Hedge funds confronted with a cyberattack have to answer two questions quickly: What happened, and what to do about it.
Finding out what happened — whether the threat was benign, for example, or resulted in a breach and the exposure of a lot of information — will often depend on the firm’s sophistication. It could take several days or longer.
The attack may have occurred some time before the firm discovered it. The average cyber breach goes undetected for seven months, according to the FBI.
Deciding what to do about a cyberthreat will be based largely on the firm’s contractual obligations to investors. Virtually all hedge funds contract to do certain things with regard to security and breaches.
Very important is a fund’s obligation to notify investors of an attack within a certain timeframe. But how quickly?
In these scenarios, hedge funds tend to err on the side of caution, and will probably notify investors early because it’s better to have people alerted and taking defensive measures, said Jamie Wodetzki, founder of Exari, which provides contract documents and stores and analyzes them.
But notifying investors of an attack early can damage the brand, he said. If the firm is confident, for example, that the threat was benign and didn’t result in a breach, it would not want to broadcast it to the world at large.
“This is where if you understand your contractual obligations, you’re able to understand your very strict requirements to do things and to react quickly in a very informed way,” Wodetzki said.
He said hedge funds needed to understand their obligations potentially across tens, hundreds or thousands of contracts. And these may not all be handled the same way.
Most firms, however, although they understand most of their contracts when they sign them, aren’t necessarily focused on every stipulation within the contract.
Quickly discovering their obligations to individual investors in a cyber event may be difficult.
Wodetzki said Exari provides a system to help financial firms produce stronger contractual documentation, and ensures that they fully understand all their contractual relationships, obligations and protections. “If you put a contract in a system like ours, you can understand all your obligations quickly,” he said.
Clients include broker-dealers, insurance companies and, in a recent push, hedge funds.