Cyber Security: What Managers Need to Know

  • United Kingdom
  • Financial services and markets regulation
  • Financial services and markets regulation - Hedge funds
  • Privacy, data protection and cybersecurity
  • Financial services


There is no cyber-security threat looming on the horizon; the truth is that the storm is already here. An arms race, unseen, digital and all too little understood, is raging. The UK’s Head of Armed Forces, General Sir Nick Carter, recently stated that “the risk of cyber warfare with Russia is now a greater threat than terrorism.”

Institutions and the individuals that comprise them are fighting to adapt to a new reality where loosely organised “hacktivists”, organised criminal groups and rogue states attack infrastructure, raid databases and meddle in democratic elections. The internet we use today was never designed to be secure; it was designed to be open. This open exchange has brought huge benefits – but it has left security struggling to make up lost ground.

It is no secret that there is money in asset management and corresponding incentives for those willing to test an institution’s cyber-defences. This fact is not lost on the industry’s participants, including the traders who paid for access to a hacked Bank of England audio feed, presumably hoping it would give them a competitive edge in the moments before a press conference on interest rates was broadcast.

We know that this vulnerability cuts both ways, but the attacker’s motives may not always be discernible. Hacktivists driven by political or ethical causes are not necessarily interested in financial gain. Last year’s attack on Cayman National Bank by “Phineas Fisher”, the pseudonymous figure claiming credit for the hack and publication of more than two terabytes of documents containing the details of 3,800 high net worth individuals, trusts and offshore companies, is a clear case in point.

What is more, while cyber attacks have historically been associated with the theft of sensitive data, high profile digital heists — like the theft of $81m from the Bank of Bangladesh — should alarm anyone feeling complacent about our digitised economy, particularly if that attack was state-sponsored, as some pundits suggest. A new generation of attacks is anticipated to have a fundamental and systemic impact on financial markets and their infrastructure. Leaving aside the risk of financial loss or system failure, fund managers can ill-afford the press coverage that comes with a breach of their control systems. Managers trade on their reputation for competence and an ability to inspire trust in investors — poor cyber security calls both into question.

Regulatory authorities are moving quickly to keep pace with technological innovation and this means that cyber security is no longer a question of sound business practice, it is increasingly an issue of regulatory compliance. In the UK, the Financial Conduct Authority (FCA) covers its requirements in its Principles for Businesses, notably Principle 3 (Management and Control), with further information set out in the Senior Management Arrangements, Systems and Controls Sourcebook. The key takeaway from these documents is that basic cyber security measures are now in the rulebook.

These basic measures are as significant as ever, because while the actors behind these attacks are increasingly sophisticated, their methods are not always technologically sophisticated. Phishing emails requesting sensitive data remain one of the most common and effective means of breaching secure systems. Lax password control, leaving cloud storage systems unsecured, failing to keep systems patched and up to date – these basic errors are no longer overlooked by financial regulators. Not every manager needs to be a computer scientist, but good digital hygiene is a necessity: employ practicable systems, make sure they are understood by their users and review controls on a regular basis. Ideally these basic steps should become habitual, like locking the front door of a house.

So what are the key threats faced by hedge fund managers? We have already covered one of the more prevalent, the email (“phishing”) attack, but these messages only get results when the hook is swallowed. A business’s employees will always be the firm’s first line of defence (and its Achilles heel). Human error can never be eliminated, but it can be managed by implementing effective systems – like biometric tools or two factor authentication systems – and ensuring that staff understand their role in the cyber security policy. Often simple staff-friendly shifts in culture make the biggest differences. To take one example, passwords comprised of short sequences of random characters (e.g. “G71a!oP”) are not user friendly and, because the number of possible passwords grows exponentially with length, short ones are easier for a hacker to brute force. A long password comprised of several random dictionary words with a few numerals (e.g. “5PurpleCentipedesAnd1Apple”) is much harder for a computer to guess and difficult to forget (particularly if the combination of words is sufficiently absurd).
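As an added illustration that is not part of the original article, the Python below puts numbers on the two example passwords above: it estimates the search space an attacker must cover under a character-level brute force, and, for the passphrase, under a word-level attack where the attacker already knows the convention. The guess rate and the dictionary size are assumed figures chosen for the illustration.

```python
import math
import string

# Assumed attacker guess rate: a constructed figure for an offline attack
# against a fast hash, not a number taken from the article.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Alphabet the attacker must enumerate: the union of the standard
    character classes that actually appear in the password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def brute_force_bits(password: str) -> float:
    """Search space in bits when every string of this length over the charset
    is tried. Bits grow linearly with length, so the space itself grows
    exponentially: each extra character multiplies it by the charset size."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(n_words: int, dictionary_size: int, n_digits: int = 0) -> float:
    """Search space in bits when the attacker already knows the passphrase is
    n_words dictionary words plus n_digits digits in known positions."""
    return n_words * math.log2(dictionary_size) + n_digits * math.log2(10)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to enumerate the whole space at the assumed guess rate."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    short_random = "G71a!oP"
    long_words = "5PurpleCentipedesAnd1Apple"
    for pw in (short_random, long_words):
        bits = brute_force_bits(pw)
        print(f"{pw}: {len(pw)} chars, charset {charset_size(pw)}, "
              f"{bits:.1f} bits, {years_to_exhaust(bits):.2e} years to exhaust")
    # Worst case for the passphrase: attacker knows it is four words from a
    # 20,000-word list plus two digits (constructed dictionary size).
    bits = wordlist_bits(4, 20000, 2)
    print(f"passphrase, word-level attack: {bits:.1f} bits, "
          f"{years_to_exhaust(bits):.0f} years to exhaust")
```

The word-level figure is the one to plan around: if a firm mandates a passphrase convention, an attacker can assume it, so the margin comes from the number of words and the size of the dictionary, not from mixed case alone.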

That said, even the best procedures will not mitigate the threat posed by insider action, but then the need to employ trusted staff is nothing new. What is new is the need to manage who has access to key systems. Don’t give blanket authorisation, and when someone leaves the business make sure they don’t take their access with them. A 2017 industry survey of IT decision-makers showed that 50 percent of former employees’ accounts are still active 24 hours after they left the company. If a manager can assemble a team they trust, proper cyber security procedures allow them to contribute to the security of the business, acting as a wall, not a back door.

Of course, relying on better systems will only improve the situation if these critical pieces of software are kept up to date. Business systems need to be patched on a regular basis, with close attention paid to the provider’s minimum recommendations. The introduction of new systems should also be handled with care, and proper pre-testing is needed to ensure that these products are “Secure by Design”. Together these considerations contribute to an internal culture of effective cyber control.

Outsourcing is often a reality of doing business, but managers need to understand that they cannot outsource their regulatory responsibilities. The key regulatory instrument for hedge funds operating in Europe – the Alternative Investment Fund Managers Directive (AIFMD) – targets managers, not the funds they operate. Whenever an entity manages fund data, trades its assets or simply has access to the fund’s systems, oversight of that third party becomes the manager’s responsibility. Though it may seem counterintuitive, it is generally better to outsource functions that you feel more comfortable with. Only then can managers ensure that their oversight of third party providers is effective.

“Risk-centric governance” does not roll off the tongue, but it’s the standard regulators in the US and the UK are increasingly demanding from their charges. The development of increasingly prescriptive requirements across the Middle East, Latin America, Asia and Africa signals a global shift towards the standards being set in Europe and the US. Consequently, financial institutions should expect their IT and software vendors to build in “privacy by design” rather than adding it as an afterthought or a bolt-on. Managers should interrogate vendors’ security policies from the outset, and include this as a critical stage-gate in any procurement process.

Ultimately, this means that managers can no longer fixate on performance. A fund needs to accrue value, secure its assets and protect the client data it holds. Regulators have shown a willingness to impose significant penalties on firms that do not manage their outsourced functions effectively. In May 2019, a UK retail bank was fined nearly £2m by the FCA and the Prudential Regulation Authority (PRA) in connection with perceived weaknesses in the oversight of material outsourcing arrangements. There is no reason to expect that investment managers won’t be liable for the same harsh treatment.

If firms fail to manage cybersecurity effectively, their authorisation – the “licence” they require to do business in a regulated market – may come under threat as well.

Of course risk cannot be eliminated entirely. When preventative measures fail, an effective response is crucial. Again, these business continuity plans are increasingly a regulatory requirement. In the UK, the recurrence of IT failures, the perceived risk to consumers and the threat they posed to the viability and stability of the financial system as a whole triggered a systemic review by the FCA, PRA and Bank of England in July 2018. This was preceded by a report from the FCA following their survey on technology and cyber resilience, and coincided with the introduction of a new set of requirements from the PRA. The signals coming out of these bodies are clear: firms are now expected to continue operating even if they do become the target of a cyber-attack.

Force majeure clauses often make clients feel safer, but when it comes to cyber security they offer cold comfort. Cyber-attacks are part of the furniture in a modern digital economy and the manager’s policies should reflect that. An effective continuity plan should take into account the complexity of the business, its scale, the regulatory demands placed upon it and the needs of its investors. It should also take into account the kinds of attacks which are likely to occur. What will different groups be after, and how will they achieve those aims? If managers can prepare a tailored response to counter the methods these different groups are likely to employ, they will be better placed to create a resilient cyber security strategy. The existence of these plans will reassure regulators and, more importantly, the fund’s investors. No breach is likely to “go to plan”, but conducting proper exercises ensures that management knows the key respondents and tests that staff understand their roles. Familiarity with the systems makes it easier to adapt flexibly when things go wrong.

Managers need to approach cyber security with humility. Cyber security is not something that can be fixed once, and continual improvement is fast evolving from best practice to minimum requirement. Fund managers have long been fighting to keep pace with the cyber attackers. They now need to do so under an increasingly watchful regulatory eye.