The following article originally appeared in FundFire and was written by Mariana Lemann.
In this exclusive interview with FundFire, John Araneo, Managing Director, Align Cybersecurity, and General Counsel of Align, discusses recent data breaches and fundamental elements that are the sine qua non of an unimpeachable cybersecurity program.
State Street CEO Scolded by Pension Over Data Breaches
By Mariana Lemann August 8, 2018
State Street’s CEO Jay Hooley has been called to account by the Los Angeles County Employees Retirement Association (LACERA) for three data security incidents that have taken place since January.
LACERA CIO Jonathan Grabel raised the issue in an email to Hooley on July 27 demanding a comprehensive response from State Street, which has been the $56 billion pension’s custodian for more than five years.
“Since the beginning of 2018, … there have been a series of significant data security incidents that create concerns for the management team at LACERA as to the adequacy of State Street’s security processes,” Grabel wrote in the email.
The most recent incident, which LACERA considers serious, resulted in a fixed income investment manager not affiliated with the pension gaining unauthorized access to LACERA’s data through State Street’s client portal, according to meeting documents. A State Street employee received an access request from the fixed income manager and granted it, after which the firm was able to view the positions and trade activity of one of LACERA’s fixed income managers. The access was revoked on June 7, when the user contacted State Street.
State Street contacted LACERA’s CEO and CIO about the incident on July 2, 2018 (with a letter dated June 22, 2018), according to pension documents. The company also reminded employees about client information safeguards and user access request procedures and implemented a secondary review by a member of its management for user access requests.
Although LACERA found no evidence that the information has been misused, the data included sensitive trade information. Therefore, LACERA will ask State Street to notify the manager whose data was accessed to ensure that all parties involved are aware of the incident, according to the documents.
“It is notable that there have been three separate incidents since February originating from different departments within State Street,” Grabel writes in a report to the pension’s boards of investments and retirement dated July 30. In addition to the email to Hooley, Grabel informed the board that he would request an in-person meeting to directly address the security lapses.
The issues related to LACERA started in January, when an employee in State Street’s performance and analytics team sent LACERA’s performance data to a third-party consultant unaffiliated with LACERA. While the information is considered public, Grabel writes in the report, it should not have been disseminated. State Street notified LACERA of the incident on Feb. 16, 28 days after it happened, and requested that the information be deleted from the consultant’s network server. State Street also reported that it had enhanced its data transmission controls and procedures.
In March, a State Street employee on the client onboarding team sent a file of LACERA information intended for internal use, containing demand deposit account numbers and client contact information, to one external email address. LACERA was notified of the incident on May 10, 69 days after it occurred, but the firm’s response to the incident is still pending.
“Such incidents are unacceptable and raise a variety of concerns,” Grabel wrote in the email to Hooley. “State Street was extremely slow in reporting these matters to LACERA.” The quick succession of shortfalls, and the variety of areas in which they occurred, add to the cause for concern.
“The gravity associated with our fiduciary duty is of paramount importance to us. We expect the same standard of care from our global custodian…[A]re these incidents indicative of three random and unrelated events or are they representative of fundamental flaws in State Street’s data security or a declining risk management culture?” Grabel wrote.
Although the State Street team assigned to LACERA’s account worked to “mitigate relationship damages,” those efforts fell short of reassuring the pension that it was in safe hands.
Grabel also referenced charges against State Street’s portfolio solutions group of conspiracy, securities fraud and wire fraud, noting that, to date, four former executives have been charged with adding secret commissions to transition management clients.
The review of the relationship with State Street is part of LACERA’s fiduciary responsibility, Grabel wrote in an email to FundFire. “As a fiduciary, LACERA conducts active monitoring and diligence for all key vendors including State Street, the Fund’s custody bank. LACERA is working with State Street to better understand the background of these incidents, their data security systems, client communication protocols and service level commitment.”
State Street executives were not made available for a call, but the company provided a statement through a spokesman. “We take our role as a trusted provider extremely seriously. We continue to devote significant time and resources to improving the governance and controls of our information security processes. This is, and will continue to be, a top priority.”
However, State Street might have an uphill battle to mend fences with LACERA and others that might question the controls in place.
“When these incidents become public, and when they represent so many kinds of data compromises or alleged compromises, they become harder to respond to,” says Johnny Lee, principal and national practice leader of Grant Thornton’s Forensic Technology Service. “The fact that there was such a variety of control breakdowns makes it very hard to make an argument that the internal controls are strong.”
Overall, asset managers and service providers have fallen behind other areas of financial services when it comes to cyber security.
“It has been well stated in the industry that the cyber security risk is a systematic risk in the asset management space. It has created a new paradigm for risk management, and service providers, fund managers, institutional investors, pension funds, and the like have all been somewhat slow to react compared to other financial institutions as far as understanding what it takes to create an unimpeachable cyber security program,” says John Araneo, managing director and general counsel at Align Cybersecurity.
“The typical vulnerabilities are being exploited through vendors that do not have cyber security controls in place, [and] also employees being phished or hacked or manipulated through social engineering seems to be the weak link, time and time again.”
Align Cybersecurity™ offers tailored, layered and advanced cybersecurity solutions encompassing Vulnerability Assessments/Penetration Testing, Cybersecurity Risk Management as a Service (Align Risk CSR), Customized Cybersecurity Programs, Third Party Management, Managed Threat Protection (Align Guardian), Cybersecurity Training and more.