Third-party administrators for alternatives managers are double- and triple-checking their cyber defenses following revelations that two firms in the past six months have been hit by hackers.
Sources would not name the firms that were subject to email phishing but said both attempts were thwarted before any information was accessed.
Despite their lack of success, the attacks raised red flags for an industry that has worked behind the scenes in investment for years. With asset owners boosting their allocations to private equity, real estate and hedge funds, administrators have seen an increase in both business and in the information they hold.
Fund administration is “pretty well known now with the shift over the last 15 years by private equity firms and hedge funds to outsource their back office,” said Chad Burhance, CEO of NewOak Credit Services, a New York fund administration firm targeting private credit. “People who know finance are aware of administrators. Plus, the countries where a lot of these hacks come from have sovereign wealth funds which use third-party administrators. So hackers know this market is there and what administrators have.”
W. Reece Hirsch, who advises third-party fund administrators as partner and co-head of the privacy and cybersecurity practice at the law firm of Morgan, Lewis & Bockius LLP, San Francisco, said while cybersecurity concerns reflect a trend across all industries, “it's particularly true for financial vendors. They're handling large volumes of data, and often the legal responsibility for that data remains with the financial institution.”
Hackers looking at fund administrators could be working alone, but sources said that, increasingly, many are in criminal rings or work as agents for countries that have their own motivations for cybercrime.
“If you look at the transition in cybersecurity in the last five years, previously cybercriminals were interested in a specific target,” such as Social Security or credit card account numbers, said Ben Carr, technical director of security strategy, Americas, at Tenable Network Security Inc., a Columbia, Md.-based cybersecurity software developer. “Now it's the monetization of the data that was hacked. First it was ransomware, then it transitioned to criminal organizations that were looking to monetize. It's become a longer-term intellectual property play, both by criminal groups and by states like North Korea.”
Earlier this month, cybersecurity company FireEye Inc., Milpitas, Calif., and the Securities and Exchange Commission warned of an email phishing campaign against employees tasked with filing 10-Ks and other documents with the SEC. FireEye said the scheme involved emails alleging to be from the SEC sent to filers whose names were on previous 10-Ks with a link to an updated 10-K form; the link instead would download malware that could obtain confidential information from the filer's employer.
“For the fund business sector, if a system gets compromised and you can't execute trades or respond to margin calls, you may have some losses or, in the worst case, go out of business,” said Lisa McLaughlin, vice president, corporate security and data integrity, SS&C Technologies Holdings Inc., Windsor, Conn. SS&C provides software for third-party administration as well as operates its own fund administration business.
SS&C takes a “risk-based approach” to cybersecurity, Ms. McLaughlin said, an approach echoed by others interviewed for this story. “To protect the client, any information held is in a risk-assessment structure. Any assets that are exposed to risk, we mitigate that risk.”
Part of that risk assessment is to remain proactive rather than reactive to cyber threats, and Ms. McLaughlin said that includes monitoring media reports of cyber breaches in all kinds of industries, not just financial services.
“Media reports are vital” to remain proactive in gauging the risk to security protocols in place, she said. “Prediction is part of assessing risk.”
As hackers have targeted people as the weakest link in data security, Ms. McLaughlin said administrators have targeted the education of employees to avoid the inadvertent click on a link that could send information pouring out to criminals.