Rising up the Agenda: Hedge funds must tackle cybersecurity head-on


HEDGE WEEK
OCTOBER 2022 IN ASSOCIATION WITH

EXECUTIVE SUMMARY

Hedge fund managers hold a wealth of data and are responsible for transactions worth billions – this makes them key targets for cyber-attacks. As breaches and data leaks continue to hit the headlines, these players are beginning to understand the potential damage a breach could wreak. A robust, secure infrastructure can take years to build and be destroyed in milliseconds. Therefore, serious thought and attention must be dedicated to this part of a business.

The growing focus on cybersecurity is being driven by a diverse set of factors. Hackers are becoming ever-more creative and hedge fund managers are wary of any incident that could cause financial and reputational damage. Furthermore, investors are demanding greater levels of transparency, which means communication around the security measures being taken is also increasing.

Another significant driving factor is growing regulatory scrutiny. The cybersecurity landscape is shifting as the SEC and other regulators become more hawkish around requirements to document preventive measures and report breaches when they occur.

“Transparency into cyber practices and incidents is turning from voluntary to mandatory, from statutory to actionable, from inconsistent and incomplete to decision-useful. The more extensive information-sharing should empower businesses to build more comprehensive actions and defenses against one of the most daunting risks they face,” details a report by PwC.

In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law in the US. In the same month, the SEC published the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. In announcing the changes, SEC chairman Gary Gensler said: “Investors increasingly seek information about cybersecurity risks, which can affect their investment decisions and returns.”

“The biggest change that’s going to cause the most pain and which ultimately gets the most attention is going to be the requirement for notifications,” comments Jacob Comer, Partner, General Counsel and Chief Compliance Officer at NovaQuest Capital Management, discussing cybersecurity during a Hedgeweek webinar. “It’s not just if there’s a material breach…all of these things are now going to need to be disclosed and made public.”

Other experts also draw attention to changes in the culture around cybersecurity. “Responsibility for it [cybersecurity] is moving up the chain now. It used to be that the IT guy takes the fall for a breach. But now the board or the C-suite need to be involved in the decision and allocate funds so now the whole organization – all the way to the top – is responsible for cybersecurity,” says an expert working within a hedge fund firm.

This report details findings of a survey conducted by Hedgeweek. This includes responses from cybersecurity experts within hedge fund firms who were asked about the current arrangements they have in place.

It also includes experiences of a number of hedge fund managers whose views helped to build case studies, focusing on seven cybersecurity best practices which should be a priority for these players.

CONTENTS

• Key pieces of advice
• Chapter one: Proactive measures
• Chapter two: Tales from the front lines
• Conclusion

KEY PIECES OF ADVICE

• Leaders must endorse the need for robust cybersecurity

• Be proactive and design the infrastructure your firm needs

• Test your systems and tools regularly

Linedata has extensive experience helping hedge fund firms address their cybersecurity challenges.

Don Duclos, Chief Information Security Officer, Linedata, points to the pivotal role played by the leaders of a firm: “The tone at the top matters. If the leader of the organization doesn’t think that security is important, that’s going to come through and the rest of the organization isn’t going to think so either. If they do think it’s important, that will set the tone and everybody else will follow.”

Technology and IT officers within hedge funds acknowledge the industry has evolved in the way it considers cybersecurity. Anup Kumar, EVP, Head of Global Services, Linedata, notes the importance of being proactive: “I would advise hedge funds to have a robust cybersecurity program in place and to address cyber threats by design as opposed to doing this incrementally and by reaction.”

After building this program and infrastructure, managers need to review these systems regularly. Girish Khilnani, Global Director of Technology, Linedata Technology Services, comments: “You need to test whatever tools you have implemented - don’t just let them gather dust. You will get attacked if you don’t test your tools.” This means implementing mandatory tests and training, either on a quarterly or yearly basis.

METHODOLOGY AND CONTRIBUTORS:

The interviews in this report were carried out during September 2022. The survey includes online responses from 46 experts working in hedge funds. The report also includes one-to-one interviews with additional technology and IT experts, including:

• Tom Bowles, CTO & Co-founder, Liberty Road Capital

• Jacob Comer, Partner, General Counsel and Chief Compliance Officer at NovaQuest Capital Management

• Douglas Hepworth, Chief Operating Officer and Chief Risk Officer, Gresham Investment Management, a subsidiary of Nuveen

• Adrian Iosifescu, Chief Technology Officer at CIFC Asset Management

• Jeff Schachter, President and Chief Operating Officer of Crawford Lake Capital Management

• Tristan Toomey, Chief Operating Officer, CDT Capital Management


PROACTIVE MEASURES

Hedge fund managers deepen their understanding of the importance of cybersecurity measures

Cybersecurity is fast becoming a priority for hedge fund managers across the board. Though the efforts here may have started as reactionary – with managers going into crisis-management mode following a breach or potential incident – their endeavors are becoming more proactive. Chief technology officers and chief risk officers have always understood the importance of a robust cybersecurity set-up; now this knowledge is permeating throughout organizations.

Tom Bowles, CTO & Co-founder, Liberty Road Capital, observes: “It’s about the importance of culture; of everyone within the firm really understanding the need for cybersecurity.”

In building an effective cybersecurity infrastructure, experts in the field identified seven key areas which represent best practice and help prevent data breaches and regulatory fines.

CYBERSECURITY BEST PRACTICES

• Multi-Factor Authentication (MFA)
• Phishing Training and Testing
• Endpoint Security
• Infrastructure Security Monitoring
• Vulnerability Assessment
• Security for Office 365
• Incident Response Documentation

Hedgeweek conducted research among hedge fund managers to identify how ingrained these practices are within the industry. The results detailed below demonstrate areas of strength and those which need further bolstering.

Considering the results overall, we see that a majority of managers have implemented the seven best practices listed above. Phishing training and testing is the one which most respondents have fully implemented (63%), followed by endpoint security (62%). Security for Office 365 and incident response documentation are also very well embedded, with 61% saying they do this in their firm.

Figure 1: Do you have the following seven cybersecurity best practices in place? Source: Hedgeweek

• Multi-Factor Authentication (MFA): 60%
• Phishing Training and Testing: 63%
• Endpoint Security for Desktops, Laptops, Mobile Devices etc: 62%
• Infrastructure Security Monitoring: 55%
• Vulnerability Assessment: 57%
• Security for Office 365: 61%
• Incident Response Documentation: 61%

Somewhat worryingly, vulnerability assessment is the practice that the highest share of managers say they do not carry out: at 10%, it drew more ‘no’ responses than any other option. Also concerning is the fact that one in 10 managers do not know whether they have vulnerability assessments, infrastructure security monitoring, or security for Office 365.

When considering the results by size of manager, mid-sized firms outpace their peers in their adoption of incident response documentation (80%), phishing training and testing (80%), and endpoint security (70%). Such firms might feel they have most to lose if they fail to lock down their cybersecurity measures. Larger firms on the other hand are most likely to have infrastructure monitoring in place. These groups have deeper pockets and often form part of a larger organization, making this element of cybersecurity critical to their survival.

Smaller organizations are more likely to have introduced security for Office 365 (68%). This is likely because certain measures are included in these productivity tools and therefore implementation of the security around them tends to be straightforward.

Figure 2: Do you have the following seven cybersecurity best practices in place? By size of manager. Source: Hedgeweek

Size of manager: S = <$250m, M = $250–999m, L = $1bn+

• Multi-Factor Authentication (MFA): 64% (S), 60% (M), 50% (L)
• Phishing Training and Testing: 55% (S), 80% (M), 67% (L)
• Endpoint Security for Desktops, Laptops, Mobile Devices etc: 59% (S), 70% (M), 60% (L)
• Infrastructure Security Monitoring: 48% (S), 60% (M), 67% (L)
• Vulnerability Assessment: 59% (S), 60% (M), 50% (L)
• Security for Office 365: 68% (S), 60% (M), 44% (L)
• Incident Response Documentation: 55% (S), 80% (M), 56% (L)

Taken by region, hedge fund managers in North America tend to outpace their European counterparts in terms of the cybersecurity best practices they have in place. Infrastructure security monitoring is the only area in which a higher percentage of European respondents gave a positive response (57% vs 50%). The gap between regions is greatest when it comes to phishing training and testing (85% vs 57%). The results suggest cybersecurity is more deeply embedded in the North American business model while Europe may still be catching up in this regard.

Respondents were also asked why they had not (yet) implemented certain best practices. Sixteen percent of those who do not run vulnerability assessments say these exercises are too costly. Phishing training and testing is not considered a priority for 20% of those who do not currently do this. Over a quarter of the managers who do not have incident response documentation set up say it is not necessary for their type of business.

Figure 3: Do you have the following seven cybersecurity best practices in place? By region. Source: Hedgeweek

• Multi-Factor Authentication (MFA): North America 67%, Europe 57%
• Phishing Training and Testing: North America 85%, Europe 57%
• Endpoint Security for Desktops, Laptops, Mobile Devices etc: North America 71%, Europe 62%
• Infrastructure Security Monitoring: North America 50%, Europe 57%
• Vulnerability Assessment: North America 71%, Europe 48%
• Security for Office 365: North America 69%, Europe 67%
• Incident Response Documentation: North America 69%, Europe 62%

Figure 4: For those practices you do not fully have in place, why not? Overall

These results indicate the need for further education and training around the cybersecurity needs of hedge funds. Duclos, at Linedata, notes that many times phishers target hedge funds for their money directly. After executing a successful business email compromise attack, they lurk in your inbox waiting for an opportunity to submit a false invoice to accounts payable or to divert a wire transaction.

One manager interviewed for this report notes: “You have to bring people up to speed and constantly reinforce it. There are certain traders who might shoot from the hip and who want to just get on and do their job; they don’t want anything getting in the way.

“They get very frustrated when they have to go through a two- or three-step authentication or some sort of other security check. So it’s about education and constant monitoring. We need to make sure they are still doing what they said they’re going to do.”

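Figure 4 responses, by practice (Source: Hedgeweek):

• Multi-Factor Authentication (MFA): We’re working on it 35%; Full application is not necessary for our type of business 10%; Not a priority 10%; Too costly 5%
• Phishing Training and Testing: We’re working on it 33%; Full application is not necessary for our type of business 13%; Not a priority 20%; Too costly 7%
• Endpoint Security for Desktops, Laptops, Mobile Devices: We’re working on it 35%; Full application is not necessary for our type of business 12%; Not a priority 12%; Too costly 12%
• Infrastructure Security Monitoring: We’re working on it 31%; Full application is not necessary for our type of business 19%; Not a priority 13%; Too costly 13%
• Vulnerability Assessment: We’re working on it 37%; Full application is not necessary for our type of business 11%; Not a priority 11%; Too costly 16%
• Security for Office 365: We’re working on it 19%; Full application is not necessary for our type of business 19%; Not a priority 19%; Too costly 13%
• Incident Response Documentation: We’re working on it 33%; Full application is not necessary for our type of business 27%; Not a priority 7%; Too costly 7%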

EDR: Endpoint Protection/Detection and Response solution. Endpoint monitoring

MDRR: Managed Detection, Response and Remediation solution. Managed cybersecurity service including 24/7 threat detection, response and remediation

vCISO: Virtual Chief Information Security Officer. Board-level Chief Information Security Expertise retained as a third-party service

The Covid-19 pandemic saw working from home become ubiquitous and as a result, the need for endpoint security became more acute. Among hedge fund managers, this awareness is growing as the majority have either purchased endpoint protection detection and response (EDR) from a third party (46%) or built such a solution in-house (23%). This service is also the one earmarked for greatest future uptake with over a quarter of managers (29%) saying they are exploring their options even though they currently do not have this solution in place.

Managed detection response and remediation is slightly more prevalent among respondents as two-thirds of managers say they have this, either through an external partner (49%) or sourced internally (20%). Having a virtual chief information security officer (vCISO) is less common as only 36% of managers have such a solution in place. Around a quarter (24%) are exploring their options in this regard, while a significant percentage (41%) are not considering it.

All of the mid-sized firms under review have an EDR solution in place. The majority of this group have also implemented MDRR. Take-up of a vCISO solution is lowest among this group and also lower within smaller firms, with only a third saying they have this in place, either in-house or externally.

Figure 5: To what extent has your firm implemented the following three cybersecurity solutions? Source: Hedgeweek

• EDR: We have this built in house 23%; We have this purchased from a third party as a service 46%
• MDRR: We have this built in house 20%; We have this purchased from a third party as a service 49%
• vCISO: We have this built in house 18%; We have this purchased from a third party as a service 18%

It comes as little surprise that larger organizations are more likely to have such solutions in place.

“The more you hear about these things [cybersecurity threats], the more open the management is to do something about it,” comments Adrian Iosifescu, chief technology officer at CIFC Asset Management. “You can never be 100% secure. Although you’re always behind the innovative hackers, you try to stay as close as possible to the latest developments.”

Security solutions are necessary to protect hedge fund firms; however a balance needs to be struck to ensure these measures do not encroach on the managers’ core strengths.

“Part of our challenge is figuring out which of the cybersecurity measures can mediate a real risk, as opposed to merely an optical risk. Then we need to weigh the implementation of optical measures against the business impact,” explains Douglas Hepworth, chief operating officer and chief risk officer, Gresham Investment Management.

He believes as cybersecurity measures get stricter, managers need to be mindful of these not impacting productivity.

Bowles agrees: “Security must always be easy to use. If it’s difficult to use, people will find ways around it. So, it’s about striking a balance.”

Figure 6: To what extent has your firm implemented the following three cybersecurity solutions? By size. Source: Hedgeweek

• EDR: 55% (<$250m, S), 100% ($250–999m, M), 86% ($1bn+, L)
• MDRR: 62% (S), 83% (M), 75% (L)
• vCISO: 33% (S), 17% (M), 57% (L)

TALES FROM THE FRONT LINE

Hedge fund insiders share their experience of implementing cybersecurity measures

1: MULTI-FACTOR AUTHENTICATION

• Managers consider MFA a key step in securing their business

• MFA can prevent simple mistakes from being made

• Implementation tends to be smooth

“It’s an obvious, simple but effective security step,” says Tom Bowles, CTO & Co-founder, Liberty Road Capital, when describing his firm’s approach to employing multi-factor authentication (MFA). The firm implemented MFA at the outset and continues to do so any time a new email address or account is created, ahead of anyone using said account.

MFA consists of a layered approach to securing data and applications. The system requires the user to input a combination of two or more credentials to verify their identity.

“Implementing MFA makes it more difficult for a threat actor to gain access to business premises and information systems, such as remote access technology, email, and billing systems, even if passwords or PINs are compromised through phishing attacks or other means,” writes the Cybersecurity and Infrastructure Security Agency (CISA) in a fact sheet.

For Jeff Schachter, President and Chief Operating Officer of Crawford Lake Capital Management, MFA provided peace of mind: “It was a great experience [setting up MFA]. Everyone was happy and relieved we had greater protection. The uptake was simple and smooth. We had no complaints and no pushback that I can recall.”

MFA is often one of the foundational cybersecurity functions, one that most hedge fund managers now implement across their business. “We feel MFA is the real deal. We are fans of password complexity, but there’s a cost to that. We are also in favour of mandatory password changes, but that too, has associated costs. So, from our perspective, MFA is almost pure gain. When forcing passwords to be changed every 90 days, the gain outweighs the cost, though not by much. This is not the case with MFA,” outlines Hepworth at Gresham.

2: PHISHING TRAINING AND TESTING

• A significant area of risk for managers

• Testing and training can be a challenge

• Constant review of potential threats is critical

As phishing attacks develop and hackers become ever more creative, hedge fund managers are learning how to navigate and mitigate this threat in different ways.

At Liberty Road Capital, a phishing training programme has recently been built. “It’s a significant area of risk and we have started regularly training,” says Bowles. The program was designed by an external team and is applicable and adapted to all staff, across different levels of expertise and knowledge.

Bowles expects there to be some teething issues until the programme is fully embedded, adding: “It is something that has to be done until it becomes a routine. We have to make it as easy to do as possible; if it’s complex it’s not going to work. It will obviously add another level of security to what we do.”

One hedge fund manager tells of a near-miss event when a junior member of staff received an email with instructions from her line manager to buy certain items. The “manager” replied with further instructions, which she followed. Another employee noticed something strange and questioned what was going on. The junior employee had bought some items, but no irreparable damage had been done.

At Gresham, phishing training is also undergoing a significant shift. After running phishing testing exercises through an external partner, Hepworth explains why this didn’t work well and outlines how the firm is now bringing its phishing testing and training in-house.

“Part of the problem was that with the protections we have in place, the external team’s phishing efforts weren’t getting through to the employees. We tried to make it work by whitelisting a small number of IP addresses just so some of these things could get through to the employees. But the emails were still being pre-reported as phishing attempts and blocked.”

The notion of whitelisting was slightly worrisome, Hepworth says, since it creates a vulnerability, which could not only expose Gresham, but also its $980 billion parent company, Nuveen. The firm is now in the process of finalising its new, in-house phishing testing and training and Hepworth expects to run the first test within the coming month.

Schachter outlines how training on phishing has been mostly welcomed by Crawford Lake employees: “They all want to learn and none of them wants to be the one who gets hacked. It takes time to not get fooled and there’s always a new bag of tricks out there. For now I feel like we’re pretty safe. But we can’t let our guard down…. You always have to evolve or evaporate.”

Adrian Iosifescu, Chief Technology Officer at CIFC Asset Management, acknowledges the importance of training staff: “The weakest link in everything we build is the human element, i.e. people. We’re doing phishing tests every month because when we did it once a year, or even every six months, many people failed, because they don’t pay attention, even with the mandatory training.”

Iosifescu’s aim, which was to get to a point where all staff are aware of these phishing tests, has been reached: “We sometimes get valid emails being sent through to the help desk because they are afraid to open a link or attachment they’re unsure about. Our security levels go hand in hand with how educated our users are.”

3: ENDPOINT SECURITY

• Work-from-home practices increase risk to end users and the organization itself

• Further investment in secure remote work solutions and endpoint security is warranted

• Firms seek balance between protection, compliance, and practicality

The Covid-19 pandemic saw work models being turned on their heads, with work from home becoming ubiquitous across many, if not all firms. This has led to exponential growth in the number of external devices being used by staff and the more widespread use of non-secured Wi-Fi systems, all of which pose additional cybersecurity challenges.

Some firms have prepared for this by implementing technology solutions to mitigate these concerns. Bowles says: “Our entire system exists within a VPN. We have multiple layers of security which cannot be accessed without a special physical key which you have to put inside your computer and press a button. The firm all runs inside a virtual network.”

Liberty Road Capital handled endpoint security by buying brand new computers which had never been used before: “Our security team installed them, removed a whole load of random bits of software and locked them down with this VPN. After that, we installed our proprietary trading software on those machines within the VPN.” Bowles adds that the firm’s staff do not use mobile devices for work.

Hepworth outlines how, although investing in endpoint security makes sense, many of these endeavours are largely driven by regulatory authorities, especially in light of employees working from home. Sometimes however these measures can be restrictive, for example, employees working from home are not allowed to print or copy anything, meaning even a simple phone number has to be written on a piece of paper in order to be of any use.

“This is a beautiful example of something which is more heavily weighted towards optics than real risk, and where the costs outweigh the gains. Measures like these [restrictions on printing for example] are a cost on productivity.”

For Tristan Toomey, Chief Operating Officer, CDT Capital Management, the endpoint security offered by Microsoft was a key factor in the firm’s choice of partner. The agreement facilitated additional security in relation to transferring files. Toomey explains: “We try not to send any true file, which contains client specific information, across in an email. Instead, we have a link sent out to them. This is a unique link that connects only to that file which allows them to view that file and nothing else. This is a way we have tried to limit the amount of private information that is going across unsecured channels.”

4: INFRASTRUCTURE SECURITY MONITORING

• Mostly an outsourced function across hedge funds

• Needs to be constant

• Helps managers feel prepared for a potential incident

Many hedge fund managers outsource this function to a third party. Iosifescu outlines how CIFC has built a strategic relationship with Secure Works, a third-party security company. The firm monitors all CIFC’s traffic, looking out for patterns that would reflect potential penetration.

“They take the action together with us and we run forensics, together, if we were to have an incident. We also benefit from their research in this space…they have a separate unit that does research in terms of the latest trends, and they share that information with us. This way we can be better prepared. We will always be a step behind the hackers but at least we won’t be two steps behind.”

Toomey says this security monitoring is also part of the service CDT Capital Management gets from its third party providers: “We worked with a couple of the support experts at Microsoft and others to select the best option we could reasonably implement without having to go to some sort of high-level enterprise version which would run costs that would be untenable for us.”

In Hepworth’s case, Gresham sits at the other end of the scale: “We have the benefit of a parent company that cares about this [infrastructure security monitoring] a lot. So, they have been running tests on us for more than five years and that’s been a very good exercise. From our perspective, this is a pure win because we don’t have to do it all.”

5: VULNERABILITY ASSESSMENT

• Critical in testing a firm’s resilience

• Needs to be in-depth but also not disruptive to the business

• Exercises and tests need to be consistent

Consistent and continuous assessment and testing of a hedge fund’s cybersecurity infrastructure is critical in building operational resilience. Pushing the system’s boundaries in the form of vulnerability assessments is an elemental part of this exercise.

Bowles explains how his firm hired an external hacking team tasked with attempting to break into Liberty Road Capital’s digital infrastructure. “This team worked with high profile, international institutions and through them we are constantly auditing our entire technology, infrastructure and security.

“We run proprietary software on proprietary networks. The VPN set up allows us to lock down different parts of our system if necessary. We also do regular audits of emails, and everything within our accounts, making sure there aren’t any passwords or security certificates to be found anywhere. We know we’re a target so we need to be very aware of being exposed.”

The Global Information Assurance Certification Paper says that penetration testing is a way to “stress the attack surface that an organization presents to the outside world.”

In some organisations, introducing regular penetration testing was a journey. One hedge fund technology officer describes how cybersecurity was not a priority when they first joined the firm, until the risk gradually grew into more of an issue: “People started becoming aware of the potential damage which could be done to organizations. When they saw some of the largest organizations in the world being affected by cyber threats, including the potential financial and reputational damage a breach could cause, then budget began to flow my way.”

This team slowly, but surely, implemented a cybersecurity framework which included regular penetration testing. The technology officer explains how greater awareness encouraged more decisive action within the firm: “We started performing once a year penetration tests. But then, when a big oil company hit the headlines after being penetrated, we were tasked with doing this more often.

“The evolution of the cybersecurity measures we have in place went hand in hand with education [about] cybersecurity issues through the media.”

Consistency is key in assessing an organization for vulnerabilities. Schachter talks of his firm’s experience: “We started doing regular penetration tests and crisis management drills. We thank God, we have not had any incidents as we also do regular training alongside this. It’s a minefield out there and you have to be at the top of your game - evolving and adapting all the time.”

6: SECURITY FOR OFFICE 365

• Not always considered a top priority

• Managers tend to rely on Microsoft itself for security

• A challenge to have non-Microsoft security for Office 365

The use of Microsoft Office 365 is popular among hedge fund managers and other financial firms. However, there are potential risks they need to safeguard against in order to further protect their firm: issues like data leaks, privilege abuse and credential theft.

“We have a couple of layers of control within our Microsoft Office 365 set up,” says Iosifescu. “One is at the network level, where we filter all the emails through a third-party product called Mimecast. Through this we control the nature of the email, the attachments, and so on, and so forth. We also have a piece of software that resides on every desktop which performs a second level of control once the email shows up in somebody’s inbox.”

He believes Microsoft “should do more” and although he says the firm does a good job, it could do better in providing security measures. In fact, he adds that Mimecast acts as a backup solution, in case of a collapse of Office 365.

Hepworth observes: “Microsoft has a preference for using Microsoft products. And the philosophy is ‘we’ll make it both affordable to use them and problematic to not use them’. In fact the implementation of it has actually been pretty seamless. We did the actual migration incrementally as we think it’s a very high risk to be binary on this stuff.”

In Toomey’s view, using Office 365 is a bit more of a “leap of faith”. “We do use Office 365 as part of our work productivity tools. To be honest there wasn’t an in-depth thought process around the security of Office 365 and its vulnerabilities. Given our size and where we’re at as a firm, we need to believe it is going to work for what we need. In the end, we are leveraging Microsoft’s reputation as a trusted partner when we use Office 365.”

7: INCIDENT RESPONSE

• Swift, decisive action is vital to limiting the damage of a breach

• Communication with management and investors is a crucial part of an incident response plan

• Incident response plans need to be reviewed and refreshed regularly

Hedge fund managers are highly cognizant of their vulnerability and are aware they can be popular targets for cyber-attacks. Although their cybersecurity infrastructure should prevent breaches, the likelihood that an attack is successful is also high. Therefore, they need to be well-prepared for when that happens to ensure they take swift and decisive action and mitigate any damage.

Schachter tells of a time the firm was subject to a breach back in 2018: “One of my colleagues was lured into putting her credentials into Microsoft Office and we did not have MFA at the time, so we had an issue. Luckily, only a little bit of information was leaked; they only got into her addresses.”

He says the damage was limited because the firm dove straight into crisis management and communication mode. They also switched IT management to a larger, more well-known firm. “We started being extra careful after this, having MFA on everything, every device was managed by the IT management firm and we started doing regular penetration tests and crisis management drills,” says Schachter.

Even managers who have not had this experience say they are well-prepared for a breach, should it happen. “We have an incident response plan that takes into account how we detect the issue, how we isolate the issue from the rest of the network, how we communicate that to management and how we communicate to our investors and external third parties that may be affected by us being corrupted,” says Iosifescu. This plan is reviewed on an annual basis.

An interesting observation here is that although these plans can be reviewed, it is difficult to truly test them since doing so could disrupt the organisation.

Bowles outlines vulnerabilities the external hacking team identified and explains the steps taken to eliminate them: “A simple one was people forgetting passwords. They were sending them via email and not deleting the emails afterwards. We also stopped using WhatsApp within the company as some people would be sending passwords over it. We now have PGP encryption so we know that we can send these kinds of things securely and they are always deleted afterwards.”

Within Liberty Road Capital, the incident response will depend on the threat level, Bowles concludes: “If it is something important it is handled immediately while if it’s not so urgent, we’ll push it. For example, there was one instance where we found something suspicious on someone’s laptop. We unplugged it and delivered a new one by Monday, with new software. This kind of thing is important, because that’s a key threat. With other things like companies or exchanges, we deal with changing their APIs, we evaluate it and decide whether we need to do it now or do it later.”

The focus of managers’ incident response plan needs to be risk mitigation and clear communication. The primary aim is to mitigate the event; to make sure the damage is minimal and critical information is not dissipated throughout the web.

“The only thing we can do is try to do the best we can to fence the firm and make sure we minimise the impact when it [a breach] happens.”


CONCLUSION

Hedge funds – and regulators – are clearly taking cybersecurity measures more seriously, especially as the Covid-19 pandemic and growing hacker sophistication made threat levels and vulnerabilities very clear.

“Regulators have raised the bar for regulated firms in terms of preventive cybersecurity measures, documentation, and reporting requirements, when breaches occur,” observes Anup Kumar, EVP and Head of Global Services at Linedata. “Investors are also putting a lot of pressure on hedge funds to demonstrate the right level of security controls and are taking note if firms have had an incident or a breach. It has now become part of their due diligence checklist and investment agreement or side letter.”

Regulatory and investor pressure is therefore driving more investment into cybersecurity as hedge fund managers are keen to protect their endpoints and their organization.

But although more firms are aware of the need for cybersecurity and are taking action to strengthen their defences, challenges remain.

One of these is the regional difference in the penetration and adoption of cybersecurity best practices identified in this report. Don Duclos, CISO at Linedata, comments: “I believe it comes down to a level of regulatory push in the US. The regulators have always been fairly aggressive and hands on here. While, in my experience, the regulators in Europe have typically been more reserved and are willing to take the institutions at their word.”

In addition, Girish Khilnani, Linedata Technology Services, notes: “Many managers struggle with knowing what they should have in their environment. Both start-up and mid-sized firms face the dilemma of not really having enough in terms of cybersecurity and also not knowing how much is enough.”

The importance of training has been clearly delineated throughout this report, but Khilnani points out that many firms do not have the knowledge, tools, or expertise to know what training needs to be done or how to deliver the training.

“It comes down to cost vs risk,” Duclos adds. “Cybersecurity costs firms money, but they are in better shape and more secure because of it. Plus, there is the regulatory angle. Ultimately, the cost and risk of getting cybersecurity wrong is much higher than the cost of doing it right the first time,” Duclos concludes.

Published by: Global Fund Media, Lion Court, 25 Procter St, London WC1V 6NY

©Copyright 2022 Global Fund Media Ltd. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher.

Investment Warning: The information provided in this publication should not form the sole basis of any investment decision. No investment decision should be made in relation to any of the information provided other than on the advice of a professional financial advisor. Past performance is no guarantee of future results. The value and income derived from investments can go down as well as up.
