The criminals watched with unusual patience.
When the managers walked through the office doors each
morning, the criminals were watching. When the interns left for
lunch, they were watching. When the CEO came and went with his
small army of advisers, they were watching. And when the
criminals noticed that employees often ordered dinner from the
same lowbrow Chinese delivery restaurant, they struck.
Up to that point the criminals had been unable to penetrate
the firm's systems, which were relatively well built to
withstand a ransomware or other cyberattack. The Chinese
restaurant's website was another matter. Built for
pennies, it was basically a contact page with a PDF menu. For
the hackers it was an obvious Trojan horse, admitted by any
hungry employee needing to download the menu.
This tale of a watering hole
attack, and many others, were detailed by former FBI agent
David Chaves at a mid-May hedge fund conference in Austin,
Texas. Chaves had been involved with insider trading and
financial cybercrime investigations before retiring; he had
been invited to the event to regale and inform Texas's
hedge fund elite on both topics.
His PowerPoint slides detailed the sordid particulars of
past cases: photos of the stripper girlfriend of David Pajcin, an
ex-Goldman Sachs trader caught stealing copies of
BusinessWeek magazine before they hit newsstands, for
example. Chaves's message was clear: Be hyperaware of
danger, because you're where the money is.
He had excellent timing. Days before, starting on May 12,
the WannaCry virus had rattled the world, or, more
accurately, more than 300,000 computers in 150 countries.
Indiscriminately locking down computers for ransom, the virus
took advantage of a basic flaw in Microsoft Windows, the
operating system likely used by most of the audience's
hedge fund founders and employees. Yet few in the crowd seemed
concerned; they focused on the stripper, not the
For a group obsessed with risk, the disinterest was
striking. According to Chaves, just 0.04 percent of traders
will deal in insider information. Statistics on hedge fund
hacks are hard to come by, but few observers would argue that
only 0.04 percent of traders' computers are under assault
from malware or data theft attempts.
Angelo Calvello, industry gadfly and Institutional
Investor columnist, attended the event. After
Chaves's talk, Calvello scoffed when asked if his fellow
audience members were taking cyberrisk seriously. "Of
course they're not," he answered.
Research supports Calvello's dismissive attitude.
According to a recent warning from the baroquely named
Securities and Exchange Commission Office of Compliance
Inspections and Examinations, 57 percent of investment managers
do not conduct penetration tests or vulnerability scans on
their most essential systems. And although only 4 percent of
asset managers had a significant number of critical and
high-risk security patches that were missing important
updates, that's still one in 25 with exposure to
viruses like WannaCry.
The apathetic Texas crowd had been warned of the potential
consequences well before Chaves's speech. Calvello himself
wrote a column on the subject for
II last November. "What phone call would Ray
Dalio, Larry Fink, or Steve Schwarzman never want to get?"
he wrote. The one, ringing late at night from a panicked
underling, informing him that he'd been hacked.
Calling this the doomsday scenario, Calvello envisioned a
breach that went beyond ransomware, one that corrupted
the most fundamental algorithms underlying these firms'
business. "The affected manager would not only have to
immediately cease operations," he wrote. He would
likely be compelled to shutter the business.
Yet the audience in Austin remained unmoved. The problem,
Calvello believes, is cultural.
"If you still believe men and women are here to pick
stocks, you don't think about technology as a big
risk," he explains. Only a true quant firm,
one that uses some type of AI, not one still using Excel,
is likely to think of it that way. The National Security Agency
itself was hacked. The weaknesses WannaCry exploits
reportedly were stolen from the NSA, which means any firm
in our business can be hacked. Well, maybe Two Sigma or
Bridgewater can't be breached.
Except, of course, Bridgewater, or at least one of
its vendors, had been breached. The firm announced in
2013 that, although it did not compromise Bridgewater's
proprietary investment systems, a third-party breach had
allowed access to former employees' personal information.
And if Bridgewater or Two Sigma, which has more people
working on security than most hedge funds employ in total,
can't guarantee their own safety, what hope is
there for the smaller funds that attended the Austin
Chaves, perhaps inadvertently, got at least part of the
answer from the group assembled in the JW Marriott ballroom.
"State-owned cell towers in some countries,
that's a danger," he warned. Even hotel Wi-Fi
or bugged hotel rooms, that's a danger. Yet
none of the attendees, almost all of whom were using the
hotel's wireless because of a poor cellular signal, moved
Kip McDaniel is the Editorial Director and Chief Content
Officer of Institutional Investor.