Hedge funds deal in risk: it’s how they make money for their clients, it’s how they build and prosper. But while hedge funds and asset managers may be experts in managing financial risk, they must come to grips with the new and evolving risk that threatens their entire business model: the risk of a hack.
Our fearless founder, Jamie, was recently interviewed by online magazine ThinkAdvisor, a self-described “thought leadership destination for financial advisors,” about what hedge funds must do to prepare for cybersecurity threats. Cybersecurity is a topic we at Exari are quite familiar with: our products are designed to provide the contract visibility financial firms need to prepare for and recover from hacks and breaches. We’ve written about it before and we’ll write about it again, as long as threats continue to jeopardize the information and wealth of companies and their clients.
As cyberattacks continue to evolve (see: the recent hack of up to 100 banks), it is increasingly difficult to remain ahead of the threat. The best way for financial firms to prepare is to know as much as they can before an attack occurs, both so that they can find and remediate their weaknesses, and so that recovery is a reality, not merely a plan. Indeed, at a cybersecurity conference held recently in New York by the Financial Industry Regulatory Authority (FINRA) and the Securities Industry and Financial Markets Association (SIFMA), FINRA’s executive vice president and chief information officer, Steve Randich, said that firms must accept “that breaches will happen,” and that they should focus “not just on prevention but the response” to cyberattacks.
Hedge funds and other financial institutions require complete contract visibility to combat cyberattacks for three key reasons:
Firms must know where risk lives in their client contracts so that they know where to look to satisfy customer and regulator obligations in case of a breach. After all, a firm’s response to a threat will depend on its contractual obligations to clients. In order not to expose themselves to further risk, firms must be aware ahead of time of the level and timeframe necessary for disclosure in the case of a breach. Firms must also be able to instantaneously assess the reach and consequences of a threat so they can avoid unnecessary – and potentially devastating – disclosures to clients and the public where they are confident the threat was benign.
Firms must have full visibility into their supplier contracts, because no matter how well they may attempt to defend against hackers, the third parties they engage may not have such stalwart measures in place. Firms must be able to identify which of these vendors lack adequate data security, and fix the issue before it becomes a disaster. “You assured the investor you would meet all these levels of security,” says Jamie, “but if you now have a network of dozens of suppliers and they’re not under the same obligations, then you’re automatically in a precarious situation because you haven’t properly understood the weakest link.”
Regulators will come after un- or under-prepared firms. “Understanding the contracts with the investors tells the hedge fund what it has agreed to do,” according to Jamie. “Understanding the contracts with the suppliers tells it what it has passed down the line, and allows it to plug any gaps quickly before something bad happens.” This ability to quickly assess client obligations across hundreds or thousands of individual, negotiated contracts can only come from having a Contract Lifecycle Management (CLM) system in place that collates all contracts and contract data in one central, searchable online repository so that the information firms need is just a few clicks away.