In March, we were warned.
Just as the reality of the Covid-19 pandemic was setting in for many Americans, the Treasury Department’s Financial Crimes Enforcement Network issued an admonition advising “financial institutions to remain alert about malicious or fraudulent transactions similar to those that occur in the wake of natural disasters.”
That was March 16. The same day, Bloomberg reported that cyberattackers had hit the U.S. Department of Health and Human Services and overloaded its servers.
The asset management industry is being targeted too.
“Since the pandemic started, we’ve seen a significant increase in cyberattacks,” says Thomas Holly, asset and wealth management leader at PwC, by phone.
In the beginning, firms were clambering just to get employees online.
For some, that meant simply getting reacquainted with their firm’s VPN, or virtual private network. But for others, according to Danielle Tierney, senior adviser at Greenwich Associates, the process was more intensive.
Tierney says that “power users” — traders, supervisors, heads of compliance — need more than just laptops to do their job. Setting up monitors and servers at home was “the source of the most scrambling” for the companies she works with.
“You had to mobilize to just get yourself connected, and then the bad actors descended,” Holly says. “They saw the firms dislocating. Those bad actors began to intensify.”
When the pandemic began, companies hesitated to update software with the same regularity, according to Bart McDonough, founder of cybersecurity and managed IT firm Agio. “There was a concern about breaking things,” he says.
But this left some organizations open to cyberattacks. Software updates often fill in gaps in a security system. When they’re not filled in a timely manner, hackers see opportunity. “At some point, that lack of change is exposing some vulnerabilities,” McDonough says.
And investment firms can be especially vulnerable. According to Tierney, there are two types of data at risk for money managers. The first: customer information like Social Security numbers, investments, or account details. The second, she says, is a firm's proprietary investment data. In other words, the special sauce that a manager uses to make money.
Hackers have been specifically targeting institutional investors for years.
Since September 2019, attackers have successfully hit executives at Angeles Investment Advisors, Vontobel Asset Management, the Kansas University endowment, Community Foundation of Texas, hedge fund Arena Investors, and financial public relations firm Hewes Communications with similar phishing schemes, Institutional Investor previously reported.
“The most common thing that we’re seeing is phishing,” Holly says of pandemic-era breaches. “Phishing allows access into these systems, creates fraud and the opportunity to drop malware, and then bad actors can gain personal or investor information.”
The attacks against some industry executives prior to the pandemic involved hackers taking over an executive’s email account, then using it to send viruses to their contacts.
Now fraudsters create fake email addresses that appear to be from a company’s human resources department. Then they send an email with a subject line like “COVID-19 Updates.” This is called spoofing.
As Covid-19 “has us all on pins and needles,” as McDonough puts it, some are more likely to click on links in emails without verifying the sender’s email address. The fraudster then distributes malware, which can infect an entire company’s computer system.
Both types of attacks, according to McDonough, are easier to defend against in an office. He calls it “community defense.” If a whole company gets a phishing email like this, workers in the same room often warn each other about the email.
“You have less of that now,” McDonough says.
These attacks have real consequences for money managers.
Last year, investment managers mistakenly wired money to fraudsters at least five times that McDonough’s firm knows of. Although he has yet to see an uptick in this particular activity during the pandemic, he says “the environment is ripe for it now.”
“It’s one thing to get a bunch of malware,” McDonough says. “It’s another thing to wire hundreds of thousands to bad actors.” He suggests that asset management firms make small wire transfers first, just to verify the receiver’s identity.
“I think it’s really important for these asset management firms to be extra vigilant around the usage of their own wire transfer policies,” McDonough says. “Make sure you’re verifying things by phone, and not just the amount being transferred, but also the account numbers.”
Video calls, too, pose a threat. PwC’s Holly says he has seen security breaches in video calls with some of his clients. And others, even outside the investment management industry, report falling victim to “Zoom bombing,” in which outsiders gain access to a Zoom call, then use the chat function and screen sharing to post offensive content. Those who are Zoom bombed often experience the phenomenon repeatedly, which in turn makes it difficult to meet online.
“The stuff with Zoom is pretty tragic,” McDonough says. “I’m highly against firms using it right now for a variety of reasons, but we have had a couple of clients report being interrupted by Zoom bombing.”
Holly says firms have started to reassess their software providers as they begin to work out security vulnerabilities like this. But they can’t solve for every potential threat.
“Firms can provide employees with all of the tools they need to do their jobs securely, but they can’t account for other risk factors that come from working from home,” Tierney says.
McDonough agrees. “If your only defense is, ‘I'm going to teach my users what not to click on,’ you’re setting yourself up for disaster,” he says.
Holly says he views the move to work from home as an expansion of a “perimeter” to protect. Prior to the pandemic, the perimeter surrounded the office buildings. Now that so many are working from home, that perimeter has expanded, which means that a cybersecurity program has more to protect.
According to McDonough, work devices have now become “home devices,” which children may use to complete schoolwork or play games. This, too, increases that perimeter.
“There is a greater threat surface area for firms now because they have these devices being accessed 24/7 by not only the employees, but also their employees’ families,” McDonough says.
Companies have made it over the initial hurdle of getting their employees online. And despite spiking, cybersecurity breaches have been low relative to the risk level, according to Tierney.
Holly adds that although investment firms are under pressure to cut costs, cybersecurity is one area where they’re still spending money.
“This is one of those things where overkill is good,” Tierney says.