Could a cyberattack spark the next financial crisis?
Following the calamitous, widespread SolarWinds attacks in April, that’s exactly what the New York State Department of Financial Services (DFS) has suggested.
“This incident confirms that the next great financial crisis could come from a cyberattack,” superintendent of financial services Linda A. Lacewell said in a press release following the DFS’ investigation of New York’s financial services industry’s response to the supply-chain attack. “Seeing hackers get access to thousands of organizations in one stroke underscores that cyberattacks threaten not just individual companies but also the stability of the financial industry as a whole.”
We’re not talking about banks. As a whole, banking cybersecurity has been tight for a long time. Rather, the slice of the finance industry that experts lose sleep over is the asset management industry: all the private equity and hedge fund firms that control trillions of dollars of notional value. It’s an enormous part of the economy that’s all too often guarded by little more than duct tape and prayers.
“A large majority don’t even have dedicated cybersecurity staff,” lamented Bart McDonough, CEO and founder of Agio, a hybrid managed IT and cybersecurity services provider specializing in the financial services, healthcare and payments industries. “You’re talking about all these organizations that manage a tremendous amount of money that don’t have dedicated staff.”
McDonough has deep institutional investment knowledge, with more than 20 years of experience working in cybersecurity, business development and IT management within the hedge-fund industry. Last month, Agio announced that it had teamed up with Point72 – a firm that uses applied artificial intelligence (AI) in private-equity investments. After an 18-month collaboration, the company launched an AI-enabled service platform with new algorithms that use applied AI to help predict, find and fix issues faster, for less money and with less labor: Essential to finance industry players who don’t have the cybersecurity staff to do it on their own.
To hear McDonough’s thoughts on how AI can help the industry escape the next SolarWinds, read the lightly edited transcript of the podcast below.
Lightly Edited Transcript
Lisa Vaas: Welcome to the Threatpost podcast, Bart.
Bart McDonough: Hi, Lisa. My pleasure.
Lisa Vaas: Bart, if you don’t mind I wanted to start by having you give us an update on the financial industry and the cyber security strains it’s facing right now.
Bart McDonough: I think when people hear the term financial services, I think that the lay person thinks of banking, and they’re right to be concerned about cybersecurity at banks, but candidly, those organizations are really well-equipped to handle a lot of the cyber threats today. Where I’ve focused my career, and my firm focuses, is really on kind of the other side of financial services: the asset management industry. We work a lot with hedge funds and private equity firms, and there’s literally trillions of dollars of notional value there that’s being exchanged, being managed in most of these organizations.
A large majority don’t even have dedicated cybersecurity staff. Which we’ll, we can certainly talk about the strain on cybersecurity staffing domestically and globally. But so you’re talking about all these organizations that manage a tremendous amount of money that don’t have dedicated staff.
And so I think that right there should be a wake-up call to the regulatory bodies, certainly to the industry about the risks that are facing these kind of other financial services.
Lisa Vaas: I’ll say it’s a wake-up call and actually yeah, that’s surprising. I tend to lump money all together into a bigger lump and of course it’s more than banking. I didn’t know that there was this aspect of the industry that is really behind the times with cybersecurity. But you said wake-up call, and that made me think of this recent European report that said that the next financial crisis could be cyber.
And that is a concern to all industries, especially private equity and mutual funds. And the report referred to the SolarWinds supply chain attacks as a wake-up call for all organizations. And private equity firms in particular. What’s that in particular all about? Is it because they’ve ignored these things for a while?
Bart McDonough: Yeah. You know, I think what’s so interesting about the SolarWinds attack and other kind of supply chain attacks is they really test the cybersecurity fundamentals of a firm because it’s not like you can just buy a piece of software and detect this. The best organizations in the world, the most sophisticated, didn’t detect this.
That’s what makes these so difficult, but the well-architected, the well-organized machines, companies really responded well to these kinds of attacks. And this goes back to my earlier comment, when a private equity firm doesn’t even have a single person dedicated to cybersecurity, or the person that has that, that kind of title is actually the chief compliance officer, doesn’t really have any domain experience.
They’re probably not doing the fundamentals. Well, they’ve probably done a few things to check the box to appease, maybe some diligence person or some kind of regulation, some compliance. And I’m going to say kind of a little C there for compliance. And so I think when we think about the next big wave of threat and the reason why I think that article and articles like that, that tied this back to the, the SolarWinds attack is because it really stresses the foundation of cybersecurity in these firms.
And so I think that’s where, you know, if the foundation is compromised, I think you can start seizing up funds. And we saw in the last financial crisis, what really happened there is whole sectors of the market frozen and it couldn’t move. And you know, it’s a flywheel effect. These things kind of work off each other.
And when one sector is frozen, it really impacts others. And so if you had a sector frozen by cyber, it could really cause an overall freezing of the entire city.
Lisa Vaas: I know Agio had a big announcement last month about introducing an AI-enabled service platform to bring new algorithms to the table, to use applied AI, to help with these issues, with people who don’t have a robust cybersecurity infrastructure now. What occurs to me is there are a large number of security platforms that incorporate artificial intelligence these days.
What made you believe that the financial world needed a new version instead of one such as SentinelOne or any of the other AI platforms?
Bart McDonough: You know, there’s great technology out there. Actually, I don’t think that solution is going to be on technology. That might sound odd coming from someone who just launched an AI platform around, you know, improving our ability to solve issues and minimize risk. What we’re trying to do is elevate the humans that we have, and we have really excellent cybersecurity professionals. As I had mentioned earlier, that’s a real drain on that market, right? There’s more jobs open than there are people to fill them.
And so how do we find leverage to use these great individuals that we have to really help our firms make risk-adjusted decisions? And if they are spending all their time trying to find the needle in the haystack and find these attacks, they’ve probably not been spending their time, really educating and working with our clients on making risk-based decisions. And so that’s why we created the platform we did is to really elevate our humans, if you will, and let the robots do what they do really well. And that’s to find anomalous data and find suspicious and malicious data and elevate that up to the individuals that they can handle it. But really we want our individuals working with our clients and making the risk-based decisions because threats are very asymmetric right now. Yet I think a lot of firms apply these very blanket, broad solutions, and we need to tailor and tweak our defenses to these asymmetric risks. And so that’s why we built it. We think there’s a lot of good technology out there. We built it on top of other good technology, that’s the short answer.
Lisa Vaas: What do you mean by asymmetric risks?
Bart McDonough: When we think about a risk profile, and it depends on the type of firm, if I was looking at a 200 person private equity firm, you know, I would take my cyber budget, my cyber activities, and disproportionately allocate it towards the remote workforce, those working with what we call unstructured data.
Those are things like Excel files and Word documents, as opposed to trying to put all of my eggs around the firewall. And so right now, what we’re seeing is a disproportionate amount of risks. Like in the 96, 97 percent [range] of successful breaches start with exploiting someone’s email. Yet, if you look at budgets and you look at activities, email receives about 20 to 25 percent of the budget.
I actually think you need to disproportionate that so that it mirrors the risk and maybe not one for one, cause these things evolve. But right now we see areas where they’re highly exploited, but are under-invested.
Lisa Vaas: So you’re talking about an AI-enabled platform that automatically knows that there’s more risk with email than is typically taken into account.
Bart McDonough: Yeah, we balanced that, that human insight, and that’s human, what we call just intelligence. And that’s the threat landscape and all of that. And we direct our technology to those areas that we deem greater risk. AI is not great at evaluating risk right now in the sense of macro AI cyber risks.
And so we think humans still use judgment better in those instances. So we then aim the AI at those areas, if that makes sense. And this is where there’s still such a good balance between human judgment and AI’s incredible precision and predictability.
Lisa Vaas: Now is your time to brag. What are these clients experiencing with an AI-enabled platform?
Bart McDonough: Overall the AI platform is more than just around cyber. What we’re really trying to do is improve the IT experience they’re having, or the experience that they’re having with their IT systems. If you think about the inverse of that, terrible experiences, whether that’s caused by a system going down because a machine crashed or because of a cyberattack. What we’re trying to do with our AI is really predict outage, predict blockage, predict needs, and then do that proactively behind the scenes. And so what we’re seeing is firms that used to spend, you know, kind of an hour per FTE [full-time equivalent employee] dealing with the IT department, you’re going down to 15 minutes to 10 minutes per month. And that’s giving them time back to do their job, right? No one comes to work, to deal with the IT department, as much fun as I think it is. That’s not why they go to work. They go to work to do their job. And so we want to reduce that time.
And if we can do that behind the scenes, by being proactive, then we think we win and they win.
Lisa Vaas: It sounds like this is really a solution for businesses that already have some kind of cybersecurity team protecting them. They just need more help, right?
Bart McDonough: Yeah. I mean, we have clients that are as small as five, seven people. And then we have clients that are 1,500 people, so it really scales extraordinarily well. And some of it, we do everything for a firm and sometimes we might just help them with their help desk or support their databases or something like that.
So it really scales across the school.
Lisa Vaas: Your press release talked about those clients, how they’re feeding into your network and how solving their problems feeds the greater industry good. I want to hear about some success stories. What are some of the issues that they faced and how has this platform helped them?
Bart McDonough: There’s a couple of cool stories, just recently. One of the things that we’ve discovered is in AI, that bias is a real problem, but we’ve kind of embraced a form of bias and it’s recency bias. So one of the things that’s happened is we started seeing some interactions with our clients that use Microsoft Teams on a new version of the iPhone.
And what that was able to detect was that this was a new problem that was showing up with increasing frequency. That kind of bubbled up to like, we think we have a more systemic problem here. We were able to proactively go out to our other thousands of clients and get ahead of this with them and solve this problem.
And that’s what we mean by this network effect. We’re able to start seeing it in, in slow amounts, but then learn from that and really help our clients at large. And then just the other day, there was a series of attacks that occurred on about five or six of our clients. And it was almost as if the bad actors were going door to door to a variety of clients.
We saw what was happening. And then we were able to get in front of it and put in some defensive measures for our other clients to prevent them from being impacted by that. And so those are just a couple of examples. We think, you know, that our ability to predict these problems and these issues is growing daily.
And so those stories are going to continue to grow as well.
Lisa Vaas: I like your stories. It sounds like crowdsourcing of issues you’re facing and their solutions as well. Excellent. Well I think we’re running up against our wall of time. I want to thank you so much Bart, for coming on. Is there anything else that you’d like to cover? Any takeaways you’d like to leave us with?
Bart McDonough: The last thing I would say is, you should be demanding a great experience. You shouldn’t be suffering from outage no matter what the cause. Don’t accept that. And then the last thing: We’re always publishing interesting stuff. You can find me at @bartmcd on Twitter or on LinkedIn. And then Agio on LinkedIn. We always publish some really good information.