Cyber Attackers Hit Bond Giant TCW, MetWest Funds

The $212 billion asset manager had to revert to backup systems but kept trading.

Downtown Los Angeles, California. (Patrick T. Fallon/Bloomberg)

Hackers have hit TCW Group, a major Los Angeles-based investment firm and the parent company for Metropolitan West Funds.

TCW salespeople contacted clients Thursday about the breach, an email obtained by Institutional Investor shows.

“I am writing to inform you that TCW is investigating and working to resolve a cybersecurity incident,” a Florida-based employee wrote. “As part of this investigation, we have engaged third-party cybersecurity experts and law enforcement to address the incident. We have implemented a series of containment and remediation measures to resolve this issue.”

Spokesperson Doug Morris declined to elaborate on the nature or timing of the attack, noting that it is actively under investigation.

TCW managed $212 billion as of the end of March. But custody banks house the actual accounts, meaning that hackers who breached TCW did not get access to investor money. Client data wasn’t stolen as far as TCW knows, according to the email.

The attack pushed the company to revert to some backup systems, sources said. But TCW was able to “maintain critical business activity without interruption, including trading and portfolio management,” according to Morris.

“It sounds like ransomware,” said cybersecurity expert Erich Kron, who reviewed TCW’s client email at II’s request Thursday. “They’re talking about a disruption and redundant systems. But there’s really no telling without more information.”

“This email — it’s very vague. ‘Something-something happened,’” he went on. “I can’t fault them for it: they let people know, which is fantastic. A lot of companies don’t do that. Hopefully they will continue to share information once they learn more about what’s going on.”

Ransomware typically gets into systems when users fall for email phishing schemes — downloading a malicious attachment or clicking on a link. Remote desktop protocols are another popular avenue for attack, said Kron. He works at KnowBe4, which provides cybersecurity training products.

Hackers then encrypt critical data and demand payment for the key to unlock it. That’s when companies move to their backups. When those systems don’t work, which is common, “sometimes companies do pay the ransom,” Kron said. “Fortunately, in this case, it looks like their systems are continuing to work.”

He had prosaic advice for TCW’s many clients who now know that something happened, but not what. “If an account or company that you do business with has an incident like this, it never hurts to change your password. Keep an eye on future communications from the company, in case your data is breached.”

For companies like TCW, the reality is that cyberattacks are “not a question of ‘if’ but when and how bad it’s going to be,” Kron said. “It’s horrible. As if we don’t have enough going on with a global pandemic.”