Hedge funds should improve risk assessments on service providers' security policies
Hedge fund managers need to conduct more thorough risk analysis on the security policies at their service providers, it has been warned.
This warning comes as 260 gigabytes of confidential data containing information on 120,000 offshore entities was leaked from the offices of Portcullis Trustnet, a Singapore-based fund administrator, to the International Consortium of Investigative Journalists.
The leak prompted a swathe of embarrassing articles in the mainstream press. A source close to the company said an investigation into the leak was on-going, adding the firm had "identified an individual whom it strongly suspects as having been involved in the data theft", although he did not disclose their name.
However, the source said no hedge fund data had been stolen to the best of their knowledge. "Our new information also strongly suggests that the data theft ended in early 2010. Notwithstanding this fact, we have engaged KPMG to conduct an IT security review and we have reviewed our physical and information security at all levels," he said.
One fund administrator, also with offices in Asia, said he had seen hedge funds reviewing data security at fund administrators, and advised managers to adopt more rigorous procedures when looking at fund administrators' internal security policies.
However, he warned such leaks were impossible to prevent but could be mitigated. “A company, irrespective of size, cannot prevent employees leaking data to the press or third parties. However, the threat can be mitigated. At our company, we have simple ID solutions which prevent employees downloading data onto an external cloud or memory stick. If an employee wants to download data, then they have to run it past our IT department,” said the administrator.
He added some administrators could do more to keep employees happy to prevent such leaks further. “Nonetheless, despite all the security measures firms can take, they can never prevent an employee printing out or faxing confidential data to external parties,” he said.
Similar security breaches have affected major banks. A former HSBC private bank employee in Switzerland leaked details of 24,000 customers to tax authorities across Europe in 2010. The employee was recently charged by Swiss authorities with leaking confidential data.
Meanwhile, Eze Castle Integration also advised hedge funds to conduct greater due diligence on the security policies at their cloud computing providers.
“Hedge funds need to bolster the resources they employ when conducting due diligence on cloud providers. Some managers do lack knowledge about the security policies at a few cloud providers, and they need to be alert to providers’ security practices, as well as the overall robustness of the security design at the cloud service providers. A growing number of managers are reviewing their cloud providers’ protections against hacking or security breaches,” said Vinod Paul, managing director at Eze Castle Integration in New York.
The threat of hacking has been elevated in recent years. Sophisticated hackers have caused disruption at a number of bulge bracket organisations including Sony and Microsoft, and several hedge funds including CQS have warned it remains a serious threat to their businesses, and those of their service providers.
The surge in cloud usage has prompted investors to undertake more operational due diligence on technology providers. “Investors are fast becoming highly educated on matters surrounding cloud computing, something which in years gone by would not have been on the radar. I have attended several investor meetings whereby investors have asked about where our data centres are located and what our procedures are in terms of disaster recovery. Investors want to ensure we have controls in place,” commented Paul.