Third-party administrators for alternatives managers are double- and triple-checking their cyber defenses following revelations that two firms in the past six months have been hit by hackers.
Sources would not name the firms that were subject to email phishing but said both attempts were thwarted before any information was accessed.
Despite their lack of success, the attacks raised red flags for an industry that has worked behind the scenes in investment for years. With asset owners boosting their allocations to private equity, real estate and hedge funds, administrators have seen an increase in both business and in the information they hold.
Fund administration is “pretty well known now with the shift over the last 15 years by private equity firms and hedge funds to outsource their back office,” said Chad Burhance, CEO of NewOak Credit Services, a New York fund administration firm targeting private credit. “People who know finance are aware of administrators. Plus, the countries where a lot of these hacks come from have sovereign wealth funds which use third-party administrators. So hackers know this market is there and what administrators have.”
W. Reece Hirsch, who advises third-party fund administrators as partner and co-head of the privacy and cybersecurity practice at the law firm of Morgan, Lewis & Bockius LLP, San Francisco, said while cybersecurity concerns reflect a trend across all industries, “it’s particularly true for financial vendors. They’re handling large volumes of data, and often the legal responsibility for that data remains with the financial institution.”
Hackers looking at fund administrators could be working alone, but sources said that, increasingly, many are in criminal rings or work as agents for countries that have their own motivations for cybercrime.
“If you look at the transition in cybersecurity in the last five years, previously cybercriminals were interested in a specific target,” such as Social Security or credit card account numbers, said Ben Carr, technical director of security strategy, Americas, at Tenable Network Security Inc., a Columbia, Md.-based cybersecurity software developer. “Now it’s the monetization of the data that was hacked. First it was ransomware, then it transitioned to criminal organizations that were looking to monetize. It’s become a longer-term intellectual property play, both by criminal groups and by states like North Korea.”
Earlier this month, cybersecurity company FireEye Inc., Milpitas, Calif., and the Securities and Exchange Commission warned of an email phishing campaign against employees tasked with filing 10-Ks and other documents with the SEC. FireEye said the scheme involved emails purporting to be from the SEC, sent to filers whose names appeared on previous 10-Ks, with a link to an updated 10-K form; the link instead would download malware that could obtain confidential information from the filer’s employer.
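The lure described above works because the message claims one identity (a sec.gov sender) while its link resolves somewhere else. The following is an added illustration, not code from the article, FireEye or the SEC, of the kind of mail-gateway check a fund administrator's security team might run: it parses a message, compares the sender's domain against the host of every link in the body, and flags mismatches and links to executable downloads. The trusted-domain set, the two sample messages and the executable-extension list are all constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: domains a sender claiming to be the SEC may legitimately link to.
TRUSTED_DOMAINS = {"sec.gov"}
# Assumption: link paths ending in these extensions are treated as executable downloads.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".msi")

HREF_RE = re.compile(r'href=["\']?([^"\'\s>]+)', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def registrable_domain(host):
    """Last two DNS labels (sec.gov, example.net). Crude, but enough for .gov/.com lures."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(body):
    """Collect both href targets and bare URLs from an HTML or plain-text body."""
    links = set(HREF_RE.findall(body))
    links.update(URL_RE.findall(body))
    return sorted(links)


def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_suspicious_links(raw_email):
    """Return one finding per link whose host does not match the claimed sender domain
    or whose path looks like an executable download."""
    msg = message_from_string(raw_email, policy=policy.default)
    claimed = registrable_domain(sender_domain(msg))
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    findings = []
    for link in extract_links(body):
        parsed = urlparse(link)
        target = registrable_domain(parsed.hostname or "")
        if claimed in TRUSTED_DOMAINS and target != claimed:
            findings.append({"link": link, "claimed": claimed, "actual": target,
                             "reason": "link host differs from claimed sender domain"})
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append({"link": link, "claimed": claimed, "actual": target,
                             "reason": "link points at an executable download"})
    return findings


# Constructed sample: a lure in the style the article describes (sender claims sec.gov,
# link goes to an unrelated host and fetches an executable). Not a real campaign artifact.
CONSTRUCTED_PHISH = (
    'From: "SEC EDGAR Filing Support" <filings@sec.gov>\n'
    "To: filer@example.com\n"
    "Subject: Updated 10-K form required\n"
    "Content-Type: text/html\n"
    "\n"
    '<html><body><p>Please download the <a href="http://10k-update.example.net/form10k.exe">'
    "updated 10-K form</a> before your next filing.</p></body></html>\n"
)

# Constructed benign counterpart: same claimed sender, link stays on sec.gov.
CONSTRUCTED_BENIGN = (
    'From: "SEC EDGAR Filing Support" <filings@sec.gov>\n'
    "To: filer@example.com\n"
    "Subject: EDGAR filing reminder\n"
    "Content-Type: text/html\n"
    "\n"
    '<html><body><p>Log in at <a href="https://www.sec.gov/edgar">EDGAR</a>.</p></body></html>\n'
)


if __name__ == "__main__":
    for f in flag_suspicious_links(CONSTRUCTED_PHISH):
        print(f"{f['reason']}: {f['link']} (claimed {f['claimed']}, actual {f['actual']})")
    print("benign findings:", flag_suspicious_links(CONSTRUCTED_BENIGN))
```

A gateway would normally pair this with SPF/DKIM results, since a From header is trivially forged; the point of the domain comparison is that even a message that passes those checks should not send a filer off-domain for a form.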
“For the fund business sector, if a system gets compromised and you can’t execute trades or respond to margin calls, you may have some losses or, in the worst case, go out of business,” said Lisa McLaughlin, vice president, corporate security and data integrity, SS&C Technologies Holdings Inc., Windsor, Conn. SS&C provides software for third-party administration as well as operates its own fund administration business.
SS&C takes a “risk-based approach” to cybersecurity, Ms. McLaughlin said, an approach echoed by others interviewed for this story. “To protect the client, any information held is in a risk-assessment structure. Any assets that are exposed to risk, we mitigate that risk.”
Part of that risk assessment is to remain proactive rather than reactive to cyber threats, and Ms. McLaughlin said that includes monitoring media reports of cyber breaches in all kinds of industries, not just financial services.
“Media reports are vital” to remain proactive in gauging the risk to security protocols in place, she said. “Prediction is part of assessing risk.”
As hackers have targeted people as the weakest link in data security, Ms. McLaughlin said administrators have targeted the education of employees to avoid the inadvertent click on a link that could send information pouring out to criminals.
SS&C’s phishing education programs were launched more than 10 years ago, Ms. McLaughlin said. “We do a new program every year. We have an intelligent line of defense every day. It’s a layered, defense-in-depth approach taken from the military, a deep defense that’s several layers into our system.”
She said it incorporates state-of-the-art cybersecurity approaches but also bases its framework on International Organization for Standardization guidelines “going back to the 1940s” as well as criteria from the 2002 Federal Information Security Management Act, a framework for protecting all U.S. government operations, information and assets; Payment Card Industry Security Standards, which sets rules and standards for all credit and debit card transactions; and the National Institute of Standards and Technology’s voluntary cybersecurity framework to help organizations manage cybersecurity risk.
“It’s not just firewalls and software,” said Mr. Burhance of NewOak. “It’s the human element, which is the single biggest threat in cybersecurity. Firms have taken on more secure email measures, with user registration and a second identity or password confirmation. … It’s no surprise managers are more aggressive in monitoring and requiring standards be set for their administrators.”
From the perspective of an alternatives manager, the cybersecurity of its third-party vendors “is critical,” said Dennis McCrary, managing director at private equity manager Pantheon (US) LLC, Chicago. “Everyone’s looking at both third-party administrators and our work in general. When we look for a third-party administrator, (cybersecurity) would be at the top of our list.” While Pantheon performs some of its back-office functions internally, it has outsourced some administration to State Street Alternative Investment Solutions.
Added Morgan Lewis’ Mr. Hirsch: “We’re seeing more managers requiring incident response plans from their vendors and will reject those administrators that don’t have them. Some may be satisfied with basic due diligence. The level of rigor (by managers) varies, but the definite trend is to (have) more formal written programs and audits of cybersecurity procedures. In the financial services sector, you’re dealing with sensitive information that can be exploited. They have Social Security numbers, account information.”
Third-party administrators also have boosted use of cyberinsurance, said Mr. Burhance at NewOak, who also is on the board of CyberFortis, a cybersecurity firm. “Managers want administrators to have (cyber insurance),” Mr. Burhance said. “Also, managers absolutely have control of the review and testing of cybersecurity needs. Threats change on a daily, weekly, monthly basis. Administrators are required to have a cyber risk policy. … There are all different points of vulnerability with complex operations.”
While managers are concerned about third-party administrator security, Mr. Burhance doesn’t think managers will decide to take more back-office functions in-house. “It would take a lot to bring these activities in-house,” he said. “That said, if they can’t find suitable firms that can guard their operations, then sure, it might revert back. But using third-party administrators isn’t just about saving money. You need that outside source for compliance and verification. Think back to what happened with Madoff. No one would want the manager to have all the data without having someone outside to monitor.”