We encourage you to engage in a structured dialogue with your investment managers, consultants, custodians, and anyone else who works with your funds. Encourage them to touch on the six most common aspects of information technology security:
- Network security
- Application security
- Endpoint security
- Data and database security
- Cloud security
- Identity management
These areas encompass the overwhelming majority of cybersecurity issues and should be raised with all your providers.
As a fiduciary, you should be asking your advisors to ensure they are doing everything they can to keep your organization's data and assets safe. Consider these questions:
What have you done to ensure business continuity?
Vanguard has data centers that run 24/7 year-round in three locations. The centers operate autonomously from each other. If one were to go down as a result of either a natural or man-made disaster, the others would take up the slack and are designed to keep our operations running.
How do you characterize the threat landscape?
Vanguard classifies attacks as high-rated (or critical), medium-rated, and low-rated. We actively mitigate over 1 million critical attacks per month, and many more medium- and low-rated attacks Threats come both from outsiders and from inside the enterprise, so firms must devote as much attention to mitigating internal threats as they do to external ones. The attacks are constant and always evolving. The bad actors develop new threats, the good actors counter them, and on and on.
How do you identify and classify the attackers?
Attacks come from around the world, from well-organized and well-funded nation-states, professional cyber criminals, and amateur hackers. Over the past decade, hacking technology that was formerly available only to deep-pocketed players such as nation-states is now broadly available.
The person or group always has a motivation and most often it is money. They may want to steal money or to steal information to sell for money.
Hackers who work for free tend to be those who wish to make a name for themselves in the hacker community or "hacktivists" who are motivated by global events, such as the BP oil spill.
Who do you work with on cybersecurity issues?
Many investment managers work extensively with government agencies, such as the FBI. In addition, they share information with other financial institutions who confront the same bad actors. The mantra is to coordinate, communicate, and collaborate. For example, Vanguard works with other financial institutions, such as Fidelity, BlackRock, HSBC, and others, to share information about emerging cyber threats.
It is common practice to hire outside firms (so-called "white hats") to attack investment manager systems and find vulnerabilities. In addition, firms complement these efforts with internal "red teams" who constantly search for new vulnerabilities.
What types of attacks do hackers attempt on your firm?
Broadly speaking, hackers attempt to penetrate firms through their servers (direct threats) or through devices and users connected to a firm's network (indirect threats).
Can you discuss the types of direct threats you receive and how you address them?
Many firms categorize three overarching types of direct threats:
- Network-based attacks
- Application-based attacks
- Out-of-band attacks that go after domain name systems, email systems, or other services that support the business
In terms of network-based attacks, most firms continually monitor their systems for unauthorized changes in network configuration. Vanguard gets millions of daily "reconnaissance attacks," where bad actors are trying to gauge the topography of our network. The next step is for them to try to find vulnerabilities. We monitor where the attacks originate. We try to identify the zones they are targeting: Are they going after the web servers, or are they trying to penetrate deeper?
Most managers evaluate third-party software before installing it and continuously check for malware. For example, Vanguard reviews source code in its native form to ensure we know what we are getting. If we don't see code in its native form, we have no way of knowing whether it contains malware.
We separate data that is stored from the applications that use the data. We don't back up the operating system, just the data. Then, we restore the client data and it must be reconstructed in the database. We don't restore applications but only restore data and the data is validated as it is imported back. We separate data that is stored from applications, to minimize the risk of malware.
What kind of indirect threats do your managers protect against?
Most investment managers have spent large sums to harden their environments, so increasingly bad actors go after end users, particularly as many have transitioned to working from home. This means end-point protection is more important than ever. Many firms have even adopted a "zero-trust" philosophy, which means any communication to a user is presumed to be from a bad actor until and unless proven otherwise.
If the investment manager makes the assumption that most household networks have weak security, how can they protect the information on a firm-issued computer? Most have chosen to continually monitor activity on employee computers and to employ lots of security software.
Increasingly, managers have instituted multi-factor authentication to enable both employees and clients to login. This requires users to have two of three factors (sometimes all three) to enable log-ins: either something you have (key fob or cell phone), something you know (password), or something you are (biometrics). Many also use geo-referencing to get some assurance that the device trying to log in is where it is supposed to be.
Many firms require anyone trying to connect to their virtual private network to have a certificate installed on their system. That certificate is bound to the firm, the device, and the user's credentials. All three must check out.
Are there other indirect threats of which we should be aware?
With many of us working at home, bad actors are going after end users as never before. Every year Verizon publishes a Data Breach Investigations Report, which is as close to an authoritative measure as exists in the cybersecurity industry.1 The number of confirmed data breaches increased by over 260% from pre-pandemic levels.
The use of third-party conferencing applications has exploded during the pandemic. However, the level of native security (encryption, for example) is not uniform across vendors and presents a real source of vulnerability.
The level of phishing attacks has skyrocketed and these attacks have grown in sophistication. Many users want to read about new COVID-19 vaccine efforts, anti-vaccine efforts, mask mandates, and the like, which have all become fertile ground for phishing.
Information security grows in importance every day. Cybersecurity breaches can cost nonprofits millions of dollars to repair and can also generate significant reputational harm. That's why we suggest you discuss your concerns with all your investment providers.