Information security is a growing concern that impacts almost every aspect of our daily lives – from the soccer mom whose email gets hacked to the multi-billion-dollar corporation whose business is ground to a halt by a massive data theft. Darkness lurks everywhere as our society, commerce, and culture become more and more electronic.
This reality is particularly scary to hedge funds, which are less likely to be equipped to deal with these types of threats than larger institutions such as banks, which have dedicated security resources in place. Given the sheer size of many hedge funds and their potential to ‘move markets,’ all industry stakeholders – fund managers, investors, and regulators – are concerned. Regulators and investors specifically have taken several steps over the past couple of years, including industry guidance and heightened due diligence requirements, to hold asset managers accountable for proper information security measures.
So, what should hedge fund managers start thinking about when it comes to their information security? As a good first exercise, I recommend that hedge funds develop an understanding of what the actual risks are – in other words, what bad outcomes can occur if something does go ‘bump in the night.’ It is important to remember that security risks should not be confused with threats, which are the scenarios and actors that influence the bad outcome (e.g. hacker attack, insider theft, etc.).
With this in mind, here are the top six information security risks that would keep me up at night if I were a hedge fund manager:
1. Theft or unauthorized sharing of intellectual property. Hedge funds live and die by their ‘secret sauce’ and their ongoing ability to generate alpha. Theft of intellectual property can have serious implications and should be a primary concern for portfolio managers.
2. Theft or unauthorized sharing of client information. Fund managers have a duty and obligation to ensure that their client information (e.g. account numbers, personally identifiable information, etc.) is safeguarded both in-house and at external service providers. A breach of sensitive client data can lead to irreparable damage (e.g. redemptions, lawsuits, etc.).
3. Theft of fund and/or client assets. Wire fraud is a huge risk in the hedge fund space, where billions of dollars in cash and securities are moved each minute. It is critical for organizations to understand their internal and external cash movements, as there are countless ways for bad actors to exploit them.
4. Front running and position copying. With billions of dollars in trades happening each day, there is ample opportunity for a hedge fund to get “front run.” While this may not be a large concern to some funds, the economic effects can be quite damaging to a market player of size. In addition, competitors can use position copying techniques to potentially back into strategies, which increases the likelihood of #1.
5. Availability and integrity of information systems. Technology security – applications, networks, hardware, etc. – is the layer that sits on top of it all. This is due both to the sensitivity of the information these systems house and to the ongoing business that they support.
6. Loss of key personnel. This is an intellectual property business, and as such it is of utmost importance to protect key individuals within any hedge fund, which goes well beyond information security. Fund managers should actively consider information protection, physical security, and executive protection of mission-critical staff and their families.