Cybersecurity: how instos are defending themselves

Cyberware attack threats with names like ‘Meltdown’ and ‘Spectre’ sound like they belong in a James Bond movie. The reality is not so far off and Asia's largest asset owners are having to devise strategies to handle this latest threat to their security.

Meltdown and Spectre are two types of cyberware attacks recently detected on computers around the world, courtesy of a weakness in the very processing chips they use to operate.

Technology experts and asset owners are still weighing the implications of such cybersecurity threats. For example, Peter Costello, chairman of Australia’s A$120 billion ($96.17 billion) Future Fund, made clear earlier this year he saw cyber attacks as a "very major threat".

New Zealand Super Fund’s outgoing CEO Adrian Orr described cybersecurity as the number one risk facing the fund. Given the limited number of trained cybersecurity personnel available, his concern makes sense. Yet while cybersecurity is a hot topic among sovereign funds and pension funds in Asia Pacific, many institutions and custodian banks are uncomfortable talking about it.

Surprisingly few of the institutions AsianInvestor approached for this article were willing to put forward a representative to discuss this issue. Some were just being security conscious, but others may well know they have not sufficiently addressed this issue internally. This reticence needs to change, if asset owners in are to fully address real online dangers.

RISK OR REALITY?

To tackle cybersecurity, asset owners need to first understand the scale of the problem. That can be intimidating.

Stephen Watt is dean of the faculty of mathematics at the University of Waterloo in Ontario, Canada. He explained a few of the challenges facing organisations: “Online malicious attacks and botnets have become increasingly sophisticated and targeted as people share more and more personal data online.”

One of the most common forms of hacking involves data manipulation and the risk of lockdown, leading to blackmail and ransom demands. But cyber attacks can take many forms, including disinformation, disruption of infrastructure and pure data theft. Hackers don’t merely break in and steal assets; they often manipulate a system to corrupt an institution’s information flows.

The good news is that researchers are working on solutions beyond today’s cybersecurity infrastructure, encryption systems and computing capabilities. Specifically, they are focusing on post-quantum cryptography, a blend of pure mathematics and computer science producing a data encryption so strong even quantum computers cannot crack it.

That would be a step up from the most popular public-key algorithms available, which can be efficiently broken by a sufficiently large hypothetical quantum computer.

GETTING INSIDE HACKERS' HEADS

Across the world, financial institutions are marshaling their responses to cybersecurity concerns.

Royal Bank of Canada has taken the issue sufficiently seriously to fund a new cybersecurity lab at the University of Waterloo. It has invested C$1.78 million ($1.43 million) into research to develop advanced cybersecurity and privacy tools.

The biggest risk for many funds is that they are unaware they have been penetrated. To minimise this danger, organisations need to build strong digital ramparts, and then constantly monitor and upgrade them.

NZ Super’s head of IT, Greg McHugh told AsianInvestor the fund’s main concerns revolve around any system that moves money. It works with third party service providers, including global custodian Northern Trust, to refine systems.

Effectively buttressing IT defences involves psychology. It is necessary to get inside the head of the hacker, said McHugh.

“You have to consider: why would someone try and breach us, to lock us down and hold us to ransom? There is also the potential for these hackers to manipulate our workflow or business flow so they could then manipulate any transactions that are moving money around.”

The sovereign wealth fund’s in-house team works with its custodians to assess such risks, he noted.

Few other institutional investors are as public or vocal about their willingness to address cybersecurity. A spokesman for Japan’s $1.3 trillion Government Pension Investment Fund (GPIF) would only say its over-arching environmental, social and governance (ESG) philosophy encompasses cybersecurity.

“We entrust asset managers with considering the materiality of ESG issues, as mentioned in ‘Stewardship Activities’ (on the fund’s website),” he said.

However, the fund’s published Stewardship Principles do not address cybersecurity at all. The spokesman declined to elaborate on his comments.

China Investment Corporation was more forthcoming. The $750 billion Chinese sovereign fund’s spokesman declined to offer detailed comment on its concern about cybersecurity risks, but pointed out that under the fund’s ‘investment supporting functions’, CIC has an internal IT committee working as part of its strategic plan to 2021. Part of this involves a twice-yearly risk evaluation report that includes an assessment of possible cyber threats.

CIC has also just built a remote backup data centre, the second of its kind after the existing one at the fund’s headquarters in Beijing. This is directly related to the sovereign wealth fund’s desire to prepare against external attack, said the spokesman.

TESTING, TESTING

CIC’s approach mirrors that of other sovereign funds, such as NZ Super.

McHugh believes there are many practical things funds and their custodians can do to protect against cyber-attack. “We work closely here in New Zealand with the National Cybersecurity Centre. We have a quarterly briefing from them and what they are seeing. We share information with our suppliers. Northern Trust are good at giving us cyber updates and potential market disruptions.”

Major institutional investors such as CIC, the Future Fund, NZ Super, Canada Pension Plan Investment Board, Singapore’s GIC, Malaysia’s Kwap and Adia in Abu Dhabi are understood to discuss the issue of cybersecurity amongst themselves in some detail. CPPIB in particular is seen as a leader in the conversation among these investors, but a spokesman for the fund declined to answer questions about its approach to cybersecurity. 

“We have a network of other sovereign funds to discuss about cybersecurity,” noted NZ Super’s McHugh. “There’s a great desire, amongst all these institutions, to protect the financial industry. No one is holding back on their own proprietary expertise; there is a sharing of information. We swap notes on phishing attacks, dictionary attacks, that sort of thing. It’s a team effort.”

McHugh says it’s a constant struggle to keep ahead of the hackers when technology is changing so fast.

“What everyone has seen, particularly over the last three years, is that the cost of launching one of these attacks has gone down significantly, which means the attackers are able to launch them more broadly. So you are seeing more attacks—not necessarily more sophisticated but you are getting more of them,” he said.

The next front of this ongoing digital war could focus on the growing use of cloud-based technology.

“When you’ve got a lot of third parties providing services through the cloud, you’ve got less confidence about where your data is stored and what kind of access rights to give them, and how far do they push into our networks,” noted McHugh.

“[The cloud is] a fantastic resource, and it enables good functionality to be delivered easily to fund managers. But the other side of that is making sure that you’re not exposing yourself to any undue risk.”

In a time of changing technology and Bond-sounding cyber threats, asset owners need to face two realities: they are ripe targets, and they cannot be complacent.