Industry experts are warning of an increase in cyber attacks on hedge funds in the wake of a major data breach recently reported by CNBC and verified by the cyber security firm BAE Systems Applied Intelligence. Hackers attacked a large hedge fund in late 2013, resulting in a significant security breach that passed information about trades to the hackers and disrupted the firm’s trading system, according to the recent CNBC report. BAE Systems, which investigated the breach for the hedge fund, has declined to comment on its client’s identity. The company did, however, tell CNBC that the attack cost the fund millions of dollars and suggested that it shows hackers are using increasingly sophisticated measures to wage cyber warfare against financial institutions. The breach occurred after hedge fund employees opened an e-mail that installed malware on their computers. The program delayed the execution of trades by milliseconds and sent some trade details to outside sources. The amount of profits earned by the hackers in this breach is unknown.
In recent months, the government has made cyber security a priority and has strongly encouraged companies to join forces with enforcement agencies in order to better address cyber threats. The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations went so far as to announce it would conduct examinations of more than 50 registered broker dealers and registered investment advisers, and would focus on areas related to cyber security, according to an April 2014 report from the agency. The agency stated that its goal was to help “empower compliance professionals” with tools they can use to assess their respective firms’ cyber security preparedness.
Likewise, in April 2014, the Federal Bureau of Investigation told the House Homeland Security Committee’s Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies that the agency was making cyber security a top priority. In February 2014, the Commerce Department’s National Institute of Standards and Technology (“NIST”) released a set of voluntary, risk-based industry standards and best practices aimed at helping private financial, health care, energy, and other companies manage cyber security risks, pursuant to Executive Order 13636 issued by President Barack Obama. The report—Framework for Improving Critical Infrastructure Cybersecurity—was a collaborative effort between the government and the private sector and recommends a wide range of best practices targeted toward reducing and better managing cyber security risks. Experts generally agree, however, that cyber attacks against financial institutions are rarely reported to the Securities and Exchange Commission or the Federal Bureau of Investigation, largely due to concerns related to any potential investigation or bad press.
TIP: Hedge funds and other financial institutions should be prepared for hacking attempts. Companies can assess their own preparedness using the NIST framework or an SEC form designed to evaluate cyber security risk, and should proactively establish procedures to deal with the myriad reporting, notice, and other obligations that may arise in the wake of a data breach.