Cybercrime – it’s a $3 trillion industry now and affects everyone from Joe Q Public to the government to even the hallowed firms that populate Wall Street.
While the public and government might be more resource constrained to fight this new 21st century threat, what about the firms which control our money and run the financial system? We are, after all, talking about an issue that has ballooned in cost from $100 billion in 2013; the global cost of cybercrime is estimated to grow from $3 trillion in 2015 to $6 trillion annually by 2021.
Yikes.
So, how is Wall Street protecting itself now that the stakes went from already high to – stratospheric? John Manganiello, Head of Business Development at Richard Fleischman & Associates, a firm that specializes in IT security, told Traders Magazine that the stakes in preventing a cyber-attack have grown exponentially as technology and data have moved from physical servers at distinct locations to the cloud.
“We’ve been doing this type of work for over 25 years and from a buy-side and sell-side perspective a lot has changed,” Manganiello began. “From a top down view, there is no single Holy Grail of security that covers everything. Instead, we look at and think of security in terms of layers a firm has.”
Manganiello added that the buy-side is very aware of cyber risks – and not just from protecting against an attack against a trading desk. Now firms are thinking of protecting middle- and back office operations, data networks, delivery networks and even disaster recovery plans. And it’s the major buy-side asset managers that are driving the rest of the institutional investors to pay heed to threats.
“When I go to peer group dinners, from our standpoint, there is the need to protect the entire firm and not just the trading desk,” he said. “Also, firms are adopting a risk policy. When it comes to cyber security firms look at how their reputational risk could be at stake, what is the cost of a hacking, etc. Now there is even cyber insurance.”
And cyber crime and security is on the mind of regulators too.
“I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues,” said Securities and Exchange Commission Chairman Jay Clayton, during a panel discussion at New York University. “I’d like to see better disclosure around that.”
Reuters reported that one concern for the SEC relates to a rise in cases of information being stolen by hackers to gain some sort of market advantage, said Stephanie Avakian, co-director of the SEC’s enforcement division, who joined Clayton on the panel along with co-Director Steven Peikin.
Manganiello told Traders that cyber security is the next battlefield and where future economic warfare will take place.
“The buy-side needs to be not just diligent about its own house and procedures but also in who they choose in this day of third party providers and risk,” he commented. “They need to vet these providers thoroughly.”
Allan Goldstein, Chief Technology Officer at Trade Informatics, told Traders Magazine that the recent hurricanes Harvey and Irma, combined with the Equifax hack of 150 million consumer records, are a reminder that the technology risks facing both the buy and sell side, business continuity and cybersecurity, only continue to become more urgent.
“So, how prepared has the industry become over the years considering these are not anomalous events but a reality of everyday business risk,” Goldstein asked. “I would suggest it’s a mixed bag. Buy side firms have a significant and precious resource, that being the historical trading data. The potential for this data to be compromised and reconstructed for the purpose of replicating investment strategies, particularly quantitatively driven strategies is a top concern. Also, the potential for tapping and monitoring of real-time trading carried over potentially insecure FIX connections allowing for monitoring of trading patterns should be of concern.”
He noted that the response to these threats typically comes in the form of traditional approaches such as enterprise firewalls, timely OS patching of all systems and encryption techniques. However, keeping up with these labor intensive and costly techniques is giving way to the public cloud. Amazon AWS, Microsoft Azure and Google Cloud, he added, are all being leveraged by buy side O/EMS vendors for hosting of trading systems.
“Among the many advantages of these environments is cybersecurity on a massive scale, one that cannot be matched by individual firms managing their own environment,” Goldstein said. “Other middle and back office operations are also migrating to vendors operating in the public cloud looking to take advantage of not only convenience of SaaS delivered software but cybersecurity techniques deployed en masse.”
Finally, as a result of the trend toward SaaS and public cloud, Goldstein agreed with Manganiello that buy side firms are having to perform significant due diligence on those vendors entrusted with this vital task.
“The emergence of AITEC and ACA Aponix is a result of the demand for transparency of vendor capabilities typically with respect to their IT security posture. These tools are used to deliver and facilitate review of security questionnaires. AITEC is specifically geared to help smaller asset managers and hedge funds facilitate their need to ensure those firms trusted with their most prized proprietary information are up to the task.”
This article originally appeared in the September 2015 issue of Traders Magazine
How Secure Is the Buyside?
By Phil Albinus
It was a ploy as brazen as it was ingenious. A team of rogue traders from the U.S. teamed up with clever hackers and traders in Ukraine to break into the servers of major media firms. The plan was to steal soon-to-be announced reports of earnings and other business dealings connected to HP, Boeing, Ford, Bank of America, Home Depot and others, and make trades ahead of the news.
Early one morning last month, the traders were arrested in their homes in the U.S. while arrest warrants were issued for hackers in Europe. U.S. authorities also seized $6.5 million in bank and brokerage accounts, and plan to charge 30 defendants with stealing information from two newswire services. According to the U.S. Securities and Exchange Commission, the hackers and traders stole $100 million in their insider trading scheme.
The hacked information? Press releases.
The traders are alleged to have used this nonpublic information in a short window of opportunity to place illicit trades in stocks, options and other securities, sometimes purportedly funneling a portion of their illegal profits to the hackers, said the SEC.
Once a source of agita mainly for commercial banks and credit card companies, hackers are now training their sights on investment firms, broker-dealers and hedge funds. News of hack attacks, distributed denial of service (DDoS) attacks that take down a business’s servers, and cyber-threats by so-called white hat hacktivists have been gaining in urgency in the past year. According to industry observers, hedge funds are ripe for cyber-attacks. As a $2 trillion industry, U.S. hedge funds boast high-net-worth clients, have leaner operations that rely on vulnerable technology such as cloud computing, and must deal with broker-dealers and third-party IT and financial services providers.
In what ultimately might be their weakest link, hedge fund managers deal in a world of high risk and near anonymity. Even if they are hacked, many hedge funds would not come forward to admit that their servers have been breached and their client data compromised.
“Hedge funds hold a tremendous amount of capital, incredibly sensitive proprietary information and valuable algorithms, but they are small shops and often have weak IT,” Assistant Attorney General John Carlin told an audience of hedge fund professionals at a conference in Las Vegas in May.
Carlin urged hedge fund managers to share information about attempted hacks and phishing schemes. He called the managers’ traditional refusal to report these violations a payday for hackers. “It means they can conduct their activities cost-free, they can keep getting better at stealing information, and no one is improving on our end by sharing information to prevent it from happening,” he said.
A Wave of Hack Attacks
If you thought last year was a never-ending slog of racial strife in the U.S. and unrest in Ukraine and the Middle East, it was a banner year for hackers. In the summer of 2014, Bloomberg reported that hackers stole passwords from the CFO and treasurer of a major U.S. hedge fund. The hackers were able to siphon roughly $1.5 million in less than two minutes using three wire transfers – each just under $500,000, the amount that would have set off an alarm at the unnamed fund. (It is worth noting that Bloomberg’s source for the story was a leading cyber-security solutions firm.)
Also that year, hackers exploited vulnerabilities in the software code of Nasdaq’s servers and allegedly stole 160 million credit cards from the market-maker as well as from Dow Jones, JetBlue, 7-Eleven, JCPenney and other corporations. The FBI, which alerted Nasdaq to the hackers’ presence on its network, noted that they had left a so-called digital bomb to wipe out the market-maker’s computers if they were detected. Vladimir Drinkman, 34, of Moscow has pleaded not guilty to the theft as he awaits trial.
Last year, JPMorgan Chase announced that the names, addresses and emails for an estimated 76 million households and 7 million small businesses may have been compromised in a wide-ranging data breach. Investigators believe the hackers responsible for this breach hailed from Russia and also targeted Citigroup, HSBC and E*Trade.
The Target on the Buyside’s Back
Why did famed bank robber Willie Sutton rob banks? “Because that’s where the money is,” he allegedly told a reporter. (He denied saying this, but it’s still known as Sutton’s Law.) The same goes for hedge funds and client credit card information. “Knowing that they have information from high-net-worth investors, hedge funds have bank account numbers, personally identifiable information and wire transfer information for these investors; they are a target,” said Brian Lozada of Abacus, a financial security solutions provider.
Aite Group analyst Denise Valentine agrees. Credit cards may be the low-hanging fruit, but hackers cannot resist this lure despite the security that banks and investment firms put in place. “Every firm has their own unique infrastructure like firewalls, but the culprits are as smart and have as much experience as you,” she said. “It’s quite a race to the finish to see who will come out on top.”
According to Valentine, third-party vendors could be the weak link in the buyside’s chain of security. Further, hackers can break into a hedge fund’s network via the most mundane and least sexy of avenues: human resources or accounts payable services, for example. “When employees travel, they use their own credit cards and submit expenses internally. Sometimes the employers are giving their credit cards to a company that is authorized to book and reimburse the travel,” she said. “Or sometimes credit cards are submitted to attend conferences or payment for research.”
For Valentine, it all comes down to stringent due diligence. “Vendor risk management means asking, ‘What information am I giving? What are benefits and travel agency vendors doing with the information?’ Blue Cross Blue Shield is a major provider to financial services firms and they were a big target this year,” she said, referring to a cyberattack in which data of 80 million clients were stolen.
Abacus has roughly 270 hedge fund and private equity clients on its platform that range from small firms with 10 to 12 employees on up to larger funds. According to Lozada, larger investment firms like Goldman Sachs and Credit Suisse have invested in network security lately. That said, they can still be vulnerable via the smaller hedge funds and boutique investment firms. “If I was doing recon, I would target hedge funds,” he explained. “Why? Because they are weaker, they don’t have the funds to protect themselves against organized crime, and if I am able to get into one of these funds that uses Goldman or Credit Suisse as a prime broker, that’s a way to get to them.”
So far, the attacks in the asset management space have been twofold, according to Mark Clancy of Soltra. First are the run-of-the-mill operations where a hacker finds a hedge fund employee’s LinkedIn or Facebook account and emails him or her malicious software with clickable links; the hacker then steals the employee’s credentials or encrypts the hard drive.
In other cases, there have been targeted attacks in the hedge fund space where the employees’ credentials are used to move client funds. This is called an account takeover, where hackers attempt to rob the fund’s actual bank accounts. To do this, hackers obtain the credentials of more than one person in the hedge fund because these transactions require the approval of multiple managers.
“Hackers have moved from mom-and-pop retail accounts and business accounts. They realize that financial firms like hedge funds have large-balance business accounts, and conveniently send money to all types of places,” Clancy said. “If you’re a hedge fund that trades in commodities, wiring money to an oil-rich nation outside the U.S. is probably not an unusual transaction for you.”
These incidents have spurred growth in the burgeoning identity and access management sector. Research firm IDC predicted that the investment in ID and access management solutions will increase from $4.8 billion last year to $7.1 billion in 2018. Financial firms are seen as primarily behind this push due to their enthusiastic adoption of ID management technology.
Exploiting a Manager’s Strength
Hedge funds are notoriously secretive and do not shy away from risk. Getting a hedge fund manager to admit vulnerability to his or her high-net-worth clients – many of whom entrust hedge fund managers with tens and even hundreds of millions of their personal fortune – is anathema to them.
Tony Amicangioli from Hyannis Port Research, maker of Riskbot, works with hedge funds and broker-dealers, and he knows the concerns of hedge fund managers firsthand. “The sensitivity to information leakage is extreme.”
Lozada agrees. If a hedge fund admits that it has been breached and had little to no security in place, he said that the damage will be extensive and would take years to recover. He added, “If a fund goes out of business when it gets hacked, would you ever recover from that? A compromise can follow you for the rest of your career.”
This fear of failure could make the buyside even more vulnerable to theft – and resistant to change. One outspoken member of the hedge fund community admitted that the alternative investment industry is more concerned with returns than cyber-security. “You don’t feel insecure until you are breached. The average person in the financial sector, myself included, is not as focused on these threats as they need to be,” said hedge fund manager Anthony Scaramucci in response to the comments by Carlin, the assistant attorney general, at the Las Vegas hedge fund conference.
The Regulators Act
Regulators are not taking the threat to hedge funds and other smaller asset managers lightly. Last April, the SEC issued its first-ever Cyber-Security Guidance recommendations. Why? “Because of the rapidly changing nature of cyber-threats, the [Security] Division will continue to focus on cyber-security and monitor events in this area,” the SEC report stated.
Likewise, the DTCC issued a white paper entitled “Beyond the Horizon: A White Paper to the Industry on Systemic Risk” to warn that financial institutions face considerable threat from malware that can be sent by hacktivists through email attachments or compromised Websites. It added that “[t]hese hacktivists are likely to use social networking tools to identify and attack the machines of targeted individuals within financial companies.”
Clancy calls these measures a good first step but warns that they might not be enough for fast-moving hackers and online thieves. “The challenge is that regulatory frameworks tend to be fairly static by the nature of how these rules get propagated, and these problems are very dynamic,” he said, adding that regulators are using a carrot-and-stick approach. “I think regulation is a lagging indicator because of the nature of how it is produced.”
At the end of the day – or the middle of the night – the odds are in the hackers’ favor.
As Lozada put it: “Being a chief information security officer, I have to be right 100 percent of the time, but a hacker has to be lucky just once.”