For investors, 2017 will be remembered as the year in which cybersecurity due diligence moved from a nice-to-have to a must-have. While WannaCry hit the news in the first half of the year, the latter half of 2017 has seen disclosure of ever more serious cyber breaches, from breaking news stories to delayed disclosures of previously concealed cyber events.
Several incidents made headlines in 2017, all of which outline different areas of vulnerability, gaps in response procedures, and approaches to disclosure and the repercussions thereof. The stories have their variances, but in every case, the moral is the same: the landscape is changing, threat actors are becoming more sophisticated, and there is no longer any question as to whether the threat of a cyberattack is real. Asset management firms can no longer cross their fingers and hope for the best – they must be prepared to implement and maintain security controls, and they must be prepared for the possibility that those controls may fail.
As always, we encourage investors to complete specific cybersecurity due diligence when onboarding and then maintaining an allocation to each external asset manager in a portfolio. For more information on Castle Hall’s cybersecurity diligence framework, our white paper “Evaluating an Asset Manager’s Cybersecurity Environment” - wonderful holiday reading! - is available here.
Perhaps the most shocking cyber event of 2017 was the Equifax breach. A server vulnerability - for which there was a published patch - was exploited, giving attackers access to the credit records of 145 million individuals. Testifying before Congress, former CEO Richard Smith claimed he didn’t ask for a briefing on the incident for almost two weeks, and that he still didn’t know the scope of the problem another week later. He placed blame on the head of a single, unnamed employee for not applying the missing patch, while simultaneously maintaining that adequate institutional security procedures were in place and had been followed appropriately. There were other missteps - a temporary breach notification site was riddled with its own security flaws, and the official Equifax Twitter account even briefly directed consumers to a look-alike phishing site.
Not only does this incident remind us of the responsibility inherent in the collection and storage of personal information, but it underlines the importance of planning, communication, and expertise in incident response protocols. It is alarmingly easy to exacerbate an already critical situation with inadequate and ill-considered measures.
Deloitte, a ‘Big 4’ auditor, also revealed this year that they had fallen victim to a data breach. The compromise of their e-mail infrastructure was traced back to a single administrator account, which had not been secured via two-factor authentication. It is assumed that Deloitte became aware of the incident in October of 2016, based on the timing of an internal communication mandating password and PIN resets for all US-based employees, but further details have been thin on the ground, even a year later. It is still unclear whether the administrator password at the root of the breach was obtained via social engineering or compromised in a brute force or pivot attack.
The takeaway: no organization is too big or too small to be targeted and breached. The chink in Deloitte’s armour would have had the same effect on an organization of any size – all firms must ensure that they have established, and can maintain, a consistent baseline of technical and procedural controls.
Perhaps the best example that anyone can be hacked was the disclosure from the SEC that their electronic filing system was likely exploited for illicit gain. The extent to which the EDGAR system may have been abused is still not clear.
An intriguing incident was the ‘Paradise Papers’, wherein the story wasn’t just the breach, but the data itself - a trove of documents leaked to media detailing the offshore tax strategies of wealthy individuals and multinational organizations. News outlets analysing and reporting on the data defended the confidentiality of their sources, considering the disclosures to be in the public interest – however, offshore legal firm Appleby, who were the largest single source of content within the Paradise Papers, staunchly maintained there had been no insider leak, and that materials disclosed were obtained illegally, a result of the efforts of ‘professional hackers’.
Rightly or wrongly obtained, once confidential information is in the public sphere, there’s no stuffing the genie back in the bottle. Once a firm’s private data has been compromised or disclosed, in the digital age, there is no limit to how many copies can be made and how far that information can travel. Understanding not only why your data is valuable, but to whom, may help implement protections to prevent breaches from occurring – would-be attackers could be any combination of financially, politically, ideologically, or otherwise motivated.
Finally, Uber only revealed publicly in late 2017 that they had been the victim of a breach fully one year prior, when attackers accessed a private code repository and pulled administrator credentials for the ride-sharing service’s cloud computing platform. Once they had access to those cloud servers, hackers were able to locate and exfiltrate an unencrypted archive of rider and driver information. Uber paid out $100K, disguised as a ‘bug bounty’ payment, for a promise that the attackers would delete their copy of the data. The decision to pay the ‘ransom’ is reported to have come directly from then-CEO Travis Kalanick and his chief security officer, Joe Sullivan. At least four states are currently investigating the matter, and there are expected to be serious legal ramifications for Uber’s failure to immediately disclose the breach.
While the instinct may be to conceal the occurrence of a data breach for fear that disclosure could harm an organization’s image, the moral of the Uber story is that the truth always comes out. Attempting to cover up an incident that, again, involves the PII of millions of individuals is a ‘penny wise, pound foolish’ strategy that will ultimately do an organization more harm than good.
Each of the five security incidents we’ve chosen to highlight from 2017 comes with a lesson, and each reinforces the notion that no organization is immune. The highest profile firms and the largest breaches will of course make the headlines, but for every Equifax, there are countless other organizations who are materially harmed by compromises of the confidentiality, integrity, and availability of their sensitive data. For asset managers – just as in any other industry – adoption of a standardized and tailored set of controls is a necessary step to reducing an organization’s attack surface. A comprehensive risk analysis and incident response plan will provide an established playbook and a procedure to follow should those protections be subverted, and should a breach occur.
Regulation: NYCRR 500
From the regulatory side, this year saw a set of rules come into effect in New York regarding cybersecurity requirements for Financial Services companies. NYCRR 500 includes provisions requiring the implementation of a cybersecurity policy, the appointment of a Chief Information Security Officer (CISO), auditing requirements, and access control guidelines, and it mandates regular risk assessments and penetration/vulnerability testing. The new law also imposes a requirement that any covered entity must notify the superintendent within 72 hours of cybersecurity ‘events’ “that have a reasonable likelihood of materially harming any material part of the normal operations” of that entity.
We are optimistic that these new regulations will serve to further maturity in the area of cyber security. In particular, the requirements of NYCRR 500 provide a solid foundation for any asset management firm’s security posture.
What will 2018 bring? Unfortunately, there is no question as to whether there will be another high-profile data breach in the months to come. Between the increasing sophistication of private criminal enterprise and the reality of state-sponsored interference, the question is, rather, who will be targeted, will they be breached, and if so - how will they respond?