When Hackers Attack Hedge Funds

News began to spread last month about an extraordinary cyber attack on a large hedge fund that struck at the firm’s high-speed trading apparatus. The assault appeared to take the hacking of financial firms to a whole new level.

According to an executive at BAE Systems, the firm was hired to help the hedge fund respond to the attack. He said that in late 2013 hackers used a tactic called “spear phishing” to trick hedge fund employees into opening e-mails that secretly installed malware on the hedge fund’s servers. Soon thereafter, the BAE executive said, the hedge fund began to realize that its high-speed trading strategy was no longer effective, due to unexplained lags in the time between when they issued trade orders and the execution of those orders.

After analyzing the problem, BAE concluded that the hackers had intentionally built a lag into the firm’s order-entry system that not only undermined the hedge fund’s strategy (and had a material effect on its performance), but also exposed that proprietary strategy to the intruders. The intruders could then “easily copy that information out of the network and replicate it, trade ahead of it, trade around it, et cetera,” BAE said. According to the firm, the hackers were likely able to use it to make significant trading profits.

The news of this audacious cyber attack has prompted the latest flurry of warnings to hedge funds, asset managers, and other investment firms about the quickly escalating need for firms to focus on and invest in cyber-security. Surely such warnings have caused plenty of anxiety at those firms.

Given the current threats to regulated entities such as investment firms and public companies, these warnings—and resulting anxiety—are completely warranted. Don’t, however, believe everything you hear about cyber attacks on Wall Street firms. Less than two weeks after the buzz about the attack on the unnamed hedge fund , BAE was forced to admit that the attack its executive described was not a real client case study at all, but was, instead, just an “illustrative example” or “scenario” used by experts inside BAE Systems. “We offer our sincere apologies,” a BAE spokesman said in early July. “It took some time” to conclude that the supposed attack had never happened.

Although the attack the BAE executives described was not real, it is by no means a far-fetched scenario. Indeed, cyber-security experts say the idea of hackers stealing hedge fund trading data to enable themselves to profit in the financial markets is entirely plausible. John Stark, managing director of digital risk-management firm Stroz Friedberg, said that the scenario is reminiscent of the 2007 case of SEC v. Dorozhko—or maybe “Dorozhko on steroids,” Stark said.

In Dorozhko, the SEC sued a Ukrainian citizen for insider trading based on information he obtained through hacking. The SEC alleged that Dorozhko purchased 630 put options after hacking into an investor relations firm’s secure computer network to unlawfully access earnings information for a company called IMS Health. When IMS Health’s below-estimates earnings were later announced to the public and the stock cratered, Dorozhko sold all of his IMS Health put options and realized profits of nearly $300,000.

Hacking the News

The SEC has brought similar cases against other hackers. In 2005, the SEC charged Estonian financial firm Lohmus Haavel & Viisemann and two of its employees with a scheme that allegedly involved the electronic theft and trading in advance of more than 360 confidential press releases issued by more than 200 U.S. public companies. The SEC alleged that Lohmus became a client of Business Wire, a leading disseminator of news releases and regulatory filings for companies, for the sole purpose of gaining access to Business Wire’s secure client Website.

Once the defendants had access, they secretly used a “spider” software program to gain unauthorized access to material information about other Business Wire clients (such as mergers and earnings releases) contained in non-public press releases, and used that stolen information to make over $10 million in illegal profits.

Hedge funds and other asset managers must understand that they are squarely in the crosshairs of hackers who view them as vulnerable, that an attack on their firm at some point is a near-certainty, and that their preparation and defenses to cyber attacks may well be subject to significant scrutiny by the SEC.

The SEC brought a similar case in 2007 against Blue Bottle, a Hong Kong company, and Matthew Charles Stokes, a citizen of Guernsey, for trading in advance of news releases by 12 different U.S. public companies after allegedly “hacking into computer networks or otherwise improperly obtaining electronic access to systems that contain information about imminent news releases.”

As hacking and cyber attacks have become more prevalent and destructive in the financial world, the SEC’s focus has gone beyond the hackers to also include the cyber-security policies and procedures of targeted companies. Stark said that although the SEC’s enforcement actions in the cyber-security area initially focused on the need for regulated entities to have adequate protections on customer data, that paradigm is also shifting. Now, Stark said, it is the SEC’s view that “asset management firms, especially hedge funds and investment advisers, need to have adequate cyber-security because if they don’t, the integrity of the global financial marketplace is at risk.”

The SEC Is Getting Concerned

SEC Chairman Mary Jo White and Commissioner Luis Aguilar have expressed this view in recent public statements. In her opening statement at an SEC roundtable on cyber-security earlier this year, White noted that the SEC’s formal jurisdiction over cyber-security is directly focused on “the integrity of our market systems, customer data protection, and disclosure of material information.”

That same day, Commissioner Aguilar stated that he, too, had become particularly worried about the risks that cyber attacks pose not only to public companies but “to the capital markets and its critical participants, including the exchanges, clearing agencies, transfer agents, broker-dealers, and investment advisers. Cyber-attacks aimed at these market participants can have devastating effects on our economy, on individual consumers, and on the markets and investors that the SEC was created to safeguard.”

Specifically, there are growing concerns that hackers will, if they have not already, gain sufficient access to the networks and systems used globally for high-speed trading, and they could disrupt or bring down such networks. In addition, U.S. Rep. Mike Rogers (R-Mich.) said last month that he fears that hackers such as those sponsored by China could steal inside information from trading networks and thereby undercut the integrity of the market by finding out “the value of trades and the value of mergers and acquisitions before they would happen.”

Cyber-security experts believe hedge funds are particularly vulnerable to cyber attacks. Tom Kellerman, chief cyber-security officer for security software company Trend Micro, recently stated that there has been an uptick in attacks on hedge funds over the past two years because, in his estimation, only about 25 percent of major hedge funds have adequate cyber-security protection.

Hedge funds tend to be smaller organizations, says Kellerman, often with little to no security personnel on staff. Some hedge fund managers may also be less focused on their cyber-security responsibilities because they have outsourced much of their IT infrastructure. Hackers are aware of this vulnerability, Kellerman said, and view hedge funds as low-hanging fruit. “The criminals have become aware there is far more money in market manipulation,” Kellerman recently told Bloomberg.

With the SEC is now viewing cyber-security as an issue that underpins the integrity of the global financial marketplace, it seems inevitable that the agency will seek to reinforce that message through an enforcement action in the near future. The prospect of such an action has likely been bolstered by the early findings of the SEC’s Office of Compliance Inspections and Examinations from its recent examinations of more than 50 registered broker-dealers and registered investment advisers for cyber-security readiness. In May 2014, an SEC official stated that the results of the first wave of examinations had been poor and “disappointing.”

In early July 2014, Bloomberg reported that the SEC had, in fact, opened multiple investigations into whether companies adequately guarded data and informed investors about the impact of breaches. Hedge funds and other asset managers must understand that they are squarely in the crosshairs of hackers who view them as vulnerable, that an attack on their firm at some point is a near-certainty, and that their preparation and defenses to cyber attacks may well be subject to significant scrutiny by the SEC.