Your Asset Manager Just Got Ransomwared....

Advanced Technology Ventures ("ATV"), a 40-year-old venture capital firm based in Boston and Silicon Valley, revealed in a filing with the Maine Attorney General’s Office that they’d been victim of a ransomware attack in July 2021. And it's not the only asset manager that Castle Hall is aware of that has been subject to ransom, although few other cases have (yet) been made public.

Per ATV's Notice of Data Breach:

What Happened? On July 9, 2021 the Company learned from its third-party information technology provider that there had been anomalous activity on two identical ATV servers (the “Servers”) on which the Company stored financial reporting information. The Company soon determined that the Servers had been encrypted by a ransomware attack. On July 26, 2021, the Company learned that there was evidence of both unauthorized access to and exfiltration of the contents of the Servers.

What Information Was Involved? Although the Company has not yet confirmed the precise categories of personal information that were accessed on a per-individual basis, the Company has reason to believe it included the names, email addresses, phone numbers, and Social Security Numbers of individual investors in the Company’s funds. We are not at this time aware of any fraud or misuse of your information as a result of this incident.

The question of investor details being leaked is very worrisome. Many venture capital firms are self administered and therefore gather know your customer information internally - so names and social security numbers could theoretically be expanded to copies of passports and other identifying information if hackers access underlying data.

The approach in ransomware attacks has evolved from when the technique first emerged – when the play was simply to encrypt files in-place, rendering them inaccessible to their owners, and demand a ransom in exchange for the decryption key. Recently, virtually all attacks have included a data exfiltration aspect, resulting in a two-pronged threat to businesses: encryption of the data stored in cloud and on-premises systems which immediately disrupts operations, and the looming threat of leaking sensitive data - presenting reputational, financial, and regulatory consequences.  

Ransomware has become a lucrative industry, and it is not uncommon to see entire software kits for sale on the dark web - the hackers and software engineers who develop these tools take their initial payment (and perhaps a cut of any earnings) and allow others to perpetrate the attacks themselves. Ransomware kits are available to individuals for less than $100, with progressively more advanced software tools available to larger criminal organizations with loftier ambitions and more capital. 

This year’s cybersecurity headlines have been dominated by these attacks – ATV take their place beside Colonial Pipeline, Brenntag, and JBS Foods, to name a few. In response to the surge in high-impact ransomware, the US Department of Justice issued internal guidance in early June, giving ransomware investigations a similar priority as terrorism, while Cristopher Wray, director of the FBI, compared the threat of ransomware to the 9/11 attacks.  

Our advice to due diligence practitioners? Continue to place emphasis on evaluation and discussion of the cybersecurity posture and culture within a firm. Managers should display an awareness of their risk profile, a coherent approach to implementing security controls commensurate to that risk profile, and a firm-wide, from-the-top security culture, consisting of robust cybersecurity awareness, training, and testing programs - with no exceptions. Allocators should incentivize managers to display that they take their cyber responsibilities seriously, and will not expose their client’s capital and data to avoidable risks.  

To learn more about Castle Hall's due diligence responses to cybersecurity and digital assets, visit cybersecuritydiligence.com.