How long should a hedge fund wait to tell clients about a cyber breach?

Hedge funds confronted with a cyberattack have to answer two questions quickly: What happened, and what to do about it.

Finding out what happened — whether the threat was benign, for example, or resulted in a breach and the exposure of a lot of information — will often depend on the firm’s sophistication. It could take several days or longer.

The attack may have occurred some time before the firm discovered it. The average cyber breach goes undetected for seven months, according to the FBI.

Deciding what to do about a cyberthreat will be based largely on the firm’s contractual obligations to investors. Virtually all hedge funds contract to do certain things with regard to security and breaches.

Very important is a fund’s obligation to notify investors of an attack within a certain timeframe. But how quickly?

In these scenarios, hedge funds tend to err on the side of caution, and will probably notify investors early because it’s better to have people alerted and taking defensive measures, said Jamie Wodetzki, founder of Exari, which produces, stores and analyzes contract documents.

But notifying investors of an attack early can damage the brand, he said. If the firm is confident, for example, that the threat was benign and didn’t result in a breach, it would not want to broadcast it to the world at large.

“This is where if you understand your contractual obligations, you’re able to understand your very strict requirements to do things and to react quickly in a very informed way,” Wodetzki said.

He said hedge funds needed to understand their obligations potentially across tens, hundreds or thousands of contracts. And these may not all be handled the same way.

Most firms, however, understand their contracts in broad terms when they sign them but aren’t necessarily focused on every stipulation within them.

Quickly discovering their obligations to individual investors in a cyber event may be difficult.

Wodetzki said Exari provides a system to help financial firms produce stronger contractual documentation, and ensures that they fully understand all their contractual relationships, obligations and protections. “If you put a contract in a system like ours, you can understand all your obligations quickly,” he said.

Clients include broker-dealers, insurance companies and, in a recent push, hedge funds.

Achilles’ Heel

Cyberattacks raise another problem. Many hedge fund organizations outsource or contract out a large chunk of what they do.

They make certain promises to investors about the security measures they will take, but how well they pass that on contractually to their network of vendors or suppliers is a concern.

“You may have a good information security policy, you may have made promises with great confidence when you contractually signed up with the investor,” Wodetzki said.

“You assured the investor you would meet all these levels of security, but if you now have a network of dozens of suppliers and they’re not under the same obligations, then you’re automatically in a precarious situation because you haven’t properly understood the weakest link.”

Only with visibility into all supplier contracts will the firm be able to sort out which suppliers and vendors have strong security obligations they’re required to provide and which don’t.

“You would want to discover the flaky ones well ahead of time, and do something about it. Because with these sorts of breaches,” Wodetzki said, “the weakest link is usually the thing that brings you down.”

Understanding the contracts with the investors tells the hedge fund what it has agreed to do. Understanding the contracts with the suppliers tells it what it has passed down the line, and allows it to plug any gaps quickly before something bad happens.

Investors

For their part, investors should ensure that they receive firm promises that the hedge fund will put in place strong security measures, will pass those measures down to its whole network of providers, and will notify investors of security problems.

In other words, the investor’s obligation is to conduct proper due diligence on the firm before making an allocation.

— Check out SEC to Conduct ‘IT-Related’ Exams of BDs, Advisors on ThinkAdvisor.