Do More for Your Hedge Fund’s Cyber Security

U.S. regulators are increasingly dialing up the heat on hedge funds to better protect against cyber threats, as cyber security becomes a more prominent concern within the global financial system.

After slapping investment advisory firm R.T. Jones with a $75,000 penalty for a 2013 data breach, the SEC kicked off 2016 by claiming it will increase its efforts to enforce security rules at hedge funds. Meanwhile, directors at the Hedge Fund Standards Board made statements urging fund managers to “take further steps to protect their crown jewels” by keeping their valuable information and resources safe from hackers.

Still, more than halfway through 2016, many hedge funds are behind the 8-ball in protecting against cyber crime. Attack methods are evolving, and financial firms are in the crosshairs. Even for those who are compliant with the SEC-mandated NIST cyber framework, breaches can and do occur, often leading to disastrous consequences.

But why?

Well, one significant issue is that hedge funds are centering their cyber security approach around a compliance model that’s at least two years behind their current security demands. The NIST cyber framework, which the SEC has adopted as its standard, was introduced in 2014. And given the time-consuming process required for updating NIST models, the current framework is likely much older than that, and future updates are sure to be behind the times, too!

You see, whenever NIST needs to revise the security framework, a small group of analysts examines the existing model, identifies gaps and vulnerabilities, makes its updates, then sorts through the layers of red tape required for publishing an update. Next comes a request-for-comments period lasting three to four months, followed by revisions to accommodate those comments. When all is said and done, the time from starting the update to its release can be one to two years.

NIST recently published a revision for comment and issued a summary of observations in April. The agency is planning a release sometime in 2017.

Rather than relying solely on the NIST update, which will already have outdated components by the time of its publication, hedge funds should seek to go beyond the compliance checkbox and build proactive security programs on par with the best and latest practices in cyber security.

This is vital not just because of the importance of protecting your data, but also because of the financial impact. The SEC often levies fines after a data breach — take the $1 million fine that Morgan Stanley ate after a third party was able to hack into customer information that an employee had transferred onto a personal server.

The best resource to support this type of development is a dedicated consultant, either within the team or from an external vendor partner, who is up to date on the latest in cyber security and well-versed in the NIST standards. These professionals can drive growth within your security operations and keep your security team informed about any new developments that could impact your organization.

Gotham Security can help hedge funds of all sizes drive the changes needed to bring security programs up to snuff. Our experts specialize in security specifically tailored to the financial sector, meaning they can help you stay compliant with the regulations and prepared for the kinds of attacks you’ll experience in the real world. Whether you need a full-scale security operations center keeping watch on your systems or a professional consultant for building your internal capabilities, Gotham has the skills and experience you’ll need.

For more about Gotham Security and how our services improve hedge funds’ security, call us at 937-734-4120 or email info@gotham-security.com.