In mid-June I wrote here about an audacious hack on a large hedge fund reported by CNBC. CNBC was told by an executive at BAE Systems, a consulting firm that the hedge fund hired to analyze the problem, that in late 2013 hackers successfully installed malware on the hedge fund's servers through a "spear phishing" email that hedge fund employees opened. To make a long story short, this malware reportedly was designed to build a lag into the firm's order entry system that not only undermined the hedge fund's strategy but also let the hackers "easily copy that information out of the network and replicate it, trade ahead of it, trade around it, et cetera."
This was the latest eye-opener for hedge funds and other asset managers trying to get their arms around the scope of their potential cybersecurity exposure. Alas, it turns out the story spun by the BAE executive was fiction. On July 2, CNBC reported that BAE acknowledged that the BAE executive "incorrectly presented" the alleged incident. BAE Systems spokesperson Natasha Davies confirmed that the alleged hack was not a real event after all, but rather was just a "scenario" or "illustrative example" used by cyber experts inside BAE Systems. "We offer our sincere apologies," said Davies, adding that the executive who made the incorrect statements was now "taking some time away from the business."
Although the reported hack was not real, cybersecurity experts say that the scenario described was not far-fetched. In my monthly column for Compliance Week that will be available here on Tuesday, I will explain why that is, and why hackers and the SEC are now keeping a close eye on hedge funds and asset managers.