It was a ploy as brazen as it was ingenious.

A team of rogue traders from the U.S. teamed up with clever hackers and traders in Ukraine to break into the servers of major media firms. The plan was to steal soon-to-be announced reports of earnings and other business dealings connected to HP, Boeing, Ford, Bank of America, Home Depot and others, and make trades ahead of the news.

Early one morning last month, the traders were arrested in their homes in the U.S. while arrest warrants were issued for hackers in Europe. U.S. authorities also seized $6.5 million in bank and brokerage accounts, and plan to charge 30 defendants with stealing information from two newswire services. According to the SEC, the hackers and traders stole $100 million in their insider trading scheme.

The hacked information? Press releases.

"The traders are alleged to have used this nonpublic information in a short window of opportunity to place illicit trades in stocks, options and other securities, sometimes purportedly funneling a portion of their illegal profits to the hackers," said the SEC.

Once a source of agita mainly for commercial banks and credit card companies, hackers are now training their sights on investment firms, broker-dealers and hedge funds.

News of hack attacks, distributed denial-of-service attacks that take down a business' servers, and cyber-threats by so-called hacktivists have been gaining in urgency in the past year.

According to industry observers, hedge funds are ripe for cyberattacks. As a $2 trillion industry, U.S. hedge funds boast high-net-worth clients, have leaner operations that rely on vulnerable technology such as cloud computing, and must deal with broker-dealers and third-party IT and financial services providers.

In what ultimately might be their weakest link, hedge fund managers deal in a world of high risk and near anonymity. Even if they are hacked, many hedge funds would not come forward to admit that their servers have been breached and their client data compromised.

"Hedge funds hold a tremendous amount of capital, incredibly sensitive proprietary information and valuable algorithms, but they are small shops and often have weak IT," Assistant U.S. Attorney General John Carlin told an audience of hedge fund professionals at a conference in Las Vegas in May.

Carlin urged hedge fund managers to share information about attempted hacks and phishing schemes. He called the managers' traditional refusal to report these violations a "payday" for hackers.

"It means they can conduct their activities cost-free, they can keep getting better at stealing information, and no one is improving on our end by sharing information to prevent it from happening."


So far, the attacks in the asset management space have been twofold, according to Mark Clancy of Soltra. First are the run-of-the-mill operations where a hacker finds a hedge fund employee's LinkedIn or Facebook account and emails him or her malicious software with clickable links; the hacker then steals the employee's credentials or encrypts the hard drive.

In other cases, there have been targeted attacks in the hedge fund space where the employee's credentials are used to move client funds. This is called an account takeover, where hackers attempt to rob the fund's actual bank accounts. To do this, hackers obtain the credentials of more than one person in the hedge fund because these transactions require the approval of multiple managers.

"They realize that financial firms like hedge funds have large-balance business accounts, and conveniently send money to all types of places," Clancy said. "If you're a hedge fund that trades in commodities, wiring money to an oil-rich nation outside the U.S. is probably not an unusual transaction for you."


There's no mystery as to why hackers have now shifted their attention to asset managers and hedge funds. "Knowing that they have information from high-net-worth investors, hedge funds have bank account numbers, personally identifiable information and wire transfer information for these investors; they are a target," said Brian Lozada of Abacus, a financial security solutions provider.

Aite Group analyst Denise Valentine agrees. Credit cards may be the low-hanging fruit, but hackers cannot resist this lure despite the security that banks and investment firms put in place.

"Every firm has their own unique infrastructure like firewalls, but the culprits are as smart and have as much experience as you," she said. "It's quite a race to the finish to see who will come out on top."

According to Valentine, third-party vendors could be the weak link in the chain of security. Further, hackers can break into a hedge fund's network via the most mundane and least sexy of avenues: human resources or accounts payable services, for example.

For Valentine, it all comes down to stringent due diligence. "Vendor risk management means asking, What information am I giving? What are benefits and travel agency vendors doing with the information?"


Regulators are not taking the threat to hedge funds and other smaller asset managers lightly. Last April, the SEC issued its first-ever Cyber-Security Guidance recommendations. Why? "Because of the rapidly changing nature of cyber-threats, the [Security] Division will continue to focus on cyber-security and monitor events in this area," the SEC report stated.

Likewise, the DTCC issued a white paper entitled "Beyond the Horizon: A White Paper to the Industry on Systemic Risk" to warn that "financial institutions face considerable threat from malware that can be sent by 'hacktivists' through email attachments or compromised Websites." It added that "[t]hese hacktivists are likely to use social networking tools to identify and attack the machines of targeted individuals within financial companies."

The measures are good, Clancy says, but he adds that regulators must do more, faster. "The challenge is that regulatory frameworks tend to be fairly static by the nature of how these rules get propagated, and these problems are very dynamic."
