Data Sabatoge Might Be the New Cyberattack

An asset manager’s doomsday scenario.

2016-11-angelo-calvello-col-cyberattacks-large.jpg

What phone call would Ray Dalio, Larry Fink, or Steve Schwarzman never want to get?

The one, ringing late at night from a panicked underling, informing him that he’s been hacked.

I’m not referring to “common” cyberattacks like denial of service, the electronic theft of data or money, or even hacks that might lock down a manager’s computers. All of these are certainly unsettling events, yet they represent a relatively antiquated perspective.

The hack I foretell isn’t the effort of a malicious actor to steal proprietary data. Instead, this hacker’s aim is to manipulate a manager’s digital information and systems — for many firms, the very core of their value proposition.

Data sabotage might sound surreal. It’s not: Intelligence leaders consider it the next iteration of cyberattacks. No less an authority than James Clapper, director of national intelligence, made this clear to the Senate Armed Services Committee in February, stating, “Future cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity.”

These and other members of the intelligence community consider data manipulation a paramount concern because it disrupts the fundamental premise of our entire digital world — in the words of admiral Mike Rogers, National Security Agency director and head of U.S. Cyber Command, “that whatever we’re looking at, we can believe — whether it’s the balance in your personal account . . . or the transactions you make in the financial sector.”

Rogers recently gave a military example at a Defense Forum in California. “As a military commander, I’m used to the idea that I can walk into a darkened space with a lot of sensors coming together and look at a visual image that uses color, geography, and symbology and quickly assimilate what’s going on and make very tactical decisions,” he said. “But what happens if what I am looking at does not reflect reality [and] leads me to make decisions that exacerbate the problem I’m trying to deal with [or] make it worse?”

The analog for asset managers is that they trust the accuracy of what they see on their computer screens — trading instructions, position ledgers, performance reports, NAVs, customer balances, risk reports, and more. If their screens fail to reflect reality, they cannot make Rogers’s “tactical decisions” and, because the attack occurs stealthily over time, they cannot be sure of the veracity of historical information.

This is why such a cyberattack is asset managers’ doomsday scenario. It transcends the loss of their biggest clients, wholesale changes in personnel, or even adverse regulatory action. The affected manager would not only have to immediately cease operations, he would likely be compelled to shutter the business.

Allocators I spoke with unanimously confirmed the terminality of such an attack. The paralyzing nature of what the SEC would clearly view as a material event requiring disclosure, coupled with the ensuing loss of trust expressed through wholesale redemptions and the extirpation of all prospective investments, the certainty of multiple legal actions against the manager (especially for those handling 401(k) assets), and governmental scrutiny would force the manager out of business.

The consequences of a data manipulation attack would reverberate throughout the asset management industry. Asset allocators and investment consultants would immediately scrutinize every current and prospective manager’s cyber-integrity and –resilience. Distrust would become the norm. Managers, in turn, would engage in a wholesale review of their own systems. Regulators, governments, and watchdog groups would almost certainly use this attack to reevaluate current safety measures and explore new regulations that better protect institutional and retail investors — all in the name of quelling the subsequent widespread fear and restoring trust in the financial services industry and the financial markets themselves.

I venture to say that such an attack and the resulting cascade of actions is a certainty. If the NSA itself can be hacked — which it was this August — then asset management stands little chance of avoiding this fate.

However, the question of “why” remains. I posit two possible motives for a data manipulation attack on an asset manager.

The first is financial: The hack is used to extort payment (probably in a cryptocurrency) from the manager in exchange for restoring its data and systems to their proper condition (and not making public the sabotage). This is ransomware, the modern equivalent of a Mafioso shakedown.

The second is ideological: Some men simply want to watch the world burn. This is cyberterrorism. And what better target than the asset managers charged with safekeeping trillions of dollars of assets for the benefit of retirees, universities, foundations, insurance companies, and sovereign nations?

Related