Just a month after the SolarWinds attack, the Superintendent of Financial Services for the N.Y. State Department of Financial Services noted that a cyber-attack could trigger the next great financial crisis. While this idea may seem far-fetched or sound like the plot of a Black Mirror episode, the truth is that a single attack — of the right magnitude and with an ideal target — has the potential to introduce instability and uncertainty into the financial industry.
Financial institutions have an extensive dependency on outsourced technology — and this reliance on third-party service providers can significantly heighten risk. The Financial Stability Board recently highlighted that a successful cyber-attack on a widely used vendor could create a single point of failure and cause a domino effect in the market.
What does this mean for your hedge fund? While you shouldn’t fixate on the possibility of a cyberattack triggering the next financial crisis, the prospect should make you pause and think about how critical it is to focus on due diligence, third-party risk and operational resilience.
Where to begin?
The first step in assessing supply chain risk is identifying points of vulnerability; defining the problem is the first step to finding a solution. What are the potential failure points? Where is the weakest link? Have you thoroughly evaluated vendor and third-party crisis response plans? Then, prioritize working with vendors that can demonstrate they employ a robust, proactive cybersecurity system — and set the expectation that those vendors vet their own suppliers in the same manner. Diligently implementing these precautions across the board is what will lead to a resilient and prepared financial services industry. The best way for your fund to reduce the risk of supply chain-based cyberattacks is to prioritize adequate due diligence and resource allocation focused on third-party risk, and to take proactive steps to enhance your defenses and secure your data before any attack strikes.
The threat landscape is constantly evolving, which means your proactive plan must evolve with it or risk becoming ineffective. Continuously track attacks against funds similar to yours and work with cybersecurity experts who are up to date on trends and meticulously evaluate the cybersecurity landscape. Taking these precautions can better inform your cybersecurity decisions. If your cybersecurity support consists of a small I.T. team with a diverse array of responsibilities encompassing data, security and tech, now may be the time to reevaluate and devise a new approach. A small I.T. team might not have adequate resources or time to handle daily I.T. needs, assess security threats and keep up with regulatory guidance.
Adapt to the evolving landscape
Cyberattacks occur every 39 seconds, as illustrated by the FBI’s Internet Crime Complaint Center. In 2020, 791,790 cybercrime complaints were received with over $4.1 billion in losses. Criminals do not discriminate and the size of your fund does not matter. Criminals will likely target you directly or target your partners and vendors. In either instance, your data is at risk.
The cybercriminals we face today are persistent, competent and greedy, and some even consider themselves aspiring cyber vigilantes. Therefore, it’s critical to allocate resources to establish proactive security and reactive contingency plans. Building a strong defense system and plan is not enough; you also need a plan in case of failure. In the event of a breach, a business continuity plan you can quickly and easily implement and follow is critical to ensure the fund can swiftly respond and maintain business as usual.
After a breach: how to recover
Although cyberattacks are devastating, they can be a learning experience. Where exactly did the security breach occur, and how did it succeed? Were employee credentials compromised through phishing? Did criminals impersonate the CEO to funnel funds? Was your fund the intended target, or are you collateral damage from an attack up or down the chain? You must quickly identify the vulnerability — and act.
Understand which servers were compromised in the attack and be certain your data is protected. Identify all active networks during the attack and which employees have access to the point of infection. Then, change passwords, secure the network, and follow legal advice and requirements to notify your customers, employees and relevant government bodies that a breach occurred. Finally, activate your continuity and recovery plans to protect the fund from a similar breach.
While the threat landscape is complex, the solution is not. It takes commitment, resources, efficiency and due diligence to adequately protect your fund.
Regulation is changing the game
Regulators across the board are applying more pressure on institutions globally when it comes to cyber hygiene and operational resilience. In the U.K., the PRA, FCA and the Bank of England are considering implementing a regulatory framework. NIST accelerated the update to its cyber resiliency guideline to combat cyber-attacks against critical U.S. targets, and the U.S. Division of Examinations published operational resilience and cyber security observations. In 2023 the E.U.’s Digital Operational Resilience Act (DORA) is also expected to come into effect. Even though these deadlines are quickly approaching, don’t rush. Cyber security is not about checking boxes to get it done. It’s about employing a thoughtful approach to get it done well.
What are the next steps for your fund? Analyze and consider notable security developments, evaluate your cybersecurity preparedness — and then identify ways to improve it. The SolarWinds attack and others have shown us the cascading impact of the cyberattack domino effect. Now is the time to focus on assessing your own third-party risk and understanding how large-scale supply chain attacks occur. This isn’t the time to rest on your laurels and simply check a box to show you remain compliant. This is the time to build trust and demonstrate your fund is a robust and resilient business in the alternative investment and financial services industry.