Exploitation of MOVEit software demonstrates the criticality of vendor due diligence

This can be a hard truth for alternative investment managers to stomach: It’s not a matter of if you’re attacked, but when.

Several investment managers learned this the painful way when a vulnerability in MOVEit, third-party file transfer software, was exploited to attack their firms.

We know that securely transferring files between businesses can be a challenge. For many alternative investment firms, the default method for sending files is email, which results in mistakes and a loss of control once the send button has been clicked. Using a solution like MOVEit makes the file transfer process easier, and presumably safer. But unless a vendor due diligence procedure was performed on a third-party tool like MOVEit, there is no way to know if this file transfer method is truly secure.

Over two-thirds of attacks that resulted in a loss of confidential data were due to third-party service providers [1]. Around 10% of the victims were in the finance industry, but once potential service providers are included, the numbers climb to about 1,000 businesses affected and a large portion of the 50 million total individuals whose sensitive data was exposed [2].

Here lies the most difficult part for the IT, operations, and compliance departments within a fund (or for your outsourced providers of those services): How can you ensure that your service providers maintain cybersecurity standards comparable to your own? Case in point: until this incident occurred, using a third-party vendor like MOVEit would not have raised any red flags.

If you have performed vendor risk assessments and, as part of that process, documented the technology each vendor uses to deliver its service, you are better equipped to respond to an incident swiftly.

Imagine the scenario:

Cybersecurity Officer – “There is new threat intelligence to suggest the software MOVEit might be compromised. I’ve looked through our vendor due diligence and we use it with the fund admin provider.”

Operating Officer – “Great, thank you. Let’s pull our files off the server until our back-office team can discuss with the fund admins and send files another way.”

The above is a far smoother process than:

“The back office has reported our fund admin was breached last week and we might have lost some data; we don’t know how or what might have happened yet.”

Any good cybersecurity program begins with highlighting the key risks for a business. With over 60% of breach incidents [3] coming from third parties, addressing cybersecurity risk in your third-party vendors is paramount to keeping your firm and your investors’ assets safe.

[1] https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html#:~:text=All%20details%20below-,How%20affected%3F,-Affected%20overall

[2] https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html#:~:text=MOVEit%20breach%20victims

[3] https://www.verizon.com/about/news/ransomware-threat-rises-verizon-2022-data-breach-investigations-report#:~:text=62%20percent%20of%20System%20Intrusion%20incidents%20came%20through%20an%20organization%E2%80%99s%20partner