When a Breach is a 'Good Thing'

In April, Waters is planning a comprehensive issue about cybersecurity and the technology, processes, and talent required to guard against what many CTOs now believe is their top operational risk.

The list of firms that have been hacked—either externally or internally—in the last year is lengthy, featuring some of the largest corporations in the world and at least a couple of mainstay investment banks as well.

Of course, when the topic is raised, many minds (including my own) visualize a malicious 'blackhat' actor holed up in a dark room somewhere halfway around the world, toying with systems and stealing information either for the fun of it, or because a state or quasi-state entity is paying them to do so behind some kind of ideological justification.

But particularly in finance, the job is often far more simple, and the reasons are sometimes much more benign.

For example, the theft of client data from Morgan Stanley's wealth management unit in December 2014 by a recently-promoted adviser at the firm had many hallmarks of a contemporary cyber event: a shadowy data-download service, even a request for payment in cryptocurrency. But as of yet, none of the typical reasoning.

Internal Leaks
Things can be simpler still, as this week's revelation of HSBC's Geneva office engaging in all sorts of lurid and tax-evading conduct surely suggests.

In this case, as The Guardian has reported, it was physically a matter of a systems engineer, Herve Falciani, prepping tens of thousands of client accounts right at his desk, fleeing to France (from where he, as a French citizen, can't be extradited) and downloading them to five hard disks. What's now being called the biggest bank leak in history was just that easy, and the standard maelstrom of condemnation and calls for investigation has followed.

To some extent, I suspect this style of threat—and not foreign hackers spoofing their location and IP eight times over—could become the norm for financial services. Indeed most technologists we speak to, particularly on the buy side, continue to argue that their greatest worry in terms of data security is their own staff either opening malware in an email without knowing it, or walking off with information they shouldn't be permissioned to because of a change of heart about the business they're in.

Fogginess
This danger, like the HSBC files, raises some interesting practical and even ethical questions—far more so than the Target or Sony hacks that have a clear antagonist, and were clearly avoidable.

To the former issue, locking down every last piece of data would make life for a typical investment management firm operationally difficult, if not impossible. All the more so if you're personnel-constrained or have aspirations to provide serious mobile functionality, as many do. It's a matter of expectations creep and technical lag.

While I'm not exactly as strong as Glenn Greenwald on the latter issue, far from it, from an ethical standpoint there might well be legitimate reasons, in very specific instances, to heist information from one's own firm and hand that data to governmental authorities or the press, as well. I doubt any CTO would admit to that priority being on his or her mind, quite the opposite actually, though deep down we can all imagine such circumstances.

Whether Mr. Falciani—who, like Edward Snowden, is a colorful character—had reasons rising to that level of compulsion is debatable. But the HSBC breach certainly adds a new twist to a topic that was already front-of-mind in 2015.

In any case, we look forward to examining this area, both with technical nuance and from a business standpoint, in April. Any firms looking to contribute their outlook should certainly give a shout, at [email protected] or on 646 490 3968.