An Obama administration official showed up at the SALT conference last week to warn the hedge fund industry and its investors of the distinct risks they face from hackers and cyber terrorists. According to the official, information held by hedge funds is valuable to criminal cartels around the world, and to others that want to create disruption in the domestic or global financial markets and systems. In today's report, we glean some important takeaways from the warnings, comments by officials and industry insiders, and the clear messages the Obama administration is sending hedge fund managers and investors by way of the Department of Justice.
The Financial Times reported from Anthony Scaramucci's SALT conference in Las Vegas last week that the Obama administration is demanding hedge fund managers wake up to the new realities of cyber risk and recognize the "weak link" status their industry holds for investors and more broadly, the nation.
John Carlin, assistant attorney general for national security, was sent by the Department of Justice to warn managers and investors that they hold formidable risk from criminal cartels, fringe governments, and militaries around the world. According to Carlin, information at hedge funds is particularly desirable to those seeking profit, disruption in financial systems, or both. The full FT article is here: http://on.ft.com/1JzCrDe
Hedge funds are a weak link in the US financial system's defences against hackers and terrorists, the Obama administration has warned the industry.
Stephen Foley for the Financial Times, reporting from SALT, Las Vegas
According to Carlin, banks have already been down this road and are rapidly beefing up information security at every level but hedge funds haven't taken even the first steps. Yet, hedge funds hold enormous levels of capital and influence in the world's financial markets. Their trading systems, proprietary information, sensitive personal and financial data on employees and investors, and coveted reputations are all at risk, evidently well beyond their recognition and understanding of the issues.
Hedge funds hold a tremendous amount of capital, incredibly sensitive proprietary information, and valuable algorithms, but they are small shops and they often have weak IT.
John Carlin, assistant attorney-general for national security.
According to the Financial Times, Carlin held a closed-door meeting at the conference in order to relay a few direct messages to the hedge fund industry, including:
As an industry, especially considering the unique role hedge funds play in the domestic and global financial systems, they are vastly unprepared for the current environment, much less what is developing.
The Obama administration does not have an appetite for non-reporting of breaches and incidents.
The hedge fund industry is expected to participate in Obama's efforts to bring information security intelligence forward, and to participate in the collaborative corporate and government level systems he and his administration are advocating.
Hedge fund investors be warned of the multi-dimensional information security risks they hold, albeit inadvertently.
There are other meaningful takeaways embedded in the administration's warnings and comments by officials and industry insiders, including:
#1 - Apathy Still Rules
There is no greater bastion of apathy than that in cyber security, and Scaramucci says it best: "You do not feel insecure until you are breached. The average person in the financial sector - myself included - is not as focused on these threats as they need to be."
Stephen Foley of the Financial Times picks up on the apathy issue with cyber security when he describes Scaramucci's through his comment as a "tough sell."
The seeds of this apathy can be found deep in the human psyche. People are overly motivated by the potential for small gain and vastly underestimate significant risk, especially when it is "virtual", and even if the consequences are very "real." Additionally, we are still wired to manage "local, linear, and analog" risk, and yet our greatest vulnerabilities are fast and predominantly becoming "global, exponential, and digital."
It is going to take much effort over a long period of time to create broad initiative, support, and advocacy, and they are going to be required at many levels before pre-emptive and pro-active defense becomes the norm. The hedge fund industry needs to make a vigorous, concerted, and collaborative effort to address the issues, and start now to avoid an industry-level crisis.
For more insight into apathy in privacy and information security at every level, especially personal, consider this:
In the last ten years, our lack of appreciation for the value of our information has created some of history's largest fortunes in the shortest amounts of time. With our personal information, we engage in volumes of losing trades every day as others arbitrage the broad disconnect in our understanding in the most ingenious though sometimes unscrupulous ways imaginable. For more on the subject, see our report: "How to Become a Billionaire by Age 25."
The risk to personal and professional information has become asymmetrical. For the counter-party, our information may be desirable and perhaps even valuable, but it is also disposable. For us, it is now irreplaceable.
“You do not feel insecure until you are breached. The average person in the financial sector — myself included — is not as focused on these threats as they need to be.”
Anthony Scaramucci, Skybridge and SALT conference leader.
For more on apathy in cyber security, see Dr. Punam A. Keller's recent article in the Wall Street Journal, "I Should Worry. But I Don't." Dr. Keller is a professor of marketing at Dartmouth's Tuck School of Business. She is an expert in behavioral change, and the article is autobiographical. We loved this article as it is perfectly consistent with our view, and her five points of recommendation are a direct reflection of the core elements of our mission statement and operating precepts.
Read Dr. Keller's Wall Street Journal article here: "I Should Worry. But I Don't."
Actually, it's more. And apathy is the reason. Especially if you extrapolate the exponential progress innovation is making in the area and contrast it to our desire and ability to change. As a result of the delta between the two, at some point in the future, some elements of cyber security will be in the form of a public service. The probabilities of a breach are too high, are advancing at very high rates, and the potential consequences are too deep to ignore, especially as physical and virtual crimes continue to converge. The public sector will eventually absorb some level of cyber risk mitigation to protect vital community interests and patch the delta as a result of persistent apathy in information security.
So, how does "Cyber Security as a Social Science" relate to the hedge fund industry? Leadership and training. On an organizational level, it is not going to work without training that is incorporated into the fabric of the culture of the enterprise. Without training, the greatest threat is predominantly internal and unpredictable. The best leaders will understand the value they can bring to shareholders, employees, customers, and vendors by advocating and demonstrating life-skills that apply to every level of an active, engaged, and productive life.
Cyber security needs to be as well understood as fastening a seat belt and staying out of dark alleys. The internet holds the world's information and knowledge, and fear and risk should not stand in its way. For any possibility of personal autonomy and a functional everyday life, cyber security needs to be understood at an individual level in order to maximize the benefit of any technology, and training will produce multi-dimensional, short and long-term benefits for the organization that performs it well.
We visited one of the most entrepreneurial universities in the nation to talk about cyber security as a social science, and the report can be accessed here: "ERAU - at the Leading Edge of Cyber Security as a Social Science."
#3 - It's All About the Perimeter Environments
Medium and large enterprises around the world have invested for decades in IT security. The centralized, server-based architecture was managed like it was a hand from above and users of the technology just needed to know they shouldn't trade passwords. That changed dramatically in 2007 when Steve Jobs held up the first iPhone and said "This changes everything." He was pointing to the first phone Apple ever developed, but he was specifically referring to the smartphone. It was in 2007 that computing went mobile and the smartphone started its rise to become the fastest-spreading technology in history, far surpassing the automobile, TV, PC, and even the internet itself.
Now, the managers of the centralized technology architecture have no control over what is really happening in the course of daily business and routine operations, and hackers, criminal cartels around the world, and some of the most unscrupulous characters on the planet are loving every second of it. One doesn't need a gun, much less an army, and can operate and trade with anonymity to plunder or panic in any way they please. The internet has successfully democratized cyber risk and now, there is no looking back.
For more, see from the New York Times, "How My Mom Got Hacked."
Cyber Security Fundamentals for hedge funds
Assume a Leadership Position in the Matter - Hedge fund leaders should feel empowered to make a difference. The industry needs to be internally vocal and provide resources all the way down the food-chain of players. Peer pressure, intelligent dialogue, collaboration, and relentless attention to the issues are paramount.
Provide Meaningful, Effective, and Ongoing Training - Information security is no longer just the IT department's job and as someone once said, "It takes a village." Like the corporate sector has addressed crucial issues before such as diversity, this takes an all-in approach that starts at the top and is integrated deeply and broadly across the organization.
Protect the Perimeter, Immediately - From a central, corporate standpoint, such as headquarters and regional offices, large and highly successful hedge funds have robust IT departments that are highly aware of the risks, and they manage and mitigate them as well as anyone today. Still, this elite level of the industry faces formidable challenges at the perimeters of their environment. It is the intersection of daily life and the internet where the emerging risks are taking seat and facing the challenges of behavioral change and accountability. Fortunately, the new breed of innovative solutions is software-defined, cloud-enabled, and requires a minimal, if any, level of behavioral change and user interaction. Research, strategy, and a plan that will nimbly and dynamically manage the massive change we will see in the immediate to intermediate future in both problems and solutions are imperatives for ongoing effectiveness, cost-control, and sheer survival.
For Smaller Hedge Funds - For smaller hedge funds with inadequate IT support to manage the complexities of the new environment it is now clearly a matter of acknowledging the risk vs. reward equation that is at stake, and to find answers that serve their particular challenges. Fortunately, IT security is morphing from the traditional "break/fix" reactive model, to security-as-a-service, or SECaaS. This new model provides fixed IT costs and is pre-emptive by nature. SECaaS is simple to use, highly effective and affordable, and is delivered without hardware or the need for on-site IT support. We will continue to see strong progress in innovation with SECaaS and it is increasingly imperative for any organization of any size to understand their options in the space, not only at the central-office, but even more especially at the perimeter and remote locations.
The Democratization of Cyber Risk vs. The Commoditization of Solutions
As the internet has democratized cyber risk, so is it democratizing cyber-security technology. Innovation and progress are accelerating and guaranteed to bring better, easier, faster, and cheaper security solutions regularly in the present and immediate future. There will never be 100% security and it will always be a game of "cat and mouse", but the risks can be managed and significantly mitigated in a highly cost-effective manner. But, to fully leverage the progress, good decisions must be made now in order to strategically position the enterprise to manage the dynamic environments of both threats and solutions.
Total Digital Security is the premier resource for all things related to innovation in cyber-security, the deployment of SECaaS in distinct environments, and effective and economic strategies for managing hyper-change in information security.