Agio understands that every hedge fund client of ours is different, and all have unique operational needs when it comes to securing their most critical and sensitive systems and data. We’ve learned that many hedge funds believe they have a firm understanding of their sensitive data types, where that data resides inside and outside of the firm, what internal and external parties have access to it, and how that access is provisioned, monitored, and secured, but few firms actually do.
Securing the funds’ sensitive systems and data extends well beyond SEC compliance. Gaining an understanding of the fund’s critical and sensitive data types is key to understanding the firm’s cybersecurity risk exposure. Here are some of the most common sensitive data types Agio encounters at our hedge fund clients.
Personally Identifiable Information (PII)
Regardless of operational type, every hedge fund has PII. Agio’s hedge fund clients nearly always identify client or investor data as a sensitive data type. The breach in investor trust and the reputational damage that results from a breach of investor or client data is obvious and easy to understand. Many hedge funds, however, fail to recognize their PII exposure extends beyond just client or investor data.
Employee PII is a high-value target for cybercriminals and can be just as damaging to the firm should it be breached. A breach of employee records containing seemingly innocuous information—full name, home and email addresses, and username—can potentially cause the firm to run afoul of various privacy laws, such as GDPR, NY SHIELD, and various other state and international privacy laws. Add in other sensitive employee data, such as Social Security numbers, driver’s license numbers, passports, credit card or bank account numbers, biometric identifiers, etc. and the potential breach impact, regulatory exposure, and associated recovery costs increase significantly.
In some less common circumstances, the fund may have additional compliance or regulatory exposure. For example, firms that self-insure for employee medical coverage may (knowingly or unknowingly) be handling electronic protected health information (ePHI)—a sensitive data type whose protection is governed by the Health Insurance Portability and Accountability Act (HIPAA).
Publicly Available Enumerative Information
In the context of cybersecurity, enumerative information is information an attacker can use to craft an exploit against a given target. Most commonly, this takes the form of usernames, passwords, IP addresses, email address formats, hostnames, system and software version information, etc. Cybercriminals use this information to craft attacks against the firm’s internal and public-facing systems.
Do you know if your firm’s users have usernames and/or passwords publicly available in breach databases? Do you know if those users have changed their access credentials since that breach? Do you know all of the systems (internal and external) on which those users are leveraging those same breached credentials? Does your firm have other publicly exposed critical enumerative system information?
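One practical control behind the first two questions is to screen passwords against a breach corpus at the moment they are set, without ever sending the password (or its full hash) off-site. The following is an added example, not code from the original post or from Agio: it implements the k-anonymity range-lookup pattern (only the first five hex characters of the SHA-1 hash leave the caller; the full hash is matched locally against the returned suffixes) over a small constructed breach dataset, so it runs offline. The sample passwords, counts and the `local_range_lookup` stand-in are constructed for illustration.

```python
import hashlib
from typing import Callable, Dict, List

def _sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash form breach corpora typically index)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample breach corpus: password -> number of times seen in breaches.
# These values are made up for this example.
_SAMPLE_BREACHED: Dict[str, int] = {"Password123": 12345, "Summer2020!": 42}

def build_constructed_ranges(breached: Dict[str, int]) -> Dict[str, str]:
    """Group entries by 5-char SHA-1 prefix, mimicking a range-lookup response
    ("<35-char suffix>:<count>" per line)."""
    grouped: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        digest = _sha1_upper(pw)
        grouped.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}

CONSTRUCTED_RANGES = build_constructed_ranges(_SAMPLE_BREACHED)

def local_range_lookup(prefix: str) -> str:
    """Offline stand-in for the network range query; returns '' when nothing matches."""
    return CONSTRUCTED_RANGES.get(prefix, "")

def breach_count(password: str,
                 range_lookup: Callable[[str], str] = local_range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 if absent).

    Only the 5-character prefix is sent to the lookup; the remaining 35 hex
    characters are compared locally, so the caller never reveals which hash
    it was interested in.
    """
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix and count.isdigit():
            return int(count)  # count 0 can appear as padding and means "not found"
    return 0

def is_acceptable(password: str, max_breach_count: int = 0) -> bool:
    """Policy hook: reject any password seen in breaches more than the allowed count."""
    return breach_count(password) <= max_breach_count
```

Wire `is_acceptable` into the password-change path and log rejections so that users still reusing credentials that appear in breach data are surfaced for follow-up.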
For many of our hedge fund clients, enumerative information also takes the form of website listings of executives and key employees, including photographs and email addresses. This information, along with social media and other publicly available data, is leveraged by cybercriminals to craft targeted social engineering attacks against the firm’s users. Targeted social engineering attacks are most often spear-phishing emails—phishing emails custom crafted to be particularly appealing to the target(s). Owners, Principals, C-levels, IT Personnel, Executive Assistants, and individuals with titles that imply that they may be a party to the funds transfer process are the most common targets of these targeted social engineering attacks at our hedge fund clients.
Does the firm currently publish such enumerative information about its principals, executives, and key staff members? Do your firm’s users understand what data is publicly available about them, how that data is used to craft targeted social engineering attacks against them, and the risk exposure that creates for the firm? Are the firm’s users trained to reliably identify targeted social engineering attacks against them?
Trading Book/Position Data
The sensitivity of a firm’s trading book or position data depends heavily on how the firm operates. For certain firms, a breach of position data could result in significant operational fallout, including competitive disadvantage. For others, the sensitivity stems more from the reputational damage that follows a breach. For some firms, such as activist managers, a breach of this nature may carry significant additional risk. The extent to which various aspects of the trading lifecycle are outsourced also factors into the fund’s exposure. In all circumstances, a breach of this type has the potential to erode investor trust.
Does your firm understand how its position data is currently protected, internally and by third parties? Has the firm completed adequate cybersecurity due diligence on third parties with access to such data? Does the firm, and third parties with access to position data, understand and agree on responsibilities associated with a data breach? Are those responsibilities adequately defined in vendor contracts?
Trading Strategies and Algorithms
Of particular concern for Agio’s high-frequency and quantitative hedge fund clients, a breach of a firm’s trading strategy or algorithms, or a degradation in the availability or integrity of the data feeding it, would cause significant operational damage. Additionally, the reputational damage and breach of investor trust that would result from a breach of this nature would be significant for most hedge funds.
Do you know all the places where the firm’s trading strategies or algorithms reside inside and outside of the firm? Does the firm know everyone who has access to that data? How is that data currently protected? Is it encrypted? Is it properly backed up? Have the backup systems and restoration processes been adequately tested? Would the firm get an alert if that data was accessed, modified, or deleted in an unauthorized fashion? Has the firm recently tested its monitoring and alerting capabilities and its incident response workflows?
These are just a few examples of the many types of sensitive and critical data Agio identifies at our hedge fund clients. The exact nature and sensitivity of the data, and the systems that store, process, and transmit it, are unique at every one of our clients. If you don’t know the answer to some of the questions I’ve mentioned, you’re not alone. Identifying all of your firm’s sensitive and critical data, where it resides inside and outside of the firm, who has access to it, and how it’s accessed, monitored, and secured isn’t an easy task. Agio can help.