FBI here to help funds with cyberattacks, agents say

‘Our primary goal is to provide relief,’ top cybersecurity official says.

Fund managers worried about their growing cybersecurity risks should know that the FBI is here to help, two top agents said Wednesday at the Private Fund CFO NY Forum.

“We’re not a regulatory agency. Our primary goal is to provide relief,” Amit Kachhia-Patel, assistant special agent in charge of the Bureau’s New York field office, told a packed room at the conference. “We may be in a position to provide you with an encryption key, we may be in a position to provide you with more fidelity into that particular threat. We’re happy to work with your third-party mitigators.”

If the “intrusion is severe enough,” Kachhia-Patel added, the FBI has a team of “packet ninjas – these are some of the most technical folks we have” to work on-site with fund managers under a memorandum of understanding to help fix the problem. Just last fall, “a large firm” in the New York area was crippled with a ransomware attack. The firm called the FBI out of the blue. Within 48 hours, the Bureau was able to provide an encryption key that got the firm back online, Kachhia-Patel said.

Joining Kachhia-Patel on stage was Paul Roberts, another assistant special agent in charge who focuses on financial crime. He urged fund managers to “think creatively” about how insiders in their own firms might try to profit on the information they help hackers uncover.

More than a decade ago, when JP Morgan suffered a hack, it wasn’t clear what the hackers were doing with the data on the 83 million-some accounts they had illegally accessed, Roberts said. It turned out the hackers were using customer email addresses to build their own pump-and-dump schemes. The case ultimately led to a Swiss asset manager who was profiting on the schemes, Roberts said. Criminal cases can take a long time to build, but the FBI can help long before an indictment comes down. Every second counts, though, Roberts said.

“It’s important to get in touch with the FBI as soon as possible,” he said. If a firm suspects that a hacker has authorized illegal wire transfers, for instance, and the firm alerts the FBI within 72 hours of the hack, “there’s a very, very high likelihood that we get that wire transfer stopped and get your money back to you.”

Barriers for entry

AI – for all its promises – has also magnified funds’ risks, the FBI men agreed. It’s allowed state-backed hackers in China and North Korea, for instance, to improve the English-language proficiency of their spear-phishing attacks, Kachhia-Patel said. (That’s just one reason firms should consider segregating their networks if some of them run in countries where cyberhackers proliferate, he added.)

The barriers for entry for cyberhackers have also dropped dramatically. A would-be hacker can buy a spear-phishing kit on the so-called dark web for about $3, “less than most of us would spend on a latte here in New York,” Kachhia-Patel said.

A growing concern is the capacity of AI to create deep fakes, Roberts said. We’ve already seen examples of deep fake technology fooling people by the millions. The risk that a cyberhacker could create authentic-seeming audio or video clips of a fund CEO is growing. Roberts said he had a meeting just a couple of weeks ago with some of the Bureau’s top cybersecurity experts. They told him, “We’re in the advanced phase of AI now. The early phase was six months ago. Just imagine what it’s going to be like in five years, or even one more year.”

So how can funds help secure themselves against cyber-baddies? Kachhia-Patel and Roberts offered a few suggestions:

  1. Focus on your firm’s “cyber hygiene.” Insist that staff use passwords of at least 16 characters, or even full sentences (to make them easier to remember), and work with vendors that have been certified in cybersecurity defenses such as the Software Bill of Materials.
  2. Multi-factor authentication “should be a no brainer,” Kachhia-Patel said.
  3. Segment your networks.
  4. Hire “red teams” to probe your network’s defenses, and then retest after each raid.
  5. “Encourage a whole of organization” approach to cyber-security, from the board to “the person who answers your phones,” Kachhia-Patel said.
  6. “Don’t forget the human element,” Roberts said. “If something doesn’t feel right, or someone on your staff thinks something might be off, trust yourself, or trust your people.”