Job No. 1 in 2019 for asset owners and managers must be reviewing and even spending money to fortify the cybersecurity of their institutions, both in-house and with all the firms that provide them with services, such as custodians, consultants, asset managers and brokerage houses.
Hackers have become more cunning, often not attacking a target directly but indirectly through a service supplier, sometimes a minor one. This was the case in a 2017 attack, allegedly by Russian hackers, on the U.S. power grid. The attack did not use sophisticated software, but simple phishing — sending emails pretending to be someone entitled to requested information, according to a reconstruction of the hack by The Wall Street Journal in a Jan. 10 report.
The hackers launched an attack against a 15-person excavating company in Oregon that works with utilities and government agencies involved with the nation's electric grid, seemingly an unlikely target for attackers aiming ultimately at the power grid. From there, they worked their way up a chain of the company's contacts at utilities and government offices for which it had worked, gaining access to the information they wanted.
What is to prevent a similar strategy used to gain control of the computer systems of major financial institutions and causing havoc in the capital markets? It's only intense concentration on cybersecurity at all levels of the industry — from the smallest research boutique or consulting firm to the largest index fund managers or custodians.
Institutions must first review their own internal cybersecurity practices and controls, continually updating anti-malware software. They must also constantly remind employees to beware of emails with attachments or requests for seemingly innocent information, even apparently from friends or contacts. In addition, they must carefully review who has access to key data. Data privileges, if spread too widely, can be a key point of vulnerability.
Then they must ask those firms that provide services for regular reports on the steps they are taking to ensure their systems are as hack proof as humanly possible, and what they are doing to ensure employees do not inadvertently breach data security.
The key to successful defense is constant vigilance, constant updating of anti-malware software, and constant reminders to employees that they are a key part of the defense.
The defense must be successful every time in warding off the attackers. The attackers have to be successful only once.