ArchiveOODA Original

Can Hacker SIGINT Help Buy-Side Firms Generate Alpha?

As buy-side firms increasingly consume alternative data to glean the next trading edge, options strategies that accurately predict the cyber-risk of investment targets could unleash a wave of alpha for short sellers, threat-intelligence experts say.

Short sellers, or investors that place bets on the price of an asset declining, trade by purchasing ‘put’ options or borrowing securities to sell ‘calls’ on margin. 

But while over a dozen studies have been conducted to examine the impact of cyber-events on corporate share prices, research into how investors might position themselves to profit from the anticipated disclosure of enterprise breaches is virtually non-existent on the surface web.

With cyberattacks rising in frequency, reportedly tripling over the last decade, according to the International Monetary Fund, it is a generally accepted security principle that enterprise breaches have become an inevitable cost center for enterprises.

Even FireEye, one of the most venerable cybersecurity firms in the world, announced last week that it had been the target of a cyberattack “by a nation with top-tier offensive capabilities.” If FireEye can get hacked, it’s safe to say that no enterprise is safe today.

Furthermore, data-breach costs, which technology firm IBM pegged at an average of $3.86 million in a 2020 report, may be on the upswing during the pandemic, as enterprises have rapidly migrated the bulk of their operations to remote online environments. The new normal of remote work has only expanded the attack surface.

Given the rise of the crime-as-a-service economy, which has commercialized hacking tools for technically non-sophisticated actors, and the proliferation of digital attack vectors birthed by the pandemic, the enterprise has thus never been more vulnerable.

Increasingly retaliatory regulatory regimes like Europe’s General Data Protection Regulation, California’s Consumer Privacy Act, and New York’s SHIELD Act have further amplified cost concerns for cyber-deficient organizations.  

As organizations face an unprecedented threat environment, global non-government organization World Economic Forum noted the growing importance of cyber-resilience for investors in a security framework it published last Spring. 

“The fiduciary duty for investors increasingly involves assessing the cyber risk of their target investments, monitoring and mitigating the cyber risk of portfolio companies,” said the WEF in its report. 

Hacker SIGINT

According to Jeremy Samide, the chief executive officer of Ohio-based, threat-intelligence firm, Stealthcare, “the data we uncover in very dark corners of the internet can be used as a tactical advantage by hedge funds and others.”

There are two ways to decipher breach ‘signal.’ First, Samide points to posts in hacker forums, found on both the dark and surface web, where threat actors advertise enterprise data dumps. 

The second signal can be established “by applying sentiment analysis on hacker forum posts to better understand hacker behavior,” according to a 2018 research paper published by the University of Southern California’s Information Sciences Institute.

Sentiment analysis, or ‘opinion mining,’ “can be linked all the way back to Freud’s 1901 paper on how slips of the tongue can reveal a person’s hidden intentions,” according to USC. Since its early use in computational sciences back at the dawn of the Millennium, it has been “applied to our social networks, comments (such as on news sites) and reviews (either for products or movies),” USC said.

Specifically, USC researchers applied sentiment to undisclosed forums from both the dark and surface webs that promote the discussion of “computer security and network vulnerability topics.”

Kristina Lerman, a project leader at USC’s ISI and a co-author of the study, said that no investment firms had contacted her or her colleagues about the hacker sentiment study. “I can honestly report that we did not talk with anyone outside of academia about this project,” she said.

Still, taken in concert, market signal tuned from hacker posts that solicit data dumps and hacker chatter, in general, are adaptable to the growing appetite for alternative data by buy-side investment firms. This category includes hedge funds, mutual funds, pension funds, and private-equity firms.

Alt-Data Bull Run  

 Last year, corporate law firm Lowenstein Sandler LLP reported that over 80 percent of hedge funds are already using alternative data, which encompasses everything from satellite imagery, social media chatter, consumers’ purchasing behavior, and other exotic inputs to inform trading decisions.

What’s more, buy-side firms are projected to spend $1.7 billion on alternative data this year, according to AlternativeData.org, an industry trade group backed by data provider YipitData.

This number represents a 70-percent, year-over-year spending increase above 2019 for buy-side firms. In this market, some financial data vendors have already begun to factor the importance of cyber-risk into their ratings criteria.

According to a recent report authored by credit-rating agency Standard & Poor’s, cybersecurity “is a key risk that S&P Global Ratings embeds, as relevant, in its overall assessment of an entity’s creditworthiness.”

“Although it is crucial to learn from previous attacks and strengthen cyber risk frameworks in real time, the appropriate detection and remediation of attacks takes precedence as the nature of threats will continue to evolve,” says the S&P report.

But rating credit is different from trading derivative securities like stock options. The primary SP credit analyst who authored the report, Simon Ashworth, said “given our focus on fundamentals, I think it would be more appropriate to get the view directly from asset managers and hedge funds on this topic.”

Emily Schillinger, the vice president of public affairs for the Washington DC-based American Investment Council, a trade organization that represents hedge funds and private equity firms, said “we have nothing to add.”

Immediate Impact

Most recently, the immediate impact of a cyber-attack disclosure was evident in the FireEye breach. 

After announcing on December 8 that a likely nation-state actor stole the company’s “Red Team assessment tools,” which they use to test customer security, the stock dropped from $15.52 at the market open, to $13.49 by the market’s close the following day. That’s a significant one-day drop of over 13 percent. 

According to two 2019 studies authored by tech research firm Comparitech, and by the Massachusetts Institute of Technology, the immediate impact of a cyber-event always results in the stock price of a compromised company taking a plunge.

But the MIT report noted that the impact is most pronounced in the financial sector. MIT researchers also said that stock price reactions for cyberattacks that impact “industrial, information technology, and health sectors” are actually “insignificant.” 

MIT concluded that short-term, hack-related, stock price reactions “can be impacted by different factors such as industry, type of cyber breach and response strategy.”

Meanwhile, Comparitech analyzed the closing share prices of 28 publicly traded companies, all of which were traded on the New York Stock Exchange, starting the day prior to a public data-breach disclosure. All of these breaches resulted in at least one-million records being exposed, and some exceeded 100 million, according to the study.

Some of these companies were breached more than once, for a total of 33 breaches analyzed, said the Comparitech report. The study found that affected stocks generally “hit a low point approximately 14-market days following a breach.”   

Within three weeks of a breach disclosure, the share prices of affected companies “fall 7.27% on average, and underperform the NASDAQ by -4.18%,” at the trough of the selloff, reported Comparitech.

The MIT study, meanwhile, aggregated 13 different studies that explored the relationship between cyber-incidents and stock performance. Like Comparitech, MIT researchers acknowledged the tangible immediate impact of a breach on an affected company’s stock.

MIT cited a 2003 study that measured an average “2.7% decline in their stock price relative to the overall market on the day following the attack.” However, the next-day percentage decline noted by MIT stems from an era that pre-dates the mass-adoption of high-frequency trading.

Frequency Amplifiers

HFT is a short-term, algorithmic wagering model predicated on the split-second “turnover of positions as well as its implicit reliance on ultra-low latency connection and speed of the system,” according to a 2012 report from consultants Capgemini.

These algorithmic programs enhance trading velocity “through colocation at an exchange or hyper-fast connections between different exchanges (such as microwave towers),” according to a 2018 report on news analytics published by the Federal Reserve.

Hedge funds and others use HFTs to submit large orders to the market, rapidly entering and exiting positions. Also, HFT trades generally take place intraday, with no fund manager holding positions overnight. In the U.S., Capgemini found that HFT as a percentage of Wall Street equity turnover grew from 21 percent in 2005, to 56 percent by 2010.

Despite HFT use in traditional capital markets plateauing over the last decade, it still accounts for over 50 percent of equity-trading volume in the U.S., according to a University of Chicago study published last month.

Furthermore, while the trading bot “race” was measured in milliseconds (thousandths of a second) a decade ago, UChicago researchers say it is “now measured in microseconds (millionths) and even nanoseconds (billionths).”

Circling back to the theme of sentiment analysis, the Fed report found “evidence that high frequency traders rely on the information from news analytics for directional trading on company-specific news.”

The FED even said that HFTs “are the type of trader most likely to use news analytics to avoid adverse selection.” The largest news-sentiment analysis tool in the market is RavenPack, according to the Fed. 

With an August SEC report citing certain instances where algorithmic trading and HFTs can “exacerbate price movements during periods of high volatility or market stress,” it’s likely that news-sentiment-driven reaction to a data breach could be even steeper today than it was 17-years ago.

Still, it’s important to note that a 2018 study published by the University of Dublin’s School of Computer Science and Statistics, said that  “negative sentiment extracted from formal media was not significant” in “ in explaining returns of an asset.” 

However, the Irish study noted that a “first-order lag of article volume” did cause a meaningful impact on stock price. “This suggests that article volume could be used as a proxy for investor sentiment instead,” said the study.

Regardless, a 2013 study published in the Journal of Economic Perspectives found that “under certain market conditions, automated execution of large orders can create significant feedback-loop effects that cascade into systemic events” like the infamous “Flash Crash” of 2010.

The Flash Crash was a market meltdown where “major equity indices in both the futures and securities markets, each already down over 4% from their prior-day close, suddenly plummeted a further 5-6% in a matter of minutes before rebounding almost as quickly,” according to a 2010 SEC report.

One popular account of the event immortalized in the 2020 book Flash Crash attributes the selloff to a mass-HFT short circuit after a 36-year-old British trader and math prodigy spoofed the market, “with billions of dollars of fake orders,” according to a Financial Times report. But he was not the only spoofer in town, notes the FT.

Long-Term Outcomes

While Comparitech and MIT largely agree on the short-term impact of cyber events on an affected company’s share price, they reach different conclusions on how they affect long-term stock performance.

Comparitech’s findings are more bearish than the latter. “In the long term, breached companies underperformed the market. After 1 year, share price grew 8.38% on average, but underperformed the NASDAQ by -6.49%,” they said.

By year two, Comparitech said, “average share price rose 12.78%, but underperformed the NASDAQ by -12.88%. And after three years, average share price is up by 32.53% but down against the NASDAQ by -13.27%.” Still, Comparitech noted that the “impact of data breaches likely diminishes over time.”

MIT’s outlook, on the other hand, was more sanguine. While the report authors acknowledge that it is uncertain whether the stock of credit bureau Equifax, which was the target of a 2017 hack that leaked personal information of some 147-million people, will make a full value recovery, they noted that Target and TJ Maxx, which suffered similar high-profile breaches, “are seeing record profits today.”

MIT researchers speculated that the unexpected increase in these firms’ profits could be due to Target and TJ Maxx “aggressively implementing new technologies, which made them vulnerable to attacks. But in the long run, any damages from the attack dissipated under the economic benefits of their technological innovations.”

MIT concluded that any long-term impact of cyber-incidents on stock price is indeterminant. But “the mostly negative, if not significant, impact indicates that those organizations do not effectively turn cyber incidents into opportunities to improve and optimize their business,” said MIT.

But the main takeaway from the MIT study is that investor sentiment towards a data breach can differ from consumers’. While the bots might get spooked, customer purchasing behavior at retailers like Target and TJ Maxx, for example, may be unaffected.

Thus any lasting cyber-related price fluctuation in stock price has, instead, generally proven to be ephemeral, according to, MIT.  

Can Hacker SIGINT Generate Alpha?

Regardless, in a capital markets ecosystem flooded with alternative data and HFT bots that continue to accelerate in speed with each passing microsecond, the question remains if hacker signal can give the cyber-savvy fund manager a trading edge.

The MIT report did note that there is “even a negative market reaction to firms prior to the announcement of the attack, suggesting the existence of insider trading.” So why not hedge funds and other buy-siders, asks Stealthcare’s Samide?

“Our research indicates that with the amount of data we collect on a daily basis from our sources, you can identify the losers that will have to make public disclosures when they realize they have been breached,” said Samide. 

“This typically can take up to nine months before they discover, react, and disclose the breach,” he added. 

Samide said that Stealthcare has “built a system that can collect, index and monitor the darkest corners of the internet and identify the next breach before the organization does.”

Generally, enterprise data leaks and new cyber-attack tradecraft first become visible on underground hacking forums, some of which are only accessible via onion sites on the dark web. Samide declined to name any of the sources he monitors, citing security concerns.

But the USC study noted that, as of 2018, researchers were able to recognize over “over 140 hacker forums on the public web.” On Twitter, one anonymous tech activist, who claims to manage public relations for radical political organization ANTIFA, and who has been monitoring these cybercriminal forums for the last eight years clarified the nature of this ecosystem. 

“It’s typically smaller Russian and Eastern European forums that specialize in carding – carding forums are more or less beacons for other types of fraud, so seeing new, unreleased database leaks being sold there is pretty common,” said the user.

But the USC study found that “Dark Web conversations were shown to provide earlier insights than Surface Web conversations by indicating potential predictive power for cyber events.”

Andrei Barysevich, the co-founder of fraud intelligence firm Gemini Advisory, which keeps tabs on Russian carding forums and the cybercriminal underworld in general, also declined to provide forum names, saying, “it would be imprudent to the bad guys any more ideas.”

But Barysevich acknowledged it’s “totally possible” that data-leak signal could be used by investment firms to strategically position themselves for the impending disclosure of a cyber-incident. Still, he cautioned that “not only hedge funds can trade on the signal. Criminals can trade on it too.” 

Case in point, the SEC and the Department of Justice brought charges against an “alleged Ukrainian hacker and other suspects in a scheme where nonpublic information was taken from the commission’s corporate filing system and used for illegal financial trading.” Traders minted at least $4.1 million in illegal profits, according to the SEC.

“Cyber-threat intelligence is the next frontier for the hedge fund industry in determining the future shareholder price or enterprise value of an organization,” said Samide.

Tim Lloyd

Tim Lloyd

Tim Lloyd is a risk analyst and threat-finance reporter at Shadow Banker Media, where he is also the CEO. He was previously a financial advisor at Morgan Stanley. Now, he writes about the private fund industry, AML compliance, and cyber-threat intelligence. He has reported on issues such as FBI concerns over laundering risks in private equity and hedge funds and emerging cyber-enabled financial crime risks for Thomson Reuters Regulatory Intelligence, Vice Motherboard, and many other media outlets.