATTACKS, AND GIVES AN INSIDE TRACK ON THE COMPANY’S INNOVATIVE ANTI-HACKER SOFTWARE

Graham Mann: In 2012, Graham Mann was appointed managing director of ENCODE UK Ltd and Group CMO. Prior to that, he worked on numerous security projects throughout the UK on behalf of ENCODE S.A. as MD of ENCODE’s UK partner, Managed Security Services Ltd.

Hedge funds have become synonymous with risk, but the cyber-risk currently facing almost all but the smallest organisations is very different. At the heart of any hedge fund is its intellectual property (IP), which if lost or compromised would be hugely financially damaging. Financial institutions are always a target for fraudsters, but in the case of hedge funds and other asset managers the drivers behind cyber-attacks are many and varied, for example:

• Investment, trading, portfolio and risk management models
• Investment strategies and processes
• Portfolio positions
• Business plans
• Market forecasts
• Investor details.

The operational, regulatory and reputational implications of losing any of this intellectual property are liable to be considerable and potentially catastrophic. Yet despite this, a significant number of hedge funds are unaware of their susceptibility to attack. This is probably because, in most cases, cyber-attacks remain undetected.

For this very reason, ENCODE offers a “simulated” cyber-attack that accurately replicates an actual attack, providing all the insights but obviously without the dire implications. ENCODE calls these simulated cyber-attacks Extrusion Testing™, and has undertaken more than 150 such attacks worldwide on behalf of clients over a period of eight years. Half of all the Extrusion Tests carried out by ENCODE have been for financial services companies. The experience gained in performing such attacks has enabled ENCODE to develop a ground-breaking platform that provides a means of identification and defence against real cyber-attacks.

What isn’t commonly understood is just how easy it is to break into an organisation’s network without being detected. By using simple ‘spear phishing’ techniques, it takes ENCODE minutes to dupe unsuspecting employees into opening the door to their organisation’s network. Preparation for the attack starts with surveying the internet for information relating to the target organisation, a technique widely employed by hackers. This exercise provides the attacker with an understanding of the organisation’s position on the internet via a variety of sources: Facebook, LinkedIn and many other social media community sites. The attacker now has access to personal details of your employees, their email addresses, their likes/dislikes, their friends and much more.

With this information, hackers can target specific individuals and create a ‘spear phishing’ or personalised email account designed to encourage them to click on attachments or visit purpose-built websites. The aim of the attacker is simple: they just need one person to take the bait and then they have their trojan in place on the organisation’s network. Pinpoint targeting of their victim ensures 100% certainty of success. Once the trojan, or remote access tool as it is also known, is safely installed, the attacker will consolidate their foothold.
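As an added illustration of the spear-phishing indicators described above (this is example code written for this page, not ENCODE’s platform or anything from the original article), the following Python script inspects a raw email for the signals a mail gateway or analyst can check before a user ever sees the message: a sender domain that is a near-match for the organisation’s own, a Reply-To that diverges from the sender, link text showing one domain while the href points to another, and macro-enabled or executable attachments. The internal domain `example-fund.com`, the similarity threshold, the risky-extension list and both sample messages are constructed assumptions.

```python
"""
Added example (not ENCODE's code): flag common spear-phishing indicators in a
raw RFC 5322 message. The internal domain, the risky-extension list, the
similarity threshold and both sample messages are constructed for illustration.
"""
import difflib
import email
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-fund.com"   # assumed organisation domain
LOOKALIKE_RATIO = 0.85                 # similarity that counts as a lookalike
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}

# <a href="...">text</a> pairs, and the first domain mentioned in visible text.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"https?://([^/\s<>\"']+)", re.I)


def build_sample(suspicious):
    """Construct a sample message; the suspicious variant carries four indicators."""
    msg = EmailMessage()
    msg["To"] = "analyst@example-fund.com"
    msg["Subject"] = "Updated portfolio positions"
    if suspicious:
        msg["From"] = '"Finance Director" <fd@examp1e-fund.com>'   # digit 1 for letter l
        msg["Reply-To"] = "fd@mail-relay-example.net"
        link = '<a href="http://portal-example.net/login">https://portal.example-fund.com</a>'
        attachment = ("Positions_Q2.docm", "vnd.ms-word.document.macroEnabled.12")
    else:
        msg["From"] = '"Finance Director" <fd@example-fund.com>'
        link = ('<a href="https://portal.example-fund.com/login">'
                'https://portal.example-fund.com/login</a>')
        attachment = ("Positions_Q2.pdf", "pdf")
    msg.add_alternative(f"<p>Please review the positions at {link}</p>", subtype="html")
    msg.add_attachment(b"placeholder-bytes", maintype="application",
                       subtype=attachment[1], filename=attachment[0])
    return msg.as_string()


def analyse(raw):
    """Return a list of human-readable indicators found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain that is almost, but not quite, our own.
    from_domain = msg["From"].addresses[0].domain.lower()
    if from_domain != INTERNAL_DOMAIN:
        similarity = difflib.SequenceMatcher(None, from_domain, INTERNAL_DOMAIN).ratio()
        if similarity >= LOOKALIKE_RATIO:
            findings.append(f"sender domain {from_domain} looks like {INTERNAL_DOMAIN}")

    # 2. Replies silently routed to a different domain than the visible sender.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses[0].domain.lower() != from_domain:
        findings.append(f"Reply-To domain {reply_to.addresses[0].domain} differs from sender")

    # 3. Visible link text naming one host while the href goes elsewhere.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        for href, text in HREF_RE.findall(html_part.get_content()):
            shown = DOMAIN_RE.search(text)
            target = urlparse(href).netloc.lower()
            if shown and shown.group(1).lower() != target:
                findings.append(f"link text shows {shown.group(1)} but points to {target}")

    # 4. Attachment types that carry executable content.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", build_sample(True)), ("clean", build_sample(False))):
        print(label, analyse(raw))
```

Any one of these indicators on its own is weak; the value is in scoring them together and routing anything with two or more hits to quarantine or a second pair of eyes, which is exactly the human step the article says attackers rely on skipping.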

Typically, this “foothold” stage includes the capability to link up with the attacker’s command and control servers. This link will relay files to the attacker’s computer, execute programs and commands and, more importantly, exfiltrate (export) data. Tools providing this type of functionality are now available to purchase on the internet (if you know where to look), so it’s not difficult for almost anyone to mount such attacks.

Once established on the target network, the attacker will eventually escalate their level of privileges and start moving laterally around, searching for items of data to exfiltrate. Attackers steer clear of known vulnerabilities during this process to avoid the potential of setting off alarms. Networks are now so complicated that policies/alarms are too often ignored, making it a very simple process to move around the network unseen. Providing the attacker sticks to activities consistent with legitimate network traffic, the chances of detection are extremely low. At this point, they can take their time to acquire whatever information they desire; in our experience, detection is by a third party like ENCODE, and typically organisations have been compromised for many months or even years.

In all of the simulated cyber-attacks undertaken by ENCODE, such parties have never once been detected and are always able to exfiltrate significant data. In less than two weeks, and in over 70% of the Extrusion Tests, ENCODE is able to take full control of the client’s network (called domain administration).

The cyber-threat is very real, yet because it’s generally unseen, and therefore undetected, companies wrongly assume that they aren’t/haven’t been the subject of an attack. There are few external indications of attack: computer systems continue to function as normal, security sensors rarely detect nefarious activity and digital assets are still intact, or seem to be. Unlike the real world, assets in cyberland can be taken without any tangible sign.

The only way to determine whether your security infrastructure is capable of detecting such attacks is to test it. We can state with almost complete certainty that the security products currently on the market will not detect the type of simulated attack articulated above. Post Extrusion Test, a detailed report is provided showing how the attack was perpetrated, what data was exfiltrated and the method used to remove it. This enables ENCODE’s clients to implement the recommended changes to their processes, procedures and policies but, more importantly, to improve the visibility of such attacks (security sensors will need to be installed and configured). Typically, the client’s network will require significant architectural changes. Once the changes have been made and new security sensors installed, ENCODE’s cyber-attack detection and management platform can be installed, providing both visibility and defence against cyber-attacks. The platform can be implemented on location or as a managed service.
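An added example (not ENCODE’s product, and not code from the article) of the kind of visibility the preceding paragraphs argue for: two checks over egress-proxy records that surface what the article calls the command-and-control link and the exfiltration of data, even when each connection on its own looks like ordinary HTTPS. The first flags a workstation that contacts the same external host at near-fixed intervals; the second flags a source/destination pair that has sent far more than it received. The log format, the hosts and the thresholds are constructed assumptions.

```python
"""
Added example (not ENCODE's platform): surface beaconing and bulk outbound
transfers in egress-proxy records. Log format, hosts and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: timestamp, source, destination, port, bytes out, bytes in.
# 10.1.2.34 checks in with one host every ~5 minutes (a C2 beacon pattern);
# 10.1.2.40 browses normally; 10.1.2.50 pushes about 60 MB to one host.
SAMPLE_LOG = """\
2014-05-12T09:00:00 src=10.1.2.34 dst=203.0.113.10 dport=443 out=180 in=240
2014-05-12T09:01:10 src=10.1.2.40 dst=198.51.100.20 dport=443 out=800 in=120000
2014-05-12T09:01:55 src=10.1.2.40 dst=198.51.100.20 dport=443 out=700 in=95000
2014-05-12T09:05:00 src=10.1.2.34 dst=203.0.113.10 dport=443 out=180 in=240
2014-05-12T09:10:02 src=10.1.2.34 dst=203.0.113.10 dport=443 out=180 in=240
2014-05-12T09:11:55 src=10.1.2.40 dst=198.51.100.20 dport=443 out=800 in=130000
2014-05-12T09:12:07 src=10.1.2.40 dst=198.51.100.20 dport=443 out=650 in=88000
2014-05-12T09:15:01 src=10.1.2.34 dst=203.0.113.10 dport=443 out=180 in=240
2014-05-12T09:20:02 src=10.1.2.34 dst=203.0.113.10 dport=443 out=180 in=240
2014-05-12T09:25:02 src=10.1.2.34 dst=203.0.113.10 dport=443 out=180 in=240
2014-05-12T10:02:07 src=10.1.2.40 dst=198.51.100.20 dport=443 out=900 in=140000
2014-05-12T10:30:00 src=10.1.2.40 dst=203.0.113.77 dport=443 out=500 in=40000
2014-05-12T12:30:00 src=10.1.2.50 dst=198.51.100.7 dport=443 out=20000000 in=900
2014-05-12T12:41:00 src=10.1.2.50 dst=198.51.100.7 dport=443 out=15000000 in=1100
2014-05-12T12:55:00 src=10.1.2.50 dst=198.51.100.7 dport=443 out=25000000 in=1000
"""

MIN_CONNECTIONS = 5        # fewer than this and no beacon judgement is made
MAX_JITTER = 0.10          # std-dev / mean of the gaps between connections
EXFIL_MIN_OUT = 10_000_000 # bytes sent before a flow is even considered
EXFIL_RATIO = 10           # out:in byte ratio typical of uploads, not browsing


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "src": rec["src"],
            "dst": rec["dst"], "out": int(rec["out"]), "in": int(rec["in"])}


def detect(log_text):
    """Group connections per (src, dst) pair and apply both checks."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            flows[(r["src"], r["dst"])].append(r)

    beacons, exfiltration = [], []
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])

        # Beacon check: many connections whose spacing barely varies.
        if len(recs) >= MIN_CONNECTIONS:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
                beacons.append(key)

        # Exfiltration check: large, heavily outbound byte volume.
        sent = sum(r["out"] for r in recs)
        received = sum(r["in"] for r in recs)
        if sent >= EXFIL_MIN_OUT and sent >= EXFIL_RATIO * max(received, 1):
            exfiltration.append(key)

    return {"beacons": sorted(beacons), "exfiltration": sorted(exfiltration)}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    print("beacon candidates:", result["beacons"])
    print("exfiltration candidates:", result["exfiltration"])
```

Both checks depend on having the sensor data in the first place: without per-connection byte counts and timestamps at the egress point there is nothing to compute over, which is the practical meaning of the article’s point that sensors must be installed and configured before any platform can provide visibility. The thresholds here are deliberately crude; a real deployment would baseline each workstation against its own history.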

Undertaking a rigorous test like ENCODE’s Extrusion Test is vital in determining where you are vulnerable. From this point you can then determine whether existing insurance policies will cover the threats identified or whether separate cyber coverage is needed.

Recent studies have shown how cyber-attacks are perpetrated, and have highlighted significant gaps in the defences that most organisations deploy. Firewalls, anti-virus, intrusion detection/prevention systems, etc., are of no use when faced with a persistent, targeted cyber-attack that uses employees as the method of entry. It requires a whole different approach, something that most organisations need to realise and embrace.


Enterprise Business Technology That Provides Guaranteed Security, Resilience & Uptime.

Speak to netConsult on 020 7100 3310

Established in 2002, netConsult is an award-winning provider of managed IT services to the global alternative investment industry.

We aim to provide a high level of technical expertise to our clients combined with a dedication to customer service. Our ethos is based upon designing secure IT platforms which are manageable over the long term.

We are a trusted technology provider to a large portfolio of clients ranging from small start-ups to large global funds. netConsult provides a bespoke service to its clients and provides a full suite of IT services including Cloud Services, Outsourced IT, BCP, Virtual CTO and IT Security. For more information visit www.netconsult.co.uk

IT Security & Business Continuity // High Availability Cloud Platform // 24x7x365 Support

Central London Head Office: Level 3, 75 Wells Street, London, W1T 3QH. Tel: 020 7100 3310. www.netconsult.co.uk

© 2014 EYGM Limited. All Rights Reserved. ED None.

If you want to be a leader, work with one.

For more than 25 years, EY has been recognized as a leader in helping hedge funds succeed. Our professionals’ extensive experience, knowledge and commitment to client service gain us

publications in the business, including:

• “Top Global Accounting Firm” — Institutional Investor’s Alpha 2014 Alpha Award

• “Best Global Accounting Firm” — Hedge Funds Review 2013, 2012, 2011

• “Best Accounting Firm” — HFM Week 2013, 2012, 2011, 2010, 2009

Find out more at ey.com/wealthassetmgmt.