
Steps Investment Management Firms Should Take to Prevent Cyber Attack on Their Data

By Hardeep

December 1, 2021

Cyberattacks are becoming more commonplace these days. 2017 saw an increase in cyberattack incidents all over the world. In the U.S., Equifax saw one of the largest cyber incidents with personal and financial information of over 143 million customers being stolen in one cyber attack.

According to Bloomberg, “Extra spending on security and lawyers in the wake of the hacking helped push third-quarter operating expenses to the highest on record, the Atlanta-based company said Thursday in a statement. The company also said it’s facing more than 240 class-action lawsuits and more than 60 regulatory or governmental inquiries.” In addition to the costs, the loss of reputation and consumer confidence is huge and hard to measure in real dollar terms.

This makes it even more pivotal for investment managers to make sure that their fund is well prepared against cyberattacks. In addition, even regulators are taking a stronger interest in understanding and assessing the resilience of regulated investment firms to cyberattacks. In this post, we will cover four topics: (a) What are an investment management firm’s key digital assets? (b) What are regulators looking for? (c) What areas should an investment management firm focus on? (d) What are the simple steps to take to get started?

What are an investment management firm’s key digital assets?

The key vulnerable digital assets for an investment management firm include personal and financial information of clients, proprietary trading models and algorithms, portfolio positions, risk, and trade execution details. All of these are highly critical pieces of data and should be strictly guarded against a cyberattack. If an investment management firm loses confidential client data in a cyberattack, this will lead to a huge loss in reputation, legal problems from both regulators and clients, and possibly the inability to raise new capital in the future.

As you can see, the consequences of losing personal and financial client data are severe. This is especially important for investment management firms using multiple prime brokers, custodians, and other third-party firms to perform their operations. Although the investment manager does not have direct control over the business functions of another company, they should do their due diligence and ask for proof that proper safeguards are in place before selecting a vendor. In addition, the investment manager should ask for up-to-date documentation on how the third party maintains strict cybersecurity standards. As an investment manager, you should check whether the vendor you are considering is listed on FINRA’s website under the Compliance Vendor Directory.

What are regulators looking for?

What are U.S. regulators expecting from investment management firms as far as cybersecurity due diligence and compliance requirements are concerned? Let’s cover the various departments.

Securities & Exchange Commission

As an investment manager, you should start by reviewing the information provided by the SEC at Cybersecurity, the SEC, and You. This is an important place to start the cybersecurity readiness for your investment management firm. Here, you can find detailed information on Regulation S-P, Subpart C — Regulation S-ID: Identity Theft Red Flags, and other critical compliance information related to registered investment advisors and their companies. Two other documents that provide detailed requirements, standards, and best practices are (a) Cybersecurity Guidance for Investment Advisers and Registered Investment Companies, and (b) Guidance on Business Continuity Planning for Registered Investment Companies. We recommend that you make sure that your risk and operations departments are aware of and following these documents and compliance requirements.

FINRA

FINRA’s cybersecurity website covers a lot of details related to cybersecurity and its approach to reviewing investment management firms and their ability to protect their clients’ information. They also review an investment management firm’s adherence to the SEC regulatory requirements. According to their website, “FINRA reviews firms’ approaches to cybersecurity risk management, including technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.” For smaller investment management firms, they provide a cybersecurity checklist. It also covers what an investment manager should do in case of a cyberattack or data breach.

US-CERT — Critical Infrastructure Cyber Community Voluntary Program

US-CERT is the government agency created in the early 2000s by the Federal Government in response to increased cyberattacks. In addition to other activities, its mission includes “responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world.” US-CERT is part of the Department of Homeland Security (DHS) initiative to help businesses in the United States adopt the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (the Framework). Investment management firms can find more information about the NIST Cybersecurity Framework on the NIST website; we recommend starting at the FAQ section.

What areas should an investment management firm focus on?

With cyberattacks, data breaches, and other cyber fraud getting increasingly sophisticated, there are some key areas that investment management firms should focus on to prevent the most common types of cybersecurity vulnerabilities. According to leading research, the majority of cyber attacks can be linked to human carelessness and errors. These attacks are also the easiest to prevent by following simple, but important guidelines. It is highly critical for investment management firms and their employees to adhere to these guidelines thoroughly and consistently in order for them to be effective in preventing cyber thefts, cybersecurity breaches, and attacks. Although these guidelines might seem strict, it is a lot easier to follow them and prevent a cyber threat, than to have to work on cleanup after the fact. To get started, you should focus on the following areas.

Most users tend to use easy-to-remember passwords. This also makes passwords more susceptible to cyberattacks. Hedge fund managers and their compliance and risk departments should ensure that, in order to mitigate risk, there is a password policy in place that requires complex passwords that incorporate numbers and special characters. It is also important that the password policies set forth by compliance are being followed. There should be regular checks to ensure this.

In addition, the investment management firm should set a limit on the number of login attempts and require that passwords be changed at regular intervals, to prevent hackers from guessing their way into your systems. Most banks have now incorporated two-factor authentication, which requires a randomly generated number in addition to the password for the user to be authenticated and allowed into internal systems. Investment management firms should incorporate similar two-factor authentication.

“Remember my password” features should be disabled in browsers and anywhere else they are offered. Storing login information with such a feature completely defeats the purpose of having login protection.
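The password controls above (complexity, login-attempt limits, periodic rotation) can be audited against a Windows domain’s default password policy. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed, and the thresholds it checks against are assumptions to be agreed with compliance, not figures from the post.

```powershell
# Added example (not from the original post): audit the domain's default
# password policy against the controls recommended in the text.
# Assumes the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Assumed minimum bar for each control; adjust to the firm's own policy.
$checks = @(
    @{ Name = 'Complexity required (numbers and special characters)'
       Pass = [bool]$policy.ComplexityEnabled }
    @{ Name = 'Minimum password length >= 12'
       Pass = $policy.MinPasswordLength -ge 12 }
    @{ Name = 'Login attempts limited (lockout threshold between 1 and 10)'
       Pass = ($policy.LockoutThreshold -ge 1) -and ($policy.LockoutThreshold -le 10) }
    @{ Name = 'Lockout lasts at least 15 minutes'
       Pass = $policy.LockoutDuration -ge (New-TimeSpan -Minutes 15) }
    @{ Name = 'Passwords rotated at least every 90 days'
       Pass = ($policy.MaxPasswordAge -gt [TimeSpan]::Zero) -and
              ($policy.MaxPasswordAge -le (New-TimeSpan -Days 90)) }
    @{ Name = 'Reversible encryption disabled'
       Pass = -not $policy.ReversibleEncryptionEnabled }
)

$failed = 0
foreach ($c in $checks) {
    if ($c.Pass) { $status = 'PASS' } else { $status = 'FAIL'; $failed++ }
    '{0,-4} {1}' -f $status, $c.Name
}
if ($failed -gt 0) {
    Write-Warning "$failed control(s) fall below the assumed bar; review the policy with compliance."
}
```

Fine-grained password policies applied to specific groups are not covered by this cmdlet; check them with Get-ADFineGrainedPasswordPolicy. Note that NIST SP 800-63B (2017) no longer recommends forced periodic password changes unless compromise is suspected, so agree the rotation threshold with compliance rather than treating it as fixed.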

Investment management firms should incorporate strict controls on who in the company has access to which systems. This access should be granted at various levels, for example, read-only access, or a more secure read-only access where sensitive information is scrubbed. Hedge fund managers should ensure that these user access privileges are reviewed on an ongoing basis.

If a workstation is left unattended and unlocked, even for a few minutes, it is completely susceptible to someone using it. In most cases, the individual will be able to install malware and/or spyware on the machine using a USB stick in a matter of seconds. We recommend locking your workstation every time you walk away from it. This practice should also be applied to mobile phones, tablets, and other devices that contain or can be used to access highly sensitive business information and data.

Getting an email user to open an attachment is the most common way for hackers to install malicious code onto a computer. Most of this malicious code has the ability to propagate within your investment management firm’s internal network and infect other computers and servers. These types of software also email other contacts in the person’s address book, significantly increasing the risk of other workers in your investment management firm being affected by the same spyware, malware, or computer virus.

Phishing is a type of online identity theft used by hackers and other cybercriminals to trick the user into providing sensitive information. This is usually done via email. In a typical scenario, the investment management firm employee will get a seemingly harmless email from a familiar source that they trust, which will ask them to click on a link that takes them to a familiar-looking, but fraudulent website. Once there, the user will be asked to confirm login credentials and/or other highly critical personal or financial information, which will be sent to the hacker.

Spear phishing is a more complex type of email-spoofing attack. In a spear-phishing attack, the email message will include details and other information that will make the user believe that it is coming from a highly trusted source, like other investment management firm employees or someone in a position of authority, like their manager. In these scenarios, the hacker has usually spent time targeting the employee and has researched them on websites like LinkedIn or other online websites before sending a highly targeted email.

In both scenarios, the investment management firm employees should be advised to not click on any links within the email and immediately inform their IT department or the compliance department. Hedge fund IT and compliance should share with their employees examples of real phishing email attempts. Another clever way of ensuring that your employees do not fall for a phishing attack is to send them a phishing email yourself and gauge their response. This will help the investment management firm employee become more vigilant to real phishing emails, and help you identify which employees might need more education and training.

What are the simple steps to take to get started?

The liability of securing the investment management firm’s “crown jewels” ultimately falls with the investment manager and their risk and compliance departments. It is a lot easier to prevent a cyber attack than to clean up after your investment management firm has been a victim of a cyberattack. This makes cybersecurity a highly critical responsibility for an investment manager, one that should not be ignored or put on the back burner.

However, unlike other operational risks, this one requires the involvement of all your employees and possibly third-party vendors. Investment management firms using third-party vendors should not simply rely on them to do their due diligence. In fact, they should be proactively asking questions and finding out as much detail about the vendor as possible. If a vendor is unwilling or unable to share critical information and facts, that is usually not a good sign. In addition, we recommend the following simple steps to get you started.

If you don’t already have one, compile a cybersecurity policy or guidelines for your investment management firm. Even more importantly, make sure that everyone in your investment management firm understands the importance of cybersecurity and the risks involved due to an attack. This can usually be done by providing education and knowledge material, having regular information sessions where employees can ask questions, and sharing with them examples of current cyberattacks.

Check the wired and wireless network security at your investment management firm. Is your investment management firm securing against a wireless cyber attack? Follow these tips and recommendations provided by US-CERT. For employees using any type of remote access, enable two-factor authentication. Make sure you or someone in compliance understands the risks associated with mobile devices. There is a comprehensive document by the US-CERT on mobile security, that covers portable storage media like USB sticks, and portable mobile devices like phones and tablets.

Most common cyber attacks use email to bypass network security and antivirus software installed within your internal network. It is highly important to secure your incoming and outgoing email messages. For starters, be wary of clicking links and opening attachments from anyone outside the investment management firm. Educate your team by sharing examples of real email phishing and other cyberattacks with them, and allow them to ask questions without reservation. Here is a detailed PDF by the US-CERT on Recognizing and Avoiding Email Scams that we recommend you share within your investment management firm.

As a rule of thumb, we recommend disabling USB support on your workstations. This not only prevents the installation of malware and spyware, but it also prevents the odd rogue employee from simply copying your business secrets and other data onto a USB stick and walking out with them.
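One way to audit, and optionally enforce, the “USB support disabled” control on a Windows workstation is shown below. This is an added example and not the post’s own procedure; it assumes it is run from an elevated PowerShell session and uses the USBSTOR service start type, which blocks USB mass-storage devices while keyboards, mice and other non-storage USB devices keep working.

```powershell
# Added example (not from the original post): report whether USB mass storage
# is disabled on this workstation and, with -Enforce, disable it.
# Assumes an elevated session. Start = 4 means SERVICE_DISABLED;
# the Windows default is 3 (start on demand).
param([switch]$Enforce)

$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Disabled   = 4

$current = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
if ($current -eq $Disabled) {
    "USBSTOR on $env:COMPUTERNAME: Start=$current (disabled, compliant)"
} else {
    "USBSTOR on $env:COMPUTERNAME: Start=$current (enabled, NOT compliant)"
    if ($Enforce) {
        Set-ItemProperty -Path $usbstorKey -Name Start -Value $Disabled -Type DWord
        "USBSTOR set to Disabled; applies to devices attached from now on."
    }
}

# Firms that push the control through Group Policy ("Removable Disks: Deny all
# access") will find it under this key; the GUID is the disk-drive device class.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
if (Test-Path $gpoKey) {
    $gpo = Get-ItemProperty -Path $gpoKey
    "Group Policy removable-disk restriction: Deny_All=$($gpo.Deny_All) Deny_Read=$($gpo.Deny_Read) Deny_Write=$($gpo.Deny_Write)"
} else {
    "No Group Policy removable-disk restriction found on this host."
}
```

A local administrator can reverse the registry change, so for a fleet the control belongs in Group Policy or endpoint management where it is re-applied and its drift is logged; also confirm that any encrypted USB drives the firm itself issues are covered by an approved exception before enforcing.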

In this post, we shared how you can better prepare your investment management firm against cyberattacks. The cybersecurity threat is constantly increasing, and it is highly important for you to take a proactive approach, and not assume or hope that this will not happen to your firm. The consequences of loss of reputation and legal liabilities are almost irreparable and take a long time to recover from.