Don’t Let Cyber Criminals Make a Profit on Your Hedge Fund Business

Hedge funds are being challenged more than ever thanks to the COVID-19 pandemic, while trying to meet their objectives and attempting to overcome severely strained resources. Countless numbers of vulnerable individuals are reliant upon the crucial investment provided by the hedge fund sector, and disruptions could have catastrophic results. One type of disruptor is a cybersecurity attack perpetrated by compassionless criminals that turn a blind eye to whether their victims are large or small firms. Compounding the threat of attack is that hedge funds gear their internal budgets towards meeting their goals and may not have the ability to make the expenditures needed to fortify their defenses. However, all is not lost, as there are many cost-effective methods for reducing the risk of cybersecurity incidents. The following list provides some guidance to help navigate the many threats that lurk behind every click and keystroke:

• Has an inventory of sensitive data been completed?
  It is very difficult to protect what you don’t know you have, and if you deal with proprietary trading algorithms, investor data, protected health information (PHI), or personally identifiable information (PII), there are regulatory requirements that need to be met.

• Are employees receiving cybersecurity awareness training?
  Considering that over 90% of breaches are initiated by spear-phishing attacks, employees must be aware of these attacks.

• Are spear-phishing simulations being conducted?
  Using the “trust-but-verify” approach, complement your training with simulated spear-phishing attacks to gauge who is susceptible to this threat (and provide those users with additional training).

• Have you established third-party security management protocols?
  Having the best security measures in place within your organization doesn’t mean much if your third-party vendors aren’t secure, so be sure to have protocols that enforce their security requirements.

• Do you have strong password requirements?
  While utilizing complex passwords that need to be changed every few months may seem like an inconvenience, it is the first line of defense against attackers gaining access to your network.

• Is someone keeping an eye on your event logs?
  Every time an action occurs on your network, it should be logged, with anomalous events (e.g., repeated failed login attempts) resulting in an alert sent to your IT contact.

• Has the firm implemented two-factor authentication?
  Being required to acknowledge a prompt on a mobile device in addition to entering a password provides a significant security upgrade over passwords alone.

• Are your servers, systems, and applications patched on a regular basis?
  Vendors are constantly finding and addressing newly found issues, so be sure to implement a regular patching schedule to address these vulnerabilities.

• Have you established a written information security program?
  By documenting good security practices, end users will be better informed and equipped to make good security decisions.

• Do you perform viability testing on your backups?
  While it is nice to receive an email confirmation that your backups have successfully completed, go the extra mile and perform a periodic restoration to test the viability of the backups, whether they are located onsite or offsite.

• Has a cyber-insurance policy been obtained?
  Costs pile up quickly when a breach occurs, so having insurance to help lessen the financial blow is critically important to surviving the recovery process.

• Is there a detailed incident response plan in place that is periodically tested?
  Considering that a breach could be right around the corner, it is imperative to have a tried and tested plan that will help with a rapid response.

For more information or to set up a meeting to discuss how Citrin Cooperman can provide assistance with establishing strong cybersecurity defenses, please reach out to Kevin Ricci at kricci@citrincooperman.com or Dave Roath at droath@citrincooperman.com.