Funds Fear Cyber Attacks on Banks

Following recent cyber attacks on J.P. Morgan and other banks, hedge fund lawyers are reviewing their clients’ contracts with prime brokers and administrators.

The lawyers want to ensure that managers have recourse in the event a service provider suffers a cyber-security breach that leaks sensitive hedge fund portfolio or client data. In some cases, lawyers are seeking to amend contracts with prime brokers and administrators to give fund operators more options to pursue damages. At the very least, they want to insert language stipulating that hedge fund clients are promptly notified of a cyber attack on a service provider.

In addition, some fund-management firms are insisting that their prime brokers and administrators conduct periodic cyber «audits»; disclose changes to cyber-security policies and practices; and seek managers’ consent before releasing data to third parties.

J.P. Morgan and at least four other banks were the targets of a sophisticated cyber-espionage operation that came to
light in August. Earlier this month, J.P. Morgan disclosed that some 76 million households and 7 million small businesses were affected by the attack, though the bank said the hackers were unable to access client accounts.

Prime brokers and custodians – including those operated by the biggest banks – possess valuable information about
their hedge fund clients. Virtually every aspect of a manager’s trading operations can be gleaned from its prime brokers’ computer systems, while administrators maintain records on funds’ limited partners.

One cyber-security expert said managers have to be especially careful when dealing with smaller fund-administration firms. «The big administrators and those with a real compliance focus – they have in-house lawyers and insurance,» said Jorge Rey, director of information security and compliance at accounting firm Kaufman Rossin. «Smaller ones, not as much.»