How To Start a Hedge Fund in Asia: Getting Technology Right
As Asia begins to recover from the immediate impact of the COVID-19 pandemic, the region’s long-term growth potential is likely to continue to attract new hedge fund launches.
Setting up shop in Singapore or Hong Kong is a well-trodden path for keen managers, but those embarking on this journey still need to prepare fully for the challenges ahead – and cybersecurity is an increasingly important element to consider.
“Security is of paramount importance,” says Michael Steinkuhl, director for the Asia-Pacific region at technology provider ECI. ECI works with hedge funds and financial services organisations to set up and optimise their technology infrastructure and capabilities, especially in relation to cybersecurity.
Cybersecurity is of increasing importance to hedge fund managers and investors – and start-ups need to have a particular focus on it. Recent high-profile cases such as Levitas Capital, which was forced to close due to the reputational damage caused by a cyberattack, have focused the minds of investment professionals on the security of their data and systems.
Even though start-up hedge funds are relatively small companies, they are prime targets for cyber criminals whose methods are increasingly sophisticated. Senior staff must prioritise security, even if they have been trained in it at previous employers.
“Start-up managers are often on their own for the first time, or at least with a new team, as they build out a core team during initial stages of growth. They’re working with a number of new service providers, so seeing requests from unfamiliar names; probably starting off with personal laptops and working-from-home or a shared office environment. They haven’t yet defined security policies or engaged in security training. All of these make new managers more vulnerable to potential threats,” Steinkuhl points out.
“A common misconception is that start-up managers would be off anyone’s radar for an attack since they’ve had much less public press and are likely managing much less AUM than the more established fund managers. However, a lot of threats aren’t specifically targeting just one recipient, but rather casting a wide net, and the start-up manager might just happen to be in someone’s contact list. These new managers have a lot more skin-in-the-game now that it’s their own firm, their name on the wall, so to say. They’re in the C-suite and likely more accountable to their local regulator. They need to be actively involved in security now they’re managing their company policies and maybe even personally liable, depending on the regulator.”
Understanding the threats
The most common method of attack is phishing scams. These are increasingly sophisticated and difficult to spot. Hackers can send fake invitations to video calls, for example, and just one or two clicks can give attackers access to servers or email accounts.
A successful phishing attack may go unnoticed for months. During this time, hackers will wait and observe how people communicate before beginning to copy their style.
“People are patient. They will sit there, learning how you construct emails, who you’re communicating with, and trying to understand internal processes – especially around payments,” Steinkuhl explains. “If you break into a hedge fund, most of the information it holds is public information. For some there is the ‘secret sauce’, the algorithm, but for the most part the hacker wants to get into the payment process, learn which colleagues make requests and to whom and the language they use.”
Attacks targeting Microsoft Office 365 – one of the most widely used corporate software systems – are increasingly common and have become commoditised, according to Steinkuhl. Login portals and email addresses are easy to obtain or guess, and despite years of awareness efforts and training, many people still use simple passwords or re-use passwords across different services. Most systems will lock if too many incorrect guesses are made, but patient hackers will take their time guessing passwords to avoid triggering security measures.
The best way to protect against these sorts of threats is to employ multi-factor authentication and act with caution, Steinkuhl says. Ultimately, however, hedge fund managers should invest in a strong IT support function with a fully resourced cybersecurity capability that can immediately respond if a phishing attack succeeds in gaining entry.
For most new hedge funds setting up in Asia, it would not make sense to use up expensive office space with physical servers when staff can work securely using cloud computing technology, Steinkuhl explains. Quantitative strategies may seek to augment cloud software with their own proprietary systems, but these require maintenance and for most start-ups running long-short equity or similar strategies, this is not necessary.
Using cloud-based systems also ensures a team has full flexibility in location. This is important when traveling to visit clients or companies, but as everyone has experienced in the past two years, remote working is now a ‘must-have’ for most businesses.
It is not just online threats that hedge funds must protect against. When setting up a new office space, there are several important security considerations.
Serviced offices are understandably becoming more popular with start-ups, given the flexible terms and ability to scale up or down as headcount changes compared to a traditional rented office space. However, Steinkuhl highlights that serviced offices often host a range of businesses, and hedge funds selecting this route must ensure they have their own security measures in place due to the heightened sensitivity of their investment and client data, and their overall responsibility to their clients.
Public Wi-Fi can be a big security risk. A shared internet service with a password openly available can easily be cloned, giving a hacker the ability to control users’ access using just a laptop, direct them to compromised websites, and steal login details. Also, there’s potential for any other device using that shared Wi-Fi to become infected and then laterally attack other computers. Both have already been observed in airport lounges.
In many shared offices, the server rooms are not really segregated based on tenants. Once in the server room, you can often very easily access the physical equipment of other tenants, whereas in a data centre, server ‘cabinets’ are subdivided and locked and you only access your own equipment.
“Also, many service providers require hedge funds to whitelist an IP address, so they can connect straight in and easily transfer files. That’s not possible in a shared office environment – all the other tenants have that same IP address,” he says.
“We can help people using shared offices understand these risks and take the correct steps so that they can leverage the benefits of a serviced office while ensuring optimal security,” advises Steinkuhl.
Internal versus external resources
The cost associated with cybersecurity often means hedge funds in Asia do not dedicate sufficient resources to it, especially start-up hedge funds which are more sensitive to each expense, Steinkuhl says. Many hedge fund managers in the US have a dedicated chief technology officer or chief information security officer, for example, but in Asia it is rare to see this in all but the very largest firms.
Having a dedicated IT team can improve a hedge fund’s technology, but the demands of cybersecurity can stretch its resources. This is especially the case if it also has responsibility for other IT development and maintenance work. Bringing in external specialists to oversee cybersecurity can enhance a hedge fund’s IT infrastructure while freeing up internal resources and improving efficiency.
“Cybersecurity is a very specialised area and one of the fastest-evolving landscapes in technology as the threat actors try to stay ahead of the security and vice versa,” Steinkuhl says. “It’s almost impossible to stay up-to-date without a dedicated team focusing on this. We’re providing specialised expertise and 24x7 security monitoring, so you can focus on what you were actually hired for and providing more value to your business.”
“For example, if data scientists are also looking after how the data is transferred from the provider into your company securely, that’s not their job and maybe not their area of expertise, which could give a false sense of security. For the most part, they are quite happy if someone else can take this task out of their hands.”
It’s an approach that ECI embraces internally, too. “From a security perspective, we help with incident response, with regulatory compliance, and with due diligence,” Steinkuhl says. “These teams and functions are completely segregated, as we don’t want people bogged down with things that are not part of their job.”
An outsourced security provider can take on key-person risk often associated with internal resources. In addition, it opens a much deeper pool of expertise than most hedge funds are able to establish internally. ECI’s teams have a high level of institutional knowledge built up over years of working in the IT and cybersecurity arenas.
As cyber criminals grow more sophisticated and determined in their efforts to infiltrate hedge funds, senior leaders cannot afford to undervalue cybersecurity. Dedicated expertise can complement an internal IT team or provide full coverage to a lean start-up investment firm with robust IT infrastructure from the get-go, giving clients reassurance that their money is in safe hands.