PE Tech Report



Lock up the front door: cybersecurity perspectives of FoHF managers

Cybersecurity issues have existed as long as the internet. What seems to have changed in the last 18 months is not only that breaches have become more sophisticated, but also that hedge funds have become a much bigger target. 

For fund-of-hedge-fund (FoHF) managers, whose value-add to investors is identifying the best talent to invest with, the issue of cybersecurity and data protection has taken on far greater importance. They have to be fully satisfied that a manager’s IT network is secure, and that best practices are being adopted as far as possible.

“The cybersecurity flag was raised by the SEC because in my view managers probably assumed they weren’t vulnerable. A lot of them are small organisations who aren’t in possession of the crown jewels, as it were. It is precisely because they weren’t perceived to be vulnerable that they have become targets for a security breach,” says one US FoHF manager who prefers to remain anonymous. 

Bassam Fawaz is Chief Information & Technology Officer at Pacific Alternative Asset Management Company (PAAMCO), a leading US FoHF manager with approximately USD9 billion of assets under management. Discussing the vulnerability of smaller managers, Fawaz shares the following anecdote:  

“A client was visiting the small office of a hedge fund manager and they asked to see their IT room. The manager led them into the kitchen, which doubled as a makeshift server room, where the servers were kept under a table. Servers generate a lot of heat so they had the kitchen windows wide open in the middle of the winter. This speaks to the nature of the infrastructure that some of the small hedge fund managers keep and why they are vulnerable. Investors are becoming a lot more aware of this and including it in their ODD process,” reveals Fawaz.  

PAAMCO has long focused on IT as part of its own ODD process. This begins with an IT questionnaire developed by the firm’s internal IT group to establish what the IT security risks to a particular hedge fund are. 

“Then we discuss the manager’s IT security plan; who runs it, what physical security measures are in place, what information security measures are in place? That gives us a broad baseline to assess a manager’s IT set-up. Next, we visit the manager to perform IT testing. If the manager says that their systems are password protected, we want to check that they really are. We want reassurances that the proper internal controls are in place and working,” explains Michael Levin, Vice President at PAAMCO.

Since the SEC came out with its cybersecurity risk alert questionnaire last year, PAAMCO has been speaking with all of its underlying managers to determine whether or not they are doing a gap analysis of their current infrastructure. In other words, does their IT network pass muster on all 28 points contained in the questionnaire? Which ones are they covered on, and which ones do they need to work on? 

“It’s about making sure that they are thinking closely about these issues to get up to the security standards expected by the SEC,” says Levin. 

One important issue for managers to be mindful of is that they should have measures in place to assess the capability of the external IT consultants they rely on: are those consultants, and the systems they run, fully up to speed and up to the task? This is more an issue for smaller managers, who typically use outsourced providers. Vendor management has to be part of any manager’s cybersecurity policy, so it is important that they select the right partners.

“I think managers are now concerned that the SEC could pay them a visit at any moment to find out how they responded to the risk alert, what measures did they take? That fear of being seen by the SEC as having inadequate cybersecurity is pushing managers to do the gap analysis. Not only that, but investors are demanding it. Managers have to be prepared to provide the appropriate responses when investors come in to meet with them,” stresses Levin. 

John Murtagh is Head of Operations at FQS Capital (‘FQS’), a FoHF manager with a strong quantitative approach to investment management. FQS was established by Dr. Robert Frey, a former managing director of Renaissance Technologies, one of the industry’s most illustrious hedge funds. 

In Murtagh’s view, the US is further advanced, both in the regulation governing the market and in its appreciation of the cybersecurity threat. Although AIMA has a working group looking at the issues on behalf of the industry, in terms of prioritising the matter the SEC is one step ahead. 

“US managers, from our perspective, are more understanding and tech-savvy. They typically have systems and processes in place to both be aware of, and prevent, security breaches. We also see this trend in European managers but certainly the regulator – in this case the SEC – seems to be the main driver in my view, with the FCA also indicating that they will follow suit,” comments Murtagh. 

Expanding on the point Levin makes about gap analysis, Murtagh believes that the SEC’s stance is changing. Whereas previously it might have sufficed to say that X, Y and Z security protocols were in place, “now they are going to start verifying that that is indeed the case by doing their own independent testing. I think that’s where the SEC has made more progress than other global regulators on cybersecurity, with the FCA indicating a similar developing view. 

“Consequently, US managers are seen to be more on top of the issues,” says Murtagh. 

“The SEC has gone from saying ‘It’s a good idea for you to do this’, to now saying, ‘You’d better have this in place’. I’ve been to at least half a dozen conferences recently where cybersecurity was a major topic. In February, an SEC spokesperson was saying, ‘When we visit, here’s what you can expect us to look in to. If we find a gap in one of these areas it gives us more reason to dive deeper, so you’d better have all your ducks in a row,’” confirms the undisclosed source.  

One inference to draw from the SEC’s examination findings on cybersecurity is that, of the 74 per cent of managers who said they had suffered a cybersecurity-related incident, a large proportion of those incidents resulted from employee oversight.

At FQS, a material consideration when assessing the security of a prospective manager is to look at the employees within the firm. Whilst having robust systems and processes in place is primary, these can only ever be as strong as the employees using them in their daily operations. 

“The key message is that cybersecurity is about the people just as much as it is about the technology. A manager could have the best systems money can buy but if one employee accidentally opens up a nefarious email then it defeats the point. In our opinion it substantially turns on employee training,” confirms Murtagh. 

Managers face so many challenges today to stand out from the crowd and give themselves the best chance of raising assets. Institutional investors, ultimately, look for reasons not to invest. What seems to be changing today is that when a FoHF manager – or any other investor – assesses its manager short-list, and is trying to choose between the last two, the manager with the strongest security framework is likely to come out on top.

“Our operational due diligence team has a veto power over any manager. If one of our managers doesn’t hit the minimum standard with respect to security or wider operational issues we take them off the list of investable managers,” explains Levin. 

Given the very exacting data security and physical security standards that FQS has in place, it is perhaps unsurprising that a similar approach is taken when screening managers. Like PAAMCO, FQS runs through the usual due diligence questions. In addition, the team looks at a manager’s server room, at who provides its cloud services and at what controls are in place. Indeed, one of the considerations is whether a manager is overly reliant on the cloud. 

“Some managers might think the cloud is a panacea but it is not. One of our questions asks what would be the internal training in terms of cybersecurity, because as mentioned, a manager is only as secure as the employees they’ve got.

“Technology-wise, good practice is the use of dual-layer firewalls, for example. That’s becoming a growing trend. A lot of the bigger managers will have that. It obviously depends on the AUM and the years of operation of the managers we look at in terms of how sophisticated their infrastructure is. Larger firms will have lots of resilience built in to their primary line. But what happens if that primary line goes down? Do they have a back-up line? Are they using multiple lines, or are they completely reliant on the cloud? 

“Once we’ve looked at these cybersecurity aspects we ask questions on firewall security. Do they have annual penetration testing? And even around the firewall we’ll ask how many ports they have open – for example, we would have all of our firewall ports locked down. These are all worthwhile questions when we delve in to a manager’s IT set-up before we are willing to invest in them,” states Murtagh. 

For many managers, and smaller ones in particular, the most cost-efficient route to a secure IT set-up is to work with external technology providers, but as mentioned, a lot of care and consideration has to go into this. “Using a hosted solution absolutely does not give them a free pass,” states Levin. “They really have to do their due diligence beforehand to make sure they are comfortable with the vendor, and that they are making the right choice. 

“We try to speak to all of the vendors that our managers use. Most tend to use vendors that everyone’s heard of, but if they choose one that we aren’t familiar with we’ll definitely do our own due diligence on them.”

The cyber attacks hitting hedge funds are only going to become more sophisticated, and as such both FoHFs and the managers they invest with cannot afford to drop their guard.

The FoHF manager who asked to remain anonymous recalls a spear phishing incident in which a manager received an email purporting to come from a large investor, requesting a wire transfer. 

The attacker mimicked the investor convincingly in the ensuing email correspondence: turns of phrase, the use of nicknames and so on. 

“It was only thanks to a member of the team being alert that they acted but they had already sent the wire transfer. Luckily it was still with the custodian so they were able to nip it in the bud,” says the manager.  

This is where training people properly is important. The fund’s procedural workflow should spell out when and how a wire transfer request must be confirmed, through a channel other than the email thread itself (for example a call to a number already on file), the steps to take, and the approvals to obtain before anything is sent. Whilst this may be seen as an annoyance by some managers, it is a necessary one.
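As an added illustration of such a workflow (example code written for this page, not a procedure used by any of the firms quoted), the following Python models the controls as a checklist run before a wire is released: the sender and reply-to domains are compared with the domain on file for the investor (with a simple edit-distance test to catch lookalike domains), the beneficiary account is compared with the settlement instructions on file, the confirming call must be placed by a different person from the one who received the email and to a number already on file, and two independent approvers are required. The investor directory, staff names, phone number and the requests themselves are constructed sample data.

```python
"""Wire-transfer request control modelled on the out-of-band confirmation and
approval steps described above. Added example, not part of the original article;
the record layout, investor directory and sample requests are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed investor directory: the contact details the fund holds on file
# BEFORE any request arrives. Confirmation goes to these, never to contact
# details supplied in the request itself.
INVESTORS: Dict[str, dict] = {
    "acme-pensions": {
        "domain": "acmepensions.com",
        "callback_phone": "+1-212-555-0100",        # constructed sample number
        "settlement_accounts": {"US12-3456-7890"},  # constructed sample account
    },
}


@dataclass
class WireRequest:
    investor_id: str
    from_domain: str        # domain in the From: header
    reply_to_domain: str    # domain in the Reply-To: header (often the spoofed one)
    received_by: str        # staff member who read the email
    amount: float
    beneficiary_account: str


@dataclass
class Confirmation:
    confirmed_by: str       # staff member who placed the call-back
    phone_used: str         # number actually dialled
    approvers: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 from the domain on file
    (acmepension.com, acrnepensions.com) is treated as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate_wire_request(req: WireRequest, conf: Optional[Confirmation]) -> List[str]:
    """Return the list of control failures; an empty list means the wire may proceed."""
    problems: List[str] = []
    investor = INVESTORS.get(req.investor_id)
    if investor is None:
        return ["unknown investor"]
    known = investor["domain"]
    for label, dom in (("From", req.from_domain), ("Reply-To", req.reply_to_domain)):
        if dom.lower() != known.lower():
            kind = "lookalike" if edit_distance(dom.lower(), known.lower()) <= 2 else "unrelated"
            problems.append(f"{label} domain {dom} is {kind} (expected {known})")
    if req.beneficiary_account not in investor["settlement_accounts"]:
        problems.append("beneficiary account is not a settlement account on file")
    if conf is None:
        problems.append("no out-of-band confirmation recorded")
        return problems
    if conf.phone_used != investor["callback_phone"]:
        problems.append("callback did not use the phone number on file")
    if conf.confirmed_by == req.received_by:
        problems.append("confirmation made by the same person who received the email")
    approvers = set(conf.approvers)
    approvers.discard(req.received_by)   # the recipient cannot approve their own request
    if len(approvers) < 2:
        problems.append("fewer than two independent approvers")
    return problems


if __name__ == "__main__":
    # Constructed request: genuine From:, lookalike Reply-To:, unknown account.
    suspicious = WireRequest("acme-pensions", "acmepensions.com", "acmepension.com",
                             "alice", 250000.0, "GB99-0000-0001")
    for p in evaluate_wire_request(suspicious, None):
        print("BLOCK:", p)
```

The checklist is deliberately order-independent and reports every failure rather than stopping at the first, so the person reviewing the request sees the whole picture (a lookalike domain together with a new beneficiary account is a much stronger signal than either alone). A new beneficiary account is treated as a failure here; in practice it would be routed to a separate account-onboarding procedure with its own verification rather than approved inside the payment flow.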

“Sometimes when we look at a manager and think, ‘That’s not up to standard’, or ‘That’s not best practice’, it can sometimes, though not always, be symptomatic of a wider issue. It’s important to take a holistic approach to these things. If we see a red flag, we would definitely raise that with the manager, and as I say, it could be a sign that operational best practices are not being adhered to,” explains Murtagh.

To illustrate just how fast the industry has moved in relation to cybersecurity, FoHF managers are now starting to send out an annual privacy document, detailing to investors the latest security measures that have been put in place to secure their data.  

It’s this level of focus and commitment to internal data protection, as much as network security, that FoHFs now demand of the managers they allocate to. 

“We’ve gone from a state of blissful ignorance to one of growing awareness. People are becoming a lot more aware of the implications of getting breached. The analogy I would use is that hedge funds have gone from living in a community where everyone felt safe to one where everybody is now putting locks on their front doors,” concludes Fawaz.  

