Two years of remote and hybrid work have significantly strained the hedge fund industry’s cybersecurity defenses and resiliency, according to the findings of a survey by cybersecurity and managed IT firm Agio.
In a newly published report, Agio said cyberattacks targeting hedge funds grew more frequent and more severe as “[t]he added surface area required to support remote investment teams taxed the industry.” In other words, having executives accessing a firm’s network from various different locations made it harder to protect the network.
Methodology
Agio worked with survey administrator Market Measurement to conduct 100 online interviews with technology, cybersecurity, operations and compliance professionals in the hedge fund industry during the first quarter. In addition to looking at the number of cyberattacks firms have experienced during the last two years, the interviews assessed hedge fund executives’ attitudes, behaviors, and perceptions about how to source and manage their cybersecurity solutions and programs.
Cyberattack trends
Interestingly, the survey found links between the size and AUM of firms and their likelihood of experiencing more cyberattacks. Companies with more than 75 people or with more than $5 billion in AUM were 28% and 27% more likely to report that attacks on their firm had increased, respectively. Most larger firms also said the time required to resolve an attack that resulted in unauthorized access to systems and data has increased during the last two years, with 59% of respondents from firms with more than 75 people reporting this, as did 58% of firms with more than $5 billion in AUM.
Overall, the frequency of cyberattacks during the last two years rose for 22% of the firms that responded, but 51% of respondents said the time and resources required to resolve attacks increased. And while 78% of respondents reported attack frequency stayed about the same or decreased in the last two years, 39% of firms that manage cyber programs internally reported attack increases, compared with 19% of those who outsourced some or all of their programs.
Outsourcing
A significant majority of respondents (62%) said their firm took a hybrid approach, managing some cyberdefense programs internally while outsourcing others. Only 15% of respondents said their firms managed all programs internally, while 23% reported their firms outsource all cybersecurity programs.
Again, the size and AUM of firms made a difference, as 41% of firms with more than 75 people and 36% of those with more than $5 billion in AUM were more likely to report their firm outsourced all their cyberprograms. A firm’s age was also a factor, as 26% of those in operation for longer than five years said they in-source all their cyberprograms, compared with only 3% for firms that launched within the last five years.
Among the firms that outsource all their cyberprograms, 61% said that choice was driven by the need for independent third-party review of cyberpolicies and programs, while 58% cited the need to improve their cyberposture to keep insurance rates down, and 53% said outsourcing was necessary to integrate threat detection & response with their core IT provider.
The way forward
Regardless of the approach firms are currently taking toward cybersecurity, change is in the offing. Among the firms that manage most or all cybersecurity programs internally, 97% said they were likely or extremely likely to outsource some or all their cyberprograms over the next two years, while 100% of those that are outsourcing said they are likely or extremely likely to consider a different provider in the next two years.
Among firms with more than 75 people, 71% cited the desire for a fresh perspective as a key driver for change, compared with 22% among smaller firms. Additionally, 80% of firms with more than $5 billion in AUM said a desire for a fresh perspective on cybergovernance was the main reason for considering new providers, compared with 49% of firms with between $2 billion and $5 billion in AUM and 15% of firms with under $2 billion in AUM.