The criminals watched with unusual patience.
When the managers walked through the office doors each morning, the criminals were watching. When the interns left for lunch, they were watching. When the CEO came and went with his small army of advisers, they were watching. And when the criminals noticed that employees often ordered dinner from the same lowbrow Chinese delivery restaurant, they struck.
Up to that point the criminals had been unable to penetrate the firms systems, which were relatively well built to withstand a ransomware or other cyberattack. The Chinese restaurants website was another matter. Built for pennies, it was basically a contact page with a PDF menu. For the hackers it was an obvious Trojan horse, admitted by any hungry employee needing to download the menu.
This tale of a watering hole attack, and many others, were detailed by former FBI agent David Chaves at a mid-May hedge fund conference in Austin, Texas. Chaves had been involved with insider trading and financial cybercrime investigations before retiring; he had been invited to the event to regale and inform Texass hedge fund elite on both topics.
His PowerPoint slides detailed the sordid particulars of past cases photos of the stripper girlfriend of David Pajcin, an exGoldman Sachs trader caught stealing copies of BusinessWeek magazine before they hit newsstands, for example. Chavess message was clear: Be hyperaware of danger, because youre where the money is.
He had excellent timing. Days before, starting on May 12, the WannaCry virus had rattled the world or, more accurately, more than 300,000 computers in 150 countries. Indiscriminately locking down computers for ransom, the virus took advantage of a basic flaw in Microsoft Windows, the operating system likely used by most of the audiences hedge fund founders and employees. Yet few in the crowd seemed concerned; they focused on the stripper, not the ransomware.
For a group obsessed with risk, the disinterest was striking. According to Chaves, just 0.04 percent of traders will deal in insider information. Statistics on hedge fund hacks are hard to come by, but few observers would argue that only 0.04 percent of traders computers are under assault from malware or data theft attempts.
Angelo Calvello, industry gadfly and Institutional Investor columnist, attended the event. After Chavess talk, Calvello scoffed when asked if his fellow audience members were taking cyberrisk seriously. Of course theyre not, he answered.
Research supports Calvellos dismissive attitude. According to a recent warning from the baroquely named Securities and Exchange Commission Office of Compliance Inspections and Examinations, 57 percent of investment managers do not conduct penetration tests or vulnerability scans on their most essential systems. And although only 4 percent of asset managers had a significant number of critical and high-risk security patches that were missing important updates, thats still one in 25 with exposure to viruses like WannaCry.
The apathetic Texas crowd had been warned of the potential consequences well before Chavess speech. Calvello himself wrote a column on the subject for II last November. What phone call would Ray Dalio, Larry Fink, or Steve Schwarzman never want to get? he wrote. The one, ringing late at night from a panicked underling, informing him that hed been hacked. Calling this the doomsday scenario, Calvello envisioned a breach that went beyond ransomware one that corrupted the most fundamental algorithms underlying these firms business. The affected manager would not only have to immediately cease operations, he wrote. He would likely be compelled to shutter the business.
Yet the audience in Austin remained unmoved. The problem, Calvello believes, is cultural.
If you still believe men and women are here to pick stocks, you dont think about technology as a big risk, he explains. Only a true quant firm one that uses some type of AI, not one still using Excel is likely to think of it that way. The National Security Agency itself was hacked. The weaknesses WannaCry exploits reportedly were stolen from the NSA, which means any firm in our business can be hacked. Well, maybe Two Sigma or Bridgewater cant be breached.
Except, of course, Bridgewater or at least one of its vendors had been breached. The firm announced in 2013 that, although it did not compromise Bridgewaters proprietary investment systems, a third-party breach had allowed access to former employees personal information. And if Bridgewater or Two Sigma, which has more people working on security than most hedge funds employ in total cant guarantee their own safety, what hope is there for the smaller funds that attended the Austin conference?
Chaves, perhaps inadvertently, got at least part of the answer from the group assembled in the JW Marriott ballroom. State-owned cell towers in some countries thats a danger, he warned. Even hotel Wi-Fi or bugged hotel rooms thats a danger. Yet none of the attendees, almost all of whom were using the hotels wireless because of a poor cellular signal, moved to disconnect.
Kip McDaniel is the Editorial Director and Chief Content Officer of Institutional Investor.