Cyber Regulations: How Fund Managers Should Get Started

Cyber Regulations: How Fund Managers Should Get Started

Oleg Bogomolniy

May 20, 2016

Over the past three decades, the alternative investment industry has grown to become one of the most imperative contributors to global economy, managing trillions of dollars.

By no means this industry is a stranger to some of the toughest, business impacting regulations the global financial system has ever seen: Dodd-Frank, AIFMD, GLBA, SOX, FISMA, along other regulations planned for 2016 and beyond. However, recent cybersecurity initiatives from the U.S. Security and Exchange Commission (SEC), and later by National Futures Association (NFA), caught many fund managers by surprise for two main reasons.

First, most of the firms impacted by these regulations either do not have their own IT departments, or only rely on rudimentary IT support personnel. Second, unlike funds’ bigger cousins (banks, …), alternative investment industry has been laying low enough to escape under cyber-threat radars. There just hasn’t been much value of hacking into a hedge fund. So why now? To understand the thinking and methodology of regulators behind these cybersecurity initiatives, we first need to understand the ingredients in the mix.

Fast and Furious

SEC Cybersecurity Initiative and NFA Cybersecurity Interpretive Notice have raised the bar on the cybersecurity awareness and preparedness, triggering prominent changes in the alternative investment industry. Fund management is expected to incorporate cybersecurity into business strategy and CapEx/OpEx budgets, as well as to develop short-term and long-term strategies on implementing adequate cybersecurity controls into every day routines.

Even though cybersecurity has not been on the top priority list for the alternative investment industry in the past decade, technology on the other hand has unequivocally been one of the biggest enablers. I am referring to quantitative analysis, High Frequency Trading (HFT), and other algo-trading strategies, or “the secret sauce”: VWAP, TWAP, high-tech front-running, delta-neutral trading, rebalancing index fund, arbitrage opportunities, or just simply following trends. Algo-trading redefined the need for speed of trading computer connections and made every microsecond count. However, despite of lucrative profits, algo-trading proved to be naturally capable of detrimental powers, as seen in 2010 and 2015 Flash Crashes. So why can’t the same powers be harnessed for deliberate manipulations?  What would stop an adversary to create malicious algorithms, let’s say, to paralyze financial exchanges? It is rather trivial today to plug-in algorithms into financial markets from anywhere, but that would be too obvious, or as the Millennials say it, “that is so last century”. Instead, one could covertly “tap” into legitimate trading models used by a firm with weak cyber-defenses. Now the perpetrator can take any “cyber-position”:

  • Financial gains from hidden trades
  • Offering “for hire” services to artificially manipulate the market conditions
  • Stealing proprietary trading strategies, or
  • Simply selling a segue into a firm with access to financial exchanges to a higher bidder 

The Costs Add Up

In 2015, there were more than 700 major security breaches with averaging price tag of over (US)$1.57M. This number is expected to grow in 2016 with more industry sectors being mandated to report security breaches. Financial industry was the target of over 80% of attacks and breaches. The top 3 categories of security incidents in relation to the alternative investment industry are:

  • Cyber-crime
  • Cyber-espionage
  • Insider misuse (deliberate or incidental)

The Cyber Commodity

Cyber is now one of the most valuable commodity! Cybercrime has grown into its own $400+ billion industry and has plenty of room for growing potential. Underground markets are booming with counterfeit credentials, premium credit cards, online bank accounts, malware for sale, hacking services-for-hire, hacker tutorials, and much more.

The competition among cybercriminals themselves is getting increasingly intense, which drives the price for stolen cyber down. So now they tend to target wealthier victims – a serious concern for the alternative investment industry.

Assessing Defense Capabilities

In 2015 Moody's Corp. announced their plans to include cyber defense capabilities in its analysis of the creditworthiness across all sectors. Data breach detection and incident response will be a part of their analysis. Following Moody’s announcement, Standard & Poor’s revealed they had begun querying financial institutions using a list of 16 questions to gauge their cybersecurity readiness. Those questions include:

  • How long has it typically taken to detect a cyber attack?
  • What containment procedures are in place if a business is breached?
  • How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
  • What's the internal phishing success rate?
  • What kind of expertise about cyber attacks exists on the board of directors?
  • How much does the business spend on cybersecurity, what resources does it devote, and what is the total tech budget this year versus last?

Measuring the Key Risks

The rise in adversarial sophistication and continuous persistence of advanced threats against American entities prompted the Executive Order 13694 signed by the President Barack Obama in April of 2015 and authorizing action against “malicious cyber actors whose activities are directed against U.S. critical infrastructure, our companies, or our citizens and could threaten the national security, foreign policy, economic health, or financial stability of the United States.”

To summarize, the key risks for alternative investment industry that dictated the need for new cybersecurity regulations are:

  • Covert manipulation of various types of trading (e.g., algorithmic) for financial gains or malicious intent (crashing the market)
  • Cyber-espionage: theft of Intellectual Property (IP), confidential or investors’ personal information
  • Cyber-extortions: “siege” of computer systems for monetary compensation
  • Malware: inability to conduct business for prolonged period of time

Cybersecurity Initiatives

How it’s made

In 2014, SEC was tasked to provide guidelines for creating and enhancing Cybersecurity Programs to its registered entities. My kudos to SEC for not blindly adopting a monstrous grand pyramid of cybersecurity and dumping it on top of the industry. Instead, SEC took pragmatic, phased approach to build its own pyramid using cybersecurity best practices:

[*]       NIST Cybersecurity Framework

[*]       CIS Controls for Effective Cyber Defense (formerly, Top 20 Critical Controls)

A year later, SEC published the results of their ongoing Cybersecurity Examination Initiative conducted by the Office of Compliance Inspections and Examinations (OCIE), including specific six areas of focus for succeeding rounds of audits:

  • Cybersecurity Governance and Risk Assessments
  • Access Rights and Controls
  • Data Loss Prevention (DLP)
  • Vendor Management
  • Cybersecurity Incident Response
  • Cybersecurity Awareness & Training

As of March 2016, NFA’s Cybersecurity Interpretive Notice went into effect. Approved by the Commodity Futures Trading Commission (CFTC), it requires “Member firms to adopt and enforce written policies and procedures to secure customer data and access to their electronic systems.” NFA has adopted SEC’s approach of addressing cybersecurity threats. So for all intents and purposes I will concentrate on the six main areas mentioned earlier.

Now let’s take a closer look into each area and define “quick wins” to start you off.

1.1 Cybersecurity Governance and Risk Assessments

Myth: I will be better prepared to pass OCIE examination if I invest into technical controls, first. Once I have a better protection against cyber-threats, there is less chance of an incident.

One of the tenets of today’s cybersecurity best practice is “offense informs defense.” It means that cybersecurity threats, similar to investment strategies, are not constant and continuously evolve. Whatever technology you may have in place today may not be efficient against a new threat tomorrow. That’s why it is important to have proper governance and periodically evaluate the risks and gaps. This concept can be clearly seen in SEC’s approach to cybersecurity when in September of 2015 SEC charges R.T. Jones Capital Equities Management with failing to adopt proper cybersecurity policies and procedures prior to a data breach. Specifically, the firm failed to:

adopt written policies and procedures reasonably designed to safeguard customer information, and
conduct periodic risk assessments

Quick Wins:

1. Establish an organizational body (e.g. Security & Privacy Committee) tasked with overseeing all aspects of cybersecurity and reporting information security risks, including changes in federal/local laws and regulations, directly to the Board of Directors and/or investors.

2. Written Information Security Policy (WISP), at a minimum, should incorporate these six topics covered in the latest SEC Risk Alert.

NOTE: I often come across firms hiring an external party to develop their WISP. I strongly recommend to first ensure that whomever is tasked with developing your WISP is indeed a subject matter expert in SEC Cybersecurity Initiative.

3. Consider engaging a third party to conduct risk assessment / gap analysis. It will immensely help you to build the foundation for your cybersecurity program:

  • Alignment of cybersecurity program with strategic business plan
  • Gap analysis will help your cybersecurity roadmap
  • Findings can be used to develop metrics and build a business case

Access Rights and Controls

Myth: We already have a firewall. Plus, we have enterprise-level anti-virus on all computers. All we need is to encrypt the sensitive data, so that even if someone steals it, they won’t be able to use it.

Any technical security control, e.g., a firewall, an Intrusion Prevention Systems (IPS), data encryption and many other ones, could be viable against some type of threats, yet defenseless against other threats. For example, anti-virus is known to be only 20% effective, or encryption can be circumvented under many conditions. That’s exactly how the defense-in-depth methodology of layered security came about:

No technical solution on its own can protect against evolving cyber threats. Yet, a combination of right defenses working in concert with each other will force attackers to maximize their efforts, and in turn will minimize chances of successful attacks

Even if one layer is breached, there is time to deploy new or updated countermeasures:

The defense-in-depth methodology works hand-in-hand with the CIS Critical Controls and maps well into NIST Cybersecurity Framework. It greatly helps with making the starting point.

Quick Wins:

1. Administrative access to computer systems. Vast majority of malware relies on having administrative access to infected system. Removing administrative privileges and only using it when required can significantly reduce the footprint of potential attacks.
2. Access rights based on “need to know” and “least privilege” principles. All information stored on computer systems should be protected in a way that only authorized individuals have access to the information based on their responsibilities. For example, not all employees need the ability to modify files with sensitive information. Limiting such access can significantly reduce the damage of potential attacks or significantly lowering the risk of a data breach.


1.3 Data Loss Prevention (DLP)

Myth: We spoke to a few vendors, and we can have DLP in no time.

DLP is a strategy for controlling different types of information based on the classification. For example, proprietary information or Personally Identifiable Information (PII) may not be allowed for copying into portable media, or sent via email to external parties. There is a plethora of available DLP related products ranging in price from a few thousands to hundreds of thousands of dollars. Regardless of the price, the implementation may not be so simple, because data comes in many different forms. Most DLP products today come with predetermined policies to match specific compliance standards such as PCI, HIPPA, SOX, etc. Most certainly, there will be a customization effort to match specific needs of your firm, which has at least two dependencies:

  • DLP is a tradeoff between the convenience and security, and
  • DLP customization relies on established Data Classification and Data Mapping standards

Quick Wins:

1. Establish Data Classification policy and standards outlining the data classification types (e.g., sensitive, confidential, protected, etc.) and associated risk levels (e.g., low, medium, or high). Develop document templates (e.g., MS Office) with embedded data classification.
2. Establish dedicated, centralized locations, where different types of data must be stored.
3. Establish a strategy for these three general scenarios:

  • Data residing on endpoint systems (workstations, portable or mobile devices)
  • Data-at-rest on file servers, shared network storage, etc.
  • Data-in-transit – when data is being sent via email, copied across the Internet, etc.

4. Define data ownership and custodianship standards. For example, in the case of InfoHedge, we are data custodians, whereas our customers are data owners. As a data custodian, InfoHedge heavily relies on the Data Classification and Data Mapping set by our customers.


1.4 Vendor Management

Myth: I have managed many vendors throughout my career, and I don’t think this is any different.

A spree of data breaches over the last few years, such as Target’s credit card breach, originated from breached vendor networks, and then made its way into customer networks. As a result, examiners may focus on firm practices and controls related to:

  • Due diligence with regard to vendor selection.
  • Whether vendor relationships are part of firm’s ongoing risk assessment process.
  • Due diligence with regards to vendor access to firm’s network or data, including the services provided and contractual terms related to accessing firm networks or data, and

How vendors facilitate the mitigation of cybersecurity risks by means related to access controls, data loss prevention, and management of PII

Quick Wins:

  • Develop a technology specific Due Diligence Questionnaire (DDQ), which has been recognized in the market for its depth of content and efficiency.

1.5 Cybersecurity Awareness and Training

Myth: There are plenty of cybersecurity related information available today by any means possible. Plus, we follow the news and popular cybersecurity blogs. There is not much point to have our employees spending valuable time to listen to the same thing.

The main goal of cybersecurity training is to lower the risk of a security incident. Remember the old cliché about a chain being as strong as its weakest link? In the case of cybersecurity chain, the human happens to be the weakest link. By training your employees about cybersecurity risks, along with the consequences of taking (accepting) these risks, and different methods to avoid these risks, you eventually lower the risk of a security incident.

Quick Wins:

1. Develop short, tailored training sessions for specific job functions, based on cybersecurity risks identified for your firm and the industry.
2. Encourage responsible employee and vendor behavior.
3. Include procedures to follow in case of a cyber incident.


1.6 Incident Response

Myth: Our firm has contracted a third party to provide incident response, so we don’t need our own team or procedures.

Incident Response, although technical in nature, incorporates a great deal of non-technical functions. More importantly, in order to engage incident response, you need to be aware of an incident. Nowadays, vast majority of security incidents are reported by external parties. Similar to crisis management plans, all functions need to be clearly documented and periodically tested.

Quick Wins:

1) Determine which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.

2) Discuss possible scenarios of security incidents with either your internal security team or another third party.

3) Develop your own Incident Response Plan and procedures with assigned roles to address these scenarios. If a third party services are involved, incorporate their procedures into your plan:

  • Who has the authority to engage the incident response process?
  • What is the escalation process?
  • Who will be determining the amount of actual clients’ losses?
  • Who will be documenting the date/time of an incident, discovery process, escalation, and any responsive remediation efforts taken?
  • When will the investors be notified of a security incident? And,
  • When and how will this plan be tested?

Oleg Bogomolniy is Chief Security Officer at InfoHedge Technologies, LLC, a leader in best in class, single-custody IT Hosted Platform services. Built on the expertise in security leadership, cybersecurity awareness training, forming and training of incident response teams, and digital forensics, Mr. Bogomolniy leads the InfoHedge Cybersecurity Program geared to solidify cybersecurity-aware culture of InfoHedge and promote cybersecurity awareness and compliance to InfoHedge customers as part of the vCSO® offering.


Getting in on the Groundfloor

Dara Albright

Alternative Thinking on Today's Market Events

The Daily Alpha - 09.21.15

Garrett Baldwin

Assume Breach

Garrett Baldwin


The Week Ahead for Forex


Alternative Thinking

The Daily Alpha - 09.18.15

Garrett Baldwin

Alternative Thinking on Today's Market Events

The Daily Alpha - 09.17.15

Garrett Baldwin

Alternative Thinking on Today's Market Events

The Daily Alpha - 09.16.15

Garrett Baldwin

Modern Trader

Rise of the Ethical Hacker

Garrett Baldwin


Quotes of the Day

Garrett Baldwin

Modern Trader

Why are Hedge Funds Hiring Poker Pros?

Garrett Baldwin

Gambling and Gaming

Wall Street Casino

Garrett Baldwin

Gambling and Gaming

Investing: A Pretentious Word for Gambling?

Doug Litowitz

Gambling and Gaming

Gambling and Gaming: A Common Thread of Risk

Michael Stegemoller, Baylor University


Where Gambling Meets Trading

Modern Trader, William Ziemba


Fire-sale: Were Three Leading Organizations Hit By A Global Cyber-Attack?

Dr. Timothy Summers and Dr. Joseph Wall

Real Talk

CNBC Demystified

Doug Litowitz

Modern Trader

False prophets

Garrett Baldwin, Illustrated by Mario Zucca


Why OTC is Back in Vogue

Edward Lopez

Modern Trader Magazine

Does Your Alma Mater?

TAP Innovation Series

Alpha Pages Innovation Series: Acorns

Garrett Baldwin

Alternative Energy

Yield Cos? More like Yield Can’ts!

Bryan Birsic

Vice Spending

April Vice Index Shows Strong Rebound

Andrew Zatlin

Disruptive Technology

Part II: Possible Hedges Against the Robot Apocalypse

Garrett Baldwin

Disruptive Technology

Part I: Possible Hedges Against the Robot Apocalypse

Garrett Baldwin

Water Investment

Rick Rule: Time to Change California’s Water Policy

Global AgInvesting

Insider Trading

Why The Second Circuit Refuses to Reconsider Its Newman Decision

Jonathan N. Halpern, Ehren M. Fournier

Futures Magazine



Art, Antiques & Collectibles • Forestry • Film Investments • Alternative ETFs • Wine, Spirits & Cannabis • Hard Assets • Sports & Exotic Wagering • Oil & Gas Exploration • Startup Investing • Private Equity • Treasure Recovery • Commodities • Digital Currencies • Peer-to-Peer Lending • Venture Capital • Hedge Funds • Private Real Estate • Managed Futures & CTAs • Forex & Derivatives Trading • Alternative Energy • Futures & Options