Hedge Fund Cybersecurity: Preparing Your Defensive Team

By Katie Sloane | Thursday, November 6th, 2014

When it comes to cybersecurity defenses, this isn’t a fantasy league. The threats are real and growing in sophistication for the hedge fund and alternative investment industry. In today’s blog, we will discuss how to prepare your firm’s defense for external attacks and internal breaches. Hedge Fund Cybersecurity

Cybercrime works like a defensive team that studies their opponents and plays and can make midgame adjustments. The only true way to thwart an incident is to establish a layered security program to safeguard against attacks and vulnerabilities of all kinds. Football teams share a similar composition, as there are defensive tackles and ends, cornerback and safety roles. You need to ensure your infrastructure is highly secure and cannot be penetrated by external attackers or easily manipulated by internal threats.

Best Practices

To increase protection, hedge funds and investment firms should employ a Defense in Depth strategy. This includes maintaining up-to-date anti-virus and anti-malware software as well as network firewalls, deep inspection proxy and intrusion detection and prevention systems (IDS/IPS) to reduce the amount of traffic on the network.

It also means taking into account physical and virtual security elements. In regards to physical security, consider the following:

24x7x365 manned lobby with visual verification of identity
Two-phase authentication of visitors (card and biometric)
Secured access doors and elevator banks
Monitored security cameras
Additional door, motion and camera sensors
Visitor logs for cages
Key-locked cages and cabinets

Security Playbook: Policies and Procedures

Additionally, firms should curate the following policies and procedures to ensure their critical systems and data do not fumble into the wrong hands.

Principle of Least Privilege: This involves restricting access to only those employees who need it.
Secure User Authentication Protocols
- Assigning unique domain user IDs to each employee
- Limiting access to only active users and active user accounts
- Implementing strong domain password credentials (e.g. enforcing password age limits, minimum length, etc.)
- Managing data security passwords and ensuring they reside in a secure location
Monitor, Audit and Logging Network Activity

Business Continuity Planning (BCP)

Just as a football team has backup players in case of injuries as well as varying game tactics, so too must technical security safeguards in the form of a Business Continuity Plan (BCP). Firms must put in place security-focused policies and procedures to further protect their data from cyber-attacks and data breaches. The Securities and Exchange Commission (SEC) reinforced this by focusing on written policies within its recent cybersecurity exam questionnaire. The following are key policies firms should create and implement.

Written Information Security Policy (WISP): Outlines administrative and technical safeguards that firm’s implement to protect sensitive data and infrastructure
Access Control Policy: Determines who at your firm needs access to what
Acceptable Use Policy: Specifically, what programs and activities employees are or are not permitted to access
Incident Response Policy: Outlines how the firm will handle a security incident