By Constance N. Hubbell, President, The Hubbell Group, Inc.
Asked why he robbed banks, legendary bandit Willie Sutton said, “Because that’s where the money is.” Today, many criminals steal with laptops, not guns, but they still go where the money is, and – with $3 trillion in assets under management – hedge funds are obvious targets. Yet the biggest losses could be reputational rather than financial. Hedge fund firms need to take proactive steps to protect their reputations in the event of a cybersecurity breach.
In fact, it’s possible that assets will be easier to recover after a cyberattack than a firm’s reputation. Just ask Home Depot, Target, Yahoo! or the Democratic National Committee. All suffered losses of trust and confidence after hackers invaded their databases.
The profile of hedge fund clients – typically high-net-worth individuals – adds even more risk for managers. Such clients value their privacy and do not want their confidential financial lives exposed. A manager whose databases are illicitly accessed may find clients – and assets – fleeing.
So, what should you do? First, assume you will be attacked. In today’s data-driven world, there are no perfect protections against hackers. Second, be ready should an attack occur. To prepare and protect your firm, consider the following steps:
1.Identify Your Vulnerabilities: In order to build a robust response plan, you need to identify where your firm might be vulnerable when it comes to a cyber incident. This intelligence-gathering requires that you dive deep into potential sources of pain, that you carefully consider every possible worst-case scenario. When looking at your vulnerabilities, you need to look internally as well as externally, such as your ties to trading partners and IT contractors. Even if a cyberattack is the fault of an outside third party, your clients will blame you if their data are stolen or compromised. Your vulnerabilities assessment should be as unsparing as the post-crisis evaluations that will come from investors, regulators, the media and others.
2.Assemble the Team: Building and maintaining a robust cyberattack response plan is an organization-wide effort and not just the responsibility of the IT, legal or PR departments. To foster success, active engagement from your money managers, legal, compliance, marketing, communications, human resources and information technology is required. You also need to appoint a dedicated leader who has the authority to act quickly and the credibility to immediately speak with stakeholders and other parties (investors, regulators, the media).
3.Prepare Your Scripts. In today’s Twitter world, you don’t have time to noodle around with what you are going to say, so it is important that you have scripts and language in place that is ready to go in an instant. This language should also be clear, concise and direct. Good communication is not about hiding information or avoiding questions. If you fail to comment, your competitors will fill the vacuum (most likely anonymously). Furthermore, anyone who could possibly communicate with a client or outside party should know what to say, what not to say and when to escalate a conversation.
4.Build a Contact Plan: Crisis preparedness should include up-to-date contact lists to ensure that you can reach every investor and key stakeholders such as institutional consultants and platform gatekeepers in a timely manner. They should hear the news from you first. Be prepared to reach out to them instantly from anywhere, at any time and in any way (voice, email, text). A good contact engagement plan should enable you to act if your own systems are down.
5.Build Ready to Communicate Across a Host of Channels: Although many alternative asset managers do not regularly engage on social media such as Facebook, LinkedIn, Twitter, Instagram or YouTube, you need to know how to use these channels as part of a crisis response. This is especially important given that your website and email could be shut down during a cyber-attack. During a crisis, people search everywhere for information, and you need to be ready to communicate via every possible channel. This also is a good time to acquire website names, Twitter handles, Facebook domains and LinkedIn tags that could be used to attack your firm or mislead investors.
6.Practice Your Plan: Test your crisis communications response efforts before a cyber-attack occurs, and then test them again. It is likely that even the best-designed plan will have gaps, flaws or other shortcomings that will be revealed only under intensive, real-time testing. While crisis circumstances can never truly be replicated in testing, it still is crucial to practice your plan. It also is worthwhile to consider retaining a third party to conduct a surprise test of your plan.
7.Listen and Refine: Once an attack has occurred and your crisis response is underway, don’t forget to listen to all your stakeholders. That feedback will allow you to improvise and refine your plan as needed, in real time, to ensure the best possible outcome.
Constance Hubbell is the CEO of The Hubbell Group, Inc., a strategic communications firm that specializes in financial services and crisis communications. The Hubbell Group, Inc. (main) 781-878-8882 (Connie Hubbell direct) 781-210-5011 firstname.lastname@example.org