Screen full of alphanumerics depicting encryption and the word password emphasized by a magnifying glass

Hedge funds are a weak link in the US financial system’s defences against hackers and terrorists, the Obama administration has warned the industry.

The Department of Justice has also told hedge fund investors that their data could be at risk or they could face losses if hackers breach trading systems, and it urged them to put pressure on managers to beef up cyber security.

The administration sent John Carlin, assistant attorney-general for national security, to a hedge fund conference last week to demand that managers pay more attention to cyber threats and to share more information with the government when hackers attempt to penetrate or disrupt their systems.

Whereas large banks have woken up to the risks after a string of high profile cyber attacks, hedge funds have barely begun, Mr Carlin told the Financial Times.

“Hedge funds hold a tremendous amount of capital, incredibly sensitive proprietary information, and valuable algorithms, but they are small shops and they often have very weak IT,” he said.

At a closed-door meeting on the sidelines of the SALT hedge fund conference in Las Vegas, Mr Carlin told managers that they needed to share more information if they were to beat the threats from criminal gangs looking to steal money and data, and from foreign governments who may want to disrupt the financial system.

The failure to report incidents, Mr Carlin said, is a “payday” for hackers. “It means they can conduct their activities cost-free, they can keep getting better at stealing information, and no one is improving on our end by sharing information to prevent it from happening.”

By also taking its message to hedge fund investors, the DoJ is aiming to bring further pressure on funds to act. Investors should demand funds set out their cyber security policies, Mr Carlin said.

Hedge funds, for their part, are looking for greater protections from legal liability, including on antitrust concerns, when they share security information.

Cyber crime experts say there have already been a spate of targeted attacks aimed at stealing the code that underlies hedge fund trading strategies, as hackers home in on financial companies’ intellectual property.

Meanwhile, many large US financial institutions were targeted last year in a broad-based attack that compromised the names, phone numbers and email addresses of 76m JPMorgan Chase customers.

Cyber security has also moved further up the agenda as a result of the recent attack on Sony, identified by the Obama administration as originating from North Korea.

Anthony Scaramucci, founder of hedge fund of funds SkyBridge Capital, said Mr Carlin faced a tough sell.

“You do not feel insecure until you are breached,” he said. “The average person in the financial sector — myself included — is not as focused on these threats as they need to be.”

John Carlin, assistant attorney-general
John Carlin, assistant attorney-general

Earlier this year, the Securities and Exchange Commission examined 100 broker-dealers and asset managers to judge their readiness to deal with an attack, and is likely to draw up new guidelines.

As well as discussing their own cyber security, hedge fund managers at the SALT meeting also debated how they might factor in such risks to the companies in which they invest.

Get alerts on Cyber Security when a new story is published

Copyright The Financial Times Limited 2019. All rights reserved.
Reuse this content (opens in new window)

Follow the topics in this article