Hackers can spend months inside a financial firm’s systems, diverting money. As Alex Rolandi reports, this is a concern to all funds industry actors, from custodians to private equity firms.
“It’s a vulnerable time,” says Kevin Alameida, chief information security officer at specialist fund administrator IQ-EQ. “SolarWinds is the hot topic on everyone’s mind.”
After hackers infiltrated business software firm SolarWinds’ systems in early 2020, up to 18,000 of its clients were exposed to malware via a compromised software update. Victims ranged from US state departments to investment funds.
The breach – unprecedented in its reach and scale – wasn’t discovered until December when US cyber-security firm FireEye was attacked separately. It was a stark reminder of the ever-growing sophistication of cyber-crime.
SolarWinds says it spent $18-19 million in the first quarter of 2021 to investigate and rectify “the cyber incident”. Meanwhile, the insurance costs of the hack continue to rise.
The key message here, Alameida tells Funds Europe, is that the SolarWinds attack wasn’t the first major supply chain compromise, and it certainly won’t be the last.
“This lightly state-sponsored warfare spilling into the private enterprise space has – thinking optimistically – served as a wake-up call for all organisations, and private equity firms in particular, to understand the potential for what might be lying around the corner,” he says.
Software powerhouses such as Microsoft and Cisco – both affected by the cyber attack – were previously seen as difficult targets for hackers, explains James Tedman, partner at cyber-risk firm ACA Aponix. “It was acceptable to ‘trust’ them, which negated the need to perform due diligence or think about how adopting their products might introduce vulnerabilities.”
Many funds and several industry service providers using the SolarWinds Orion platform were inadvertent victims of the hack, notes Tedman.
The world’s largest sovereign wealth fund – Norway’s Government Pension Fund – was one such victim. It downloaded compromised software as part of a routine update in July. According to a spokesperson, there are no indications that the malware ran in the environment or was utilised by a threat actor for further exploitation.
“The [SolarWinds] attack has really moved the goalposts and forced firms to consider how they could be vulnerable through their supply chain, including through the use of trusted brand name software and hardware,” says Tedman.
In May this year, the state-backed Russian hackers allegedly behind SolarWinds were at it again, launching a widespread phishing campaign using the compromised email account of the US Agency for International Development. Around 3,000 email accounts at more than 150 organisations were targeted, according to Microsoft.
When cyber criminals are state-sponsored, their budgets can be almost unlimited, says IQ-EQ’s Alameida.
“For private equity firms, the cyber-security challenges are clear,” he adds, citing “large sums of money, often modest cyber-security capabilities in the PE firm itself” and “access to portfolios of companies with potentially wide-ranging and valuable assets”.
“There is also the potential for PE firms to be hesitant about reporting attacks out of fear of reputational damage. And criminals are, of course, aware of these vulnerabilities.”
Cyber crime against the financial sector has soared since the onset of Covid-19 as remote working became the norm. Attacks increased by 238% from the beginning of February to the end of April 2020, according to data from tech firm VMware.
Hackers may target process or system vulnerabilities in third parties such as fund administrators or custodians, explains ACA Aponix’s Tedman.
The most common form of attack against investment managers is payment infiltration, he says. This is “often the most impactful, with many successful attacks taking place that have resulted in significant losses”.
An attack targeting the Norwegian Investment Fund for Developing Countries (Norfund) in 2020 saw hackers divert $10 million destined for Cambodia to an account of the same name in Mexico. The fraudsters had spent months inside the fund’s networks after an “advanced data breach”, allowing them to monitor emails and patiently gather information. The theft took place in March but wasn’t noticed till April.
Olaug Svara, chair of the board of directors at Norfund, said in a statement that the wealth fund would introduce further measures and “strengthen routines” to prevent it happening again.
Cybersecurity ranked fourth in a list of ESG concerns last year in a survey by RBC Global Asset Management (RBC GAM) of more than 800 institutional asset owners. In 2019, it was the top ESG concern for institutions.
“Investors know what they don’t know,” says Melanie Adams, vice president and head of corporate governance and responsible investment at RBC GAM. The advent of machine learning, she adds, has made cyber crime increasingly sophisticated.
“Machine learning can really amplify the risk of how smart hackers are now, how sophisticated their methodologies are, and it’s hard to track. It’s exponential how much further they’re getting these days,” Adams tells Funds Europe. “With the SolarWinds case, we saw how something can be hiding in plain sight. You can have very robust policies and procedures, but the nature of cyber security is that you can’t always foresee these things.”
IT security firm Sophos estimates that the average cost of recovery from a ransomware attack stands at $1.85 million, or nearly twice what it was a year ago.
A ransomware attack that hit the headlines recently involved US oil pipeline operator Colonial Pipeline. The firm, which had to cease operations for several days in May, confirmed that it paid $4.4 million to the hacker gang responsible.
The frequency and severity of these kinds of attacks on critical infrastructure appear to be increasing, says the World Economic Forum. In June, the Swiss-based organisation, founded by Klaus Schwab, held its third annual ‘Cyber Polygon’ – a combined conference and cybersecurity ‘training exercise’.
Not surprisingly, investment in cybersecurity is increasingly attractive. Data from Preqin shows that between 2016 and 2020, venture capital deals with US-based cyber-security companies rose by an average of $1.9 billion a year. By May, nearly $6 billion worth of deals had taken place in 2021.
“For investors, the constant rise of cyber attacks implies both opportunities – investments in cyber-security companies – and threats, if companies are attacked,” says Jan Nießen, portfolio manager at Union Investment. “Data-security issues are essential evaluation criteria for an investment decision.”
The next financial crisis?
Towards the end of April, in the wake of the SolarWinds attack, the New York State Department of Financial Services warned that the next major financial crisis could arise from a cyber attack.
“Seeing hackers get access to thousands of organisations in one stroke underscores that cyber attacks threaten not just individual companies but also the stability of the financial industry as a whole,” said superintendent of financial services Linda A Lacewell.
For Tedman at ACA Aponix, the chances of this happening are significant – which is why regulators are focusing on operational resilience.
“If the attacker is a nation state, it is absolutely feasible that critical industry infrastructure could be compromised,” he says. “For example, imagine nation-state hackers were able to breach exchanges and/or industry market data providers to disrupt trading or infect the data the market participants rely upon.”
IQ-EQ’s Alameida says strategic changes are needed across all organisations – including private equity firms and tech vendors – to better understand the level of third-party risk. Firms need these changes to improve their chances of “preventing or at least quickly detecting and containing incidents”, he says.
Though cybersecurity is already a high priority for watchdogs, increased oversight can be expected in the years to come. “Regulators are taking more active interest in how organisations address cyber risk, including responding to these high-profile incidents”, says Alameida. “Boards are responding to that regulatory pressure – we can expect greater scrutiny in recognition of the rapidly evolving cyber-threat landscape.”
Researcher Cybersecurity Ventures estimates that cyber crime costs will grow year-on-year by 15%, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. Meanwhile, global spending on cyber security will continue to rise. Research firm Gartner predicts it will hit $150 billion this year – a 12.4% increase on 2020.
It often comes back to fundamentals, however. Sometimes, at a fund manager with the best systems in place, all it takes is one person to click on an email link and unleash a virus.
© 2021 funds europe