In late June, BAE Systems revealed that it had stopped an ongoing cybercrime whereby cybercriminals had installed a malicious computer program on the servers of a large hedge fund, crippling its high-speed trading strategy and sending information about its trades to unknown offsite computers.
While BAE Systems’ claims were later revealed by the Department of Homeland Security to have been a hoax intended to drum up business (the executive who made the claims in a televised interview is apparently “taking some time away from the business”), the scenario contemplated and the threats it represents highlight the evolving sophistication of cybercriminals over the past few years. Consider also that financial firms aren’t eager to publicize, particularly to the general media, that they have been victimized by cybercrime, because of the loss of investor and client confidence, litigation risk, and reputational damage that follow, even when the disclosure comes through a third party like BAE Systems.
The primary threats that cyber attackers pose, and have posed for a number of years, have been identity theft and/or system disruption. Identity theft typically involves breaching or intercepting systems that contain or receive sensitive data which the attacker could then use to access funds or more sensitive information. A system disruption might be used to create the security breach that enables such information to be compromised or, alternatively, simply to damage the network or organization. The common thread in both of these threats is that the attack occurs at a time proximate to the breach or attempted breach.
The “Advanced Persistent Threat” or “APT” is a term used to describe a newer, more pernicious threat wherein an unauthorized person gains access to a network and stays there undetected for a long period of time. Once inside the network, the attacker infects a number of the target’s systems and hijacks one of the target’s servers to act as its “command and control” server, feeding information back to the cybercriminal for further analysis. Through gathering this information, the cybercriminal is able to further explore the system’s vulnerabilities and penetrate with additional malware customized to the target’s processes. The goal of the cybercriminal is not to disrupt the systems of the organization; in fact, they are very interested in keeping them up and running, perhaps even protecting the organization from other security breaches. The goal of the cybercriminal in this case is to remain undetected within the organization’s systems for an extended period of time so that it can continue to benefit from the information it is gathering. Lastly, once an APT is detected, it may not simply be enough to remediate the issue on the identified and impacted server or network component, as the APT may have entrenched itself in multiple components of the target’s systems and will simply alter its activities as necessary to continue to operate within the network. Such a threat is a threat to the business processes of any organization and should be of grave concern to any financial services organization. So, instead of the criminal breaking into your house to vandalize or steal your valuables and then endeavoring to leave unnoticed, the criminal is now taking up residence in your house, observing your daily activities and choosing his opportunities to take advantage of you when your routines expose you.
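The defining feature of the APT described above is that it is quiet and long-lived: a compromised host talks to its command-and-control server in small, regular exchanges over weeks or months rather than in one noisy burst. One practical way a defender surfaces that pattern is to look for outbound connections whose timing and size are far more regular than human activity. The script below is an added example, not code from the original post or from BAE Systems; the log format, hosts, addresses and thresholds are all constructed for illustration, and it scores each (source, destination) pair by the coefficient of variation of its connection intervals and byte counts.

```python
"""Added example (not from the original post): flag long-lived, regularly
timed outbound connections of the kind an APT command-and-control channel
produces, using a few constructed proxy/firewall log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic): "timestamp src dst bytes_out".
# 10.1.2.15 checks in every ~5 minutes with a near-constant payload (beacon-like);
# 10.1.2.22 is bursty, irregular browsing.
SAMPLE_LOG = """\
2014-07-01T09:00:00 10.1.2.15 203.0.113.7 512
2014-07-01T09:05:01 10.1.2.15 203.0.113.7 508
2014-07-01T09:10:00 10.1.2.15 203.0.113.7 515
2014-07-01T09:15:02 10.1.2.15 203.0.113.7 510
2014-07-01T09:20:00 10.1.2.15 203.0.113.7 512
2014-07-01T09:25:01 10.1.2.15 203.0.113.7 509
2014-07-01T09:01:13 10.1.2.22 198.51.100.9 80213
2014-07-01T09:31:40 10.1.2.22 198.51.100.9 1204
2014-07-01T09:47:05 10.1.2.22 198.51.100.9 3987
2014-07-01T10:12:55 10.1.2.22 198.51.100.9 56301
2014-07-01T10:14:02 10.1.2.22 198.51.100.9 922
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes_out) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def beacon_score(events, min_connections=5, max_interval_cv=0.10, max_bytes_cv=0.10):
    """Group events by (src, dst) and score the regularity of timing and size.

    A low coefficient of variation (stdev / mean) for both the gap between
    connections and the bytes sent is characteristic of automated check-ins;
    human browsing is bursty and variable in size. Pairs with fewer than
    min_connections are skipped because the statistics would be meaningless.
    Returns a dict keyed by (src, dst) with the statistics and a 'suspicious' flag.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))
    results = {}
    for pair, items in by_pair.items():
        items.sort()
        if len(items) < min_connections:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        sizes = [n for _, n in items]
        interval_cv = pstdev(gaps) / mean(gaps) if mean(gaps) else float("inf")
        bytes_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else float("inf")
        results[pair] = {
            "connections": len(items),
            "mean_interval_s": mean(gaps),
            "interval_cv": interval_cv,
            "bytes_cv": bytes_cv,
            "suspicious": interval_cv <= max_interval_cv and bytes_cv <= max_bytes_cv,
        }
    return results


def suspicious_pairs(text):
    """Return the sorted (src, dst) pairs flagged as beacon-like in raw log text."""
    return sorted(p for p, r in beacon_score(parse_log(text)).items() if r["suspicious"])


if __name__ == "__main__":
    for pair, stats in beacon_score(parse_log(SAMPLE_LOG)).items():
        print(pair, stats)
```

In practice the thresholds are tuned against a baseline of the organization's own traffic, the time window is days or weeks rather than the half hour shown, and known-good destinations (patch servers, monitoring agents) are allowlisted first, since they beacon just as regularly as an implant does. The value of the check is precisely that it does not depend on knowing the attacker's infrastructure in advance.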
In the case of BAE Systems, the hedge fund was apparently sophisticated enough to program its own algorithms, deploy a proprietary OMS and use internal IT resources to identify improper file transfers. Perhaps enhancements to its information security program could have prevented the breach or enabled it to detect its vulnerabilities sooner. On the other hand, there is a limit to what an organization can and should do to protect itself from such risks. Any information security program must prioritize protections and responses for the greatest enterprise risks first, and even then, eliminating all vulnerabilities associated with those priorities might be too costly in terms of resources expended and the impact on other business operations. I often note in my presentations on cybersecurity that it is not a question of if you are going to be breached, it is merely a question of when. Nonetheless, organizations without the capabilities of BAE’s hedge fund client or, even more so, without a best practices approach to cybersecurity, may be exposed more frequently, for longer periods, and be slower to react to such breaches.
In a blog I wrote respecting cyber security a couple of months ago (Significant Developments in Cyber-Security and Their Impact on the Financial Services Industry), I concluded with a six-point, high-level outline for addressing cyber security threats within your organization. The first step was to assess the risks within your organization. Part of that assessment must include mapping the systems and processes within your organization that handle confidential and sensitive information. That assessment must cover not only internal systems and processes, but also the dependencies that your organization has on third party providers. Armed with that map (and, hopefully, an ongoing process for keeping it up to date), an organization should prioritize in accordance with its greatest risks and then ensure that it has the resources to tackle the task of building a program, filling any gaps in its capabilities, testing and monitoring the program and ensuring organizational buy-in. It is important to emphasize that the risks identified with regard to your third party providers will require a different approach, and there may be a natural tendency to focus more on what the organization has within its immediate control, irrespective of priority. That is a mistake.
By way of example, the vast majority of advisers, brokers and funds deploy third party order management systems (OMSs) to access a myriad of trading venues, as the basic business of trading venue connectivity and reconciling FIX messaging can often be an inefficient use of resources. What if, however, the cyber criminals that attacked BAE’s client had instead infiltrated the systems of its third party OMS provider? Perhaps the OMS provider had a large number of investment adviser, hedge fund or broker clients and, over a series of months, the attackers found ways to trade ahead of those clients, but not so much that any of them noticed. How would IT personnel within each of those clients gain the requisite visibility to determine that something was going on? Moreover, how would the broker dealer, investment adviser or fund know whether their provider had adequate security measures unless they were able to verify the efficacy of such measures on an ongoing basis? Many advisers, brokers and funds shy away from such questions because they assume that there is safety in numbers, that other clients will address these issues for them, or that they are not big enough to get any meaningful response. Worse still is the self-serving assumption that their third party provider will be properly motivated to incorporate all the necessary controls as part of the license fee the client already pays.
Years before I worked to deploy a best practices information security program in my role as a General Counsel for an exchange under the watchful eye of the SEC, I worked with a number of OMS providers on security issues, largely on a reactive basis. Back then, the terms “information security” and “cyber attack” were not standard terms in everyone’s lexicon and our response was to fix the “bug.” In one instance, an employee of a customer who had administrative access to their licensed OMS discovered the ability to view the trades of a number of other customers by logging in as a “Super User.” By accident, the OMS provider had replicated a security access profile across all customers on the server that effectively treated all customers on that server as a separate office of the same company. I also discovered that “fix the bug” did not mean that there had been a comprehensive undertaking to assess whether other servers were similarly affected. Scattered SAS 70 requests from customers, not even specifically related to security, were seen as necessary evils, but our initial responses to such requests were “no one else is requesting that” or “this is how everyone does it,” and this usually sufficed to disarm the requester. And this point isn’t reserved just for OMS providers. Simply put, organizations cannot afford to be naïve about the threat to their organization and processes when it comes to their most sensitive information. Put another way, don’t wait for your assumptions to be dismantled by a breach to wake to the potential threats that cyber criminals pose to your organization.
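The “Super User” incident above is a tenant-isolation failure: an elevated role was checked, but the firm the login belonged to was not, so a profile shared across every customer on a server made all of them one company. The code below is an added example and is not the OMS provider’s code or any real product’s; the firm names, trades, server inventory and profile format are constructed. It shows the role-only check beside a hardened check that scopes every lookup to the caller’s own firm before any role is considered, and adds the audit the author notes was missing at the time: a sweep of every server for the same misconfiguration rather than a fix on the one where it was reported.

```python
"""Added example (not from the original post or any OMS vendor): the shared
"Super User" profile modelled as an authorization check, its hardened form,
and a fleet-wide audit for the same misconfiguration. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    firm: str   # the customer (tenant) this login belongs to
    role: str   # "trader", "admin" or "superuser"


@dataclass(frozen=True)
class Trade:
    trade_id: str
    firm: str   # owning customer
    owner: str  # trader who entered it
    symbol: str
    qty: int


# Constructed sample data: two unrelated customers hosted on the same server.
TRADES = [
    Trade("T1", "AlphaCap", "ann", "ACME", 1000),
    Trade("T2", "AlphaCap", "bob", "BETA", 250),
    Trade("T3", "BravoFund", "cat", "ACME", 500),
]


def visible_trades_vulnerable(user, trades):
    """Role-only check: a 'superuser' from ANY firm sees every trade on the server.

    This reproduces the replicated-profile bug: the role is trusted before the
    tenant boundary is applied, so the server behaves as one company.
    """
    if user.role == "superuser":
        return list(trades)
    if user.role == "admin":
        return [t for t in trades if t.firm == user.firm]
    return [t for t in trades if t.firm == user.firm and t.owner == user.name]


def visible_trades_hardened(user, trades):
    """Tenant boundary first, role second: elevated roles widen access only inside
    the caller's own firm, so no role can ever reach across customers."""
    own_firm = [t for t in trades if t.firm == user.firm]
    if user.role in ("admin", "superuser"):
        return own_firm
    return [t for t in own_firm if t.owner == user.name]


# Constructed server inventory: for each server, the scope each customer's
# superuser profile was provisioned with. "server" is the misconfiguration.
SERVER_PROFILES = {
    "oms-01": {"AlphaCap": "firm", "BravoFund": "server"},
    "oms-02": {"CharlieAdv": "firm"},
    "oms-03": {"DeltaLP": "server", "EchoCap": "server"},
}


def audit_superuser_scope(profiles):
    """Return every (server, firm) whose superuser profile is server-wide.

    This is the comprehensive check the post says "fix the bug" omitted: run
    across the whole fleet, not just the server where the customer complained.
    """
    findings = []
    for server, firms in profiles.items():
        for firm, scope in firms.items():
            if scope != "firm":
                findings.append((server, firm))
    return sorted(findings)


def crosses_tenant(user, trades):
    """True if any returned trade belongs to a firm other than the user's."""
    return any(t.firm != user.firm for t in trades)


if __name__ == "__main__":
    outsider = User("cat", "BravoFund", "superuser")
    print("vulnerable:", [t.trade_id for t in visible_trades_vulnerable(outsider, TRADES)])
    print("hardened:  ", [t.trade_id for t in visible_trades_hardened(outsider, TRADES)])
    print("audit:     ", audit_superuser_scope(SERVER_PROFILES))
```

The hardened function makes the tenant filter unconditional rather than something a role can bypass, which is the property a customer’s SAS 70 (or today, SOC 2) request is really asking the provider to demonstrate. The audit function is deliberately boring: the lesson from the incident is not the fix on one server but that the same question was never asked of the others.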
Organizations need to rethink the way they approach vendor risk management in light of today’s cybersecurity threats. Simply hiring a contract lawyer to incorporate security clauses into your contract (although I don’t want to minimize the importance of that) may not sufficiently address the risk to your organization. If your or your clients’ confidential or sensitive information is being processed by a third party provider, your lawyer must either be sophisticated in assessing the information security processes and procedures that your vendor employs or be working alongside a technology adviser who can perform such an assessment. Further, having liability provisions built into your contract is meaningless (at least in the context of a breach with significant ramifications for your business) if your provider does not have the ability to absorb such a cost. This touches on a related point, which I will cover in a future blog, respecting the need to consider requiring insurance for information security breaches for your vendor (and for your own organization as well, for that matter).
Ultimately, what is required is that your organization exercise the requisite due diligence with the third party providers handling its confidential or sensitive information and develop a fuller understanding of each provider’s information security practices and how those practices tie into your own. This means an initial technology risk assessment and an ongoing process for monitoring such risk on a periodic (presumably annual) basis.
Lastly, make sure that you have an understanding with your vendor respecting what they must do in the event of the inevitable breach. This should flow from your organization’s own obligations in the event of such a breach, whether under contract, law or your own policies and procedures, and particularly under state law if third party personally identifiable information (PII) is involved. If PII is involved, the last thing you want to be dealing with following a breach is your vendor’s inadequate or non-existent forensic analysis while the clock is ticking on a legally mandated notification that will have significant ramifications for your client base, your reputation and your ability to manage the breach, never mind the litigation risk involved.
The growing sophistication of cyber criminals presents increasing risks to the financial services industry. The vast majority of financial services organizations will experience one or more cyber security breaches during their existence, and many of those breaches will initially go undetected. Organizations must continue to adapt to the risks of this ever-evolving menace, and we all need to become more literate in the risks presented, as well as the methods for prevention and response.