If, like Mark Cuban, you think high frequency trading is one big hack of an electronic system, it should be no surprise that the financial sector is also susceptible to more direct forms of cybercrime.
According to CNBC’s Eamon Javers, “Cybercriminals acting in late 2013 installed a malicious computer program on the servers of a large hedge fund, crippling its high-speed trading strategy and sending information about its trades to unknown offsite computers.” Ultimately, Javers reports that “the malware represented a multimillion dollar problem for the hedge fund” and “the intruders were able to reap significant profits.”
Contextualizing the previously undisclosed episode, Javers says “The new wave of attacks includes other assaults on hedge funds seemingly designed to uncover their trading strategies, and implies the existence of cybercriminals with the technical savvy to attack highly secure computer networks and, at the same time, the financial and market savvy to replicate intricate high-speed trading strategies.”
If this kind of thing was happening to a traditional bank, consumers would have less to worry about, because they would know their deposits are at least backed up by the Federal Deposit Insurance Corporation. But when it comes to most hedge funds, there is no such federal backstop. As Ameriprise Financial’s website puts it in its discussion about hedge funds, “Investment products are not federally or FDIC-insured, are not deposits or obligations of, or guaranteed by any financial institution, and involve investment risks including possible loss of principal and fluctuation in value.”
In other words, save for a few exceptions, if your money gets stolen from your hedge fund manager, there’s usually no government-guaranteed insurance for you.
Now sure, it’s easy to think there’s no need for regular old average consumers to worry about cyber criminals stealing from hedge funds. After all, hedge fund managers are some of the richest people in the world, and their individual clients are at the top of the overall income and wealth scale themselves. Indeed, Securities and Exchange Commission rules do not allow individuals to invest in hedge funds unless they prove that they have a net worth “that exceeds $1 million… income exceeding $200,000 in each of the two most recent years or joint income with a spouse exceeding $300,000 for those years and a reasonable expectation of the same income level in the current year.”
However, all of that should be false comfort to the average income earner because while those SEC guidelines are about individual investors, they are not about institutional investors — many of which manage average individuals’ money. As just one example, state and local governments are institutional investors that, by one estimate, now have $115 billion worth of taxpayer funds in hedge funds.
The point here is that because the American economy has become so financialized, there’s no escape from the financial sector. It touches so many parts of the economy that a cybercrime threat against it poses risks way beyond the office towers on Wall Street – risks that, again, are not insured against by an agency like the FDIC.
Because of this systemic risk, the SEC recently announced it “will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.” Reuters earlier reported that “Inspections are designed to catch major problems before they bubble up; however, exams can also lead to enforcement action if the SEC uncovers egregious activity or repeat violations.”
No doubt, the exams and the fears stoked by this week’s news from CNBC may end up resulting in a serious business opportunity for the cybersecurity industry, as Wall Street firms frantically try to bulk up their defenses.
But that may not be the only business opportunity. There’s also the new hedge fund being constructed by famed hacker Andrew Auernheimer – a hedge fund whose strategy, he says, will be “to identify a company that has [information security] liabilities that no one knows about yet.” In an interview with the New Republic after being released from prison, Auernheimer said: “When someone affiliated with our fund identifies negligent privacy breaches at a public web service, we will take a short position in that company’s shares and then tell the media about it.”
At least on the surface, the incentives seem constructive: either firms will get serious about their security infrastructure, or they will be publicly shamed (which has the added benefit of providing more fodder for investigative journalism, too!). If you think that sounds like a business model based on trolling Wall Street, you’re right: Auernheimer says he’s going to name his hedge fund TRO LLC.