Hacking A Hedge Fund
There are worse things than a market crash.
The Chief Investment Officer article, "Hacking A Hedge Fund," quotes Russell Reynolds Associates' Joe Ghory about the dangers hedge funds now face from increasingly sophisticated hackers. The article is excerpted below.
This is what’s known: Attack vectors, or hacks to laymen, range from phishing (the “Nigerian prince with $10,000,000 USD in an offshore account”), to spear-phishing (an email appearing to be from your boss, but isn’t), to mock software updates and beyond. These intrusions usually aim to either trick an employee into sending money, or to gain access to a system and deliver malware. It’s this payload that scares hedge funds the most: Proprietary algorithms, client data, and reputations could all be fair game.
Whether any major hedge fund has been breached in such a way is unknown—which is not to say it hasn’t happened.
Attacks are “like the example of Israel and nuclear weapons,” says Joe Ghory, a Russell Reynolds recruiter focused on cybersecurity and advanced analytics. (Full disclosure: He is a long-time friend of the author.) “They have no incentive to reveal it, but we all know that they have them.”
Only scattered reports of fund data breaches exist—for example, British defense contractor BAE Systems revealed in 2014 that a major hedge fund had been hacked, only to backtrack weeks later. Yet every industry expert interviewed for this article believed that at least one brand-name hedge fund has been exposed. “You could call it the Wizard of Oz, or the emperor wearing no clothes,” Ghory says. “Because the industry has no interest in disclosure, it leads to a false sense of security. The market feels more stable than it really is. Experts will tell you that there has never been a time—never—where they are more in the bullseye than now.”
This sentiment extends well beyond the alternative investment industry. While hedge funds are the Bobby Fischer of the financial system—eccentric genius mixed with a large dose of crazy—major financial institutions are even larger targets. JP Morgan, for one, has acknowledged that upwards of 100 million customers may have had their personal data exposed to hackers.
“And look at the US military,” Ghory says. “One USB drive lying in a parking lot can change everything.”
For hedge funds, “the threat deserves prominence,” Russell Reynolds’ Ghory says. “Asset managers and hedge funds have always been very much focused on returns for their investors. But as a result, we have seen that the back-office staff has been purposefully designed to allow them to be nimble. They are substantial users of outside services or consultants that aren’t core to their business.” Unsurprisingly, internal communication and focus may be lacking when it comes to cyberthreats. Just as the military consolidated its various cyber-focused branches “into a single four-star command,” hedge funds would be well advised to onboard a chief information security officer, according to Ghory. “I do think that more and more asset managers are hiring into this role,” he says, while admitting his financial interest in seeing this trend continue. “As we spend more time working with limited partners, it’s becoming a question they are expecting to ask and expect a good answer for from the hedge fund or asset manager. It’s no longer, ‘We trust you.’”
“We make the assumption that the moment you’re compromised, someone is willing to act immediately,” says Russell Reynolds’ Ghory. “The reality is that they, whoever ‘they’ are, can be patient, because they’re looking at the large opportunity. The ones who tend to act quickly are classic smash-and-grab robbers—not the people looking to do the single great score, the ‘Ocean’s Eleven’ thing. Just because nothing has come to the hedge fund’s attention yet doesn’t mean it hasn’t been compromised.”
To read the full article, click here.