Firms at risk as their clients begin a thorough examination of all data security practices
Recent cybersecurity breaches affecting financial services firms often share a common thread: risks caused by a human element.
These risks can encompass a number of threats, from phishing attacks — personalized scams that are not limited to email and are used to spread malware or obtain sensitive information — to simple employee errors that expose client data.
As such, institutional investors are increasingly checking the data security practices of their service providers to make sure their data doesn't fall into the wrong hands. One example is the $57.1 billion Los Angeles County Employees Retirement Association, Pasadena, Calif., which is examining its relationship with its Boston-based custodian, State Street Bank and Trust Co., after the custodian experienced three documented data security incidents last year, board meeting documents reveal.
As a result of the incidents, a State Street representative will be attending LACERA's Jan. 9 board of investments meeting to provide more information on the events, according to documents.
Moving into 2019, cybersecurity also is an examination priority for the Securities and Exchange Commission. And this comes as the number of security breaches is continuing to grow, according to an October report from Campbell, Calif.-based data security firm Bitglass Inc.
From January 2018 through August, financial services firms recorded 103 breaches, compared to 37 over the same eight months in 2016, the report said. Bitglass aggregated data from the Identity Theft Resource Center and the Privacy Rights Clearinghouse.
Firms should take note that the weak link within an organization's cybersecurity efforts is often the end user, with phishing campaigns being among the most common attack vectors for entry, said Johnny Lee, an Atlanta-based principal and national practice leader of forensic technology services at Grant Thornton LLP, in a December telephone interview.
There have been "attempts when an asset manager is asked to reroute a wire transfer that was already in the midst of being approved or a recurring payment over the span of a deal or transaction," Mr. Lee said.
Intruders typically infiltrate ongoing communications, spoofing the email address of an actual employee or point person — or in some instances, sending the email from a hacked account — and then directing future transactions to be sent to an account of their choosing, he explained.
"If there was one trend that we've seen at asset managers more than any other in 2018, it's definitely (phishing attacks). We get more calls on that than any other (attack)," Mr. Lee said.
"For these kinds of scams, often very low-tech compensating controls are the answer," such as two-factor authentication or implementing other security controls that don't rely on email as the main confirmation for a transaction, he said.
Financial services firms must also implement security controls to mitigate, or minimize the impact of, other human errors that aren't prompted by a scam or cyber intruder, but result in a breach.
In 2018, State Street Bank experienced three data security incidents caused by human error, which strained its business relationship with LACERA, public board documents reveal.
State Street has served as a global custodian for LACERA for more than five years, board documents published on the pension fund's website show.
In July, LACERA Chief Investment Officer Jonathan Grabel sent an email to State Street's then-CEO Jay Hooley, writing that the data security incidents were "unacceptable and raise a variety of concerns." The email was among the documents posted on the pension fund's website.
State Street was "extremely slow in reporting these matters to LACERA," and, "secondly, the quick succession of data security shortfalls in various areas of our multidimensional relationship with State Street raises questions about our systemic dependence on State Street," Mr. Grabel wrote.
"Thirdly, are these incidents indicative of three random and unrelated events or are they representative of fundamental flaws in State Street's data security or a declining risk management culture?" he asked in the email.
LACERA determined the most recent incident, which was brought to State Street's attention in June 2018 by an unnamed third party that had been granted access to LACERA's data, was the most serious of the three, since it exposed LACERA's sensitive trade information, according to a separate July 30 memo Mr. Grabel wrote to LACERA's retirement and investment boards.
After a State Street employee received a request from a fixed-income manager not affiliated with LACERA to access the pension plan's data via State Street's client portal, the employee granted the outside firm access, the memo said. State Street was contacted on June 7 by an unnamed user at the outside firm and then revoked the user's access.
"In response to this incident, State Street reminded employees regarding client information safeguards and user access request procedures. In addition, user access requests now require a secondary review by a member of State Street management," Mr. Grabel's memo said.
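The two controls the memo describes, an affiliation check on the requesting firm and a secondary review by an independent manager, can be modelled as a small access-request workflow. The code below is an added example, not State Street's or LACERA's own system; the client, firm and employee names are constructed placeholders, and the reconciliation check at the end is an assumed detective control that would surface a mistaken grant internally rather than waiting for an outside party to report it.

```python
# Added example: client-portal access requests with an affiliation check,
# a four-eyes review by management, and a periodic reconciliation of live grants.
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    client: str          # whose data is being requested, e.g. a pension fund
    requester_org: str   # the firm asking for portal access
    handled_by: str      # employee who first processed the request


@dataclass
class Portal:
    # client -> set of firms that client has authorized to see its data
    authorized: dict
    managers: set                      # employees allowed to perform the secondary review
    grants: list = field(default_factory=list)   # live (client, firm) grants
    log: list = field(default_factory=list)      # audit trail of decisions

    def grant(self, req: AccessRequest, reviewer: str) -> bool:
        """Grant only if the firm is affiliated with the client AND a manager
        other than the handling employee has reviewed the request."""
        if req.requester_org not in self.authorized.get(req.client, set()):
            self.log.append(f"DENY {req.requester_org}->{req.client}: firm not affiliated with client")
            return False
        if reviewer not in self.managers or reviewer == req.handled_by:
            self.log.append(f"DENY {req.requester_org}->{req.client}: no independent management review")
            return False
        self.grants.append((req.client, req.requester_org))
        self.log.append(f"GRANT {req.requester_org}->{req.client}, reviewed by {reviewer}")
        return True

    def unaffiliated_grants(self) -> list:
        """Detective control (assumed, not from the memo): list live grants whose
        firm is not authorized by the client, so that a grant made in error is
        caught by the custodian's own review rather than by an outside user."""
        return [(c, o) for c, o in self.grants
                if o not in self.authorized.get(c, set())]
```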
This incident followed two other incidents caused by human error at State Street in January and March of 2018, which resulted in LACERA's performance and market value data being exposed to an investment consultant, and its demand deposit account numbers and client contact information being emailed to an outside party, according to board documents.
As a result of the incidents, Mr. Grabel in his email to Mr. Hooley asked that LACERA's management team meet with senior executive management at State Street to discuss their business partnership.
This month, a State Street spokesman said in an emailed statement that the firm takes its "role as a trusted provider extremely seriously" and that it will "continue to devote significant time and resources to improving the governance and controls of our information security processes."
The company declined to comment beyond the statement.
Working with State Street
Board documents from December state that LACERA is "working with State Street to re-onboard the custodial bank relationship." LACERA officials declined to provide information about what re-onboarding entails.
Additionally, at LACERA's Jan. 9 board of investments meeting, Hemant Bhide, State Street senior vice president and head of the U.S. asset owner business, is expected to provide further information to LACERA about the incidents, a December memo by Mr. Grabel noted. In September, Andrew Erickson, executive vice president and head of Global Services worldwide, also discussed the data security incidents, the memo said.
LACERA's board of investments secretary Linda El-Farra declined to provide further information ahead of the Jan. 9 board of investments meeting but directed P&I to its recently published materials.