Carla Price: The term Aristotle is used to represent a family of affiliates, which is comprised of Aristotle Capital Management, Aristotle Capital Boston, Aristotle Credit Partners, and Aristotle Atlantic Partners, which collectively operate under a unified platform known as Aristotle. Each firm is an independent investment advisor registered under the Investment Advisors Act of 1940 as amended.
Welcome to The Power of Patience, Aristotle’s podcast, where we share our reviews on topics actively explored by our investment teams and across our organization. I’m Carla Price, Director of Risk Management at Aristotle Capital, and I will be your host today. I have over 20 years of experience in the investment management industry. In that time, I’ve worked with over 50 registered investment advisors assessing these organizations’ internal controls, including cybersecurity. Additionally, I’ve led due diligence and remediation efforts resulting from actual cyber breaches and near misses across the industry. Coming up on today’s episode, we’ll be speaking with John Quan, Managing Director and Chief Technology Officer here at Aristotle Capital. If you enjoy this podcast, please like and share it on LinkedIn to help us spread the word. Today on the show, we’ll discuss what is cybersecurity, what are the threats today, and where are they coming from? How do small and mid-size organizations address the spending needs for effective defense? And lastly, what are some of the technologies companies are using to keep their data and systems safe? John, thank you so much for speaking with me today. To lead off the discussion, can you please introduce yourself and describe your role as Chief Technology Officer here at Aristotle Capital?
John Quan: Hi, Carla. First of all, I really want to take the opportunity to stress how important this topic is because it affects every individual, be it your personal life, your professional life, as well as affecting every company out there. We’re all fighting the same adversaries. So I think this type of knowledge sharing is going to be very beneficial to our listeners here as well as to those practitioners who are designing and executing on their own cybersecurity strategy. I’m John Quan. I’m the Chief Technology Officer here at Aristotle. I oversee all aspects of technology as well as cybersecurity. And before coming here, I was also the Chief Information Security Officer for a global asset manager where we led the development, the design, and the implementation of a comprehensive cybersecurity program while also dealing with numerous threats, potential attacks and investigations of potential breaches there.
Carla Price: Thank you, John. That’s helpful. You mentioned the current environment on cyber breaches being in the news on a regular basis for U.S. companies. Can you talk a little bit more about that for the listeners? What does the current environment look like for businesses and individuals today?
John Quan: Yeah, Carla. I think it’s important to talk about the who and the how when we consider what’s going on in the current environment around cybersecurity. So when you think about who, these are the range of attackers that are out there trying to penetrate various systems, companies and people, home, email. And so, on one end of the spectrum, we have very comprehensive and complex and well-funded nation states such as North Korea, Russia, India, as examples, who are deploying very complex attacks such as the one that we saw in the colonial pipeline. And then moving down the spectrum there, we’ve got criminal organizations and it’s very much as simple as just saying it’s organized crime behind cyber attacks because they appreciate the potential financial gain from these attacks that they’re conducting. And then finally, and this might be the one that people are most familiar with, but we just have bad individuals that are out there or people who are being opportunistic, trying to take advantage of a market, trying to take advantage of vulnerabilities out there and committing financial crimes and really for their own financial gain. One of the reasons why cyber is such an important topic is because there’s such a low barrier to entry. It’s about 50 bucks that you need to spend really to buy a ransomware type of package. And that just shows you how easy it is for anyone to get into the business of exploiting individuals and companies for their own financial gain. And then secondly, when you think about the how, how are these attackers like nation states and criminal organizations and individuals, how are they getting into these companies? It’s not going to be a surprise, but it’s 90% of all attacks originate via phishing email. So, when we think of phishing, this is not the click here and win a free iPad, those days are gone. Today, these are very sophisticated phish attacks that are utilizing social engineering to go and create a profile of their target. Where do they like to eat? Where do they go on vacation? Where do they work? Who are their friends? Things like that, that will help them craft an attack that will resonate with that individual.
Carla Price: What do you think the cyber criminals are trying to target at investment firms like Aristotle?
John Quan: Carla, that’s a great question because what you’re hitting on there is that these criminals, they don’t take one attack and believe that one size fits all, because it doesn’t. Our industry is different from any other industry, but there are very specific things that resonate with us, very specific lingo, for example, that when we hear, we go, “Oh, we know what that means.” That’s what they’re trying to target when they think about certain industries. So, with respect to the investment management space, I think there’s really three motivators for these bad actors. It’s financial gain, it’s disruption of operations, and it’s acquiring usable information. Let me give you a quick example there. Back in 2016, the Bank of Bangladesh suffered a hack. Hackers out there were trying to extract $1 billion from them via 35 swift transactions. Fortunately, many of them got stopped, but the hackers were able to walk away with about a hundred million dollars from that hack. And so, you would think, okay, was it a smash and grab type of attack? Well, no, it really wasn’t. I mean, for something as meaningful as that, if you’re going to try to steal a billion dollars, you’re going to take your time. You’re going to do your research. The organization that conducted this crime planned and prepared for years. In fact, they actually got into the Bank of Bangladesh in January of 2015. And so, you think, okay, January 2015, so they’re going to start hacking around that time, January, February, March. The answer is no. They actually stayed in their network for a year, and they were there quietly and they were there hiding, and they were there learning, and they were there trying to understand what is normal behavior for this institution, because if they are going to try to steal money, last thing they want to do is to, for example, try to send a wire of a hundred million dollars out from an account that generally sends out wires in the range of 10 to $20,000. That would raise a red flag immediately. So that’s why they had to hide so they could learn and ultimately craft such a large attack. And one other thing I want to point out too, and this might seem straightforward to many of our listeners, but I think it also just shows you the type of thinking that our adversaries are going through. The attack that they committed, they actually committed it on a Thursday night. And the reason they did that was because Thursday night in Bangladesh would then translate to New York opening on a Friday morning of which time Bangladesh would be on weekend. What does that mean? That means it gives them essentially three days of time before anyone potentially could have spotted this, before anybody potentially could have reached out to someone at the Bank of Bangladesh just to verify that these swift messages were indeed true. So, when you think about all that combined, these organizations going after companies like ours, they’re sophisticated, they understand swift, they understand how to comprise a swift message. They know thresholds not to go over. Financial gain is most likely the number one motivator for these attackers. But when you think about other aspects like disruption, so we’ve all heard of ransomware, what ransomware does, it will encrypt all your files, and without a secure key to unlock them, you’re not going to get access to those files ever again. And so, think about that from an investment management standpoint and frankly from a business standpoint. If your Excel models, if your financial statement, if your client records are all inaccessible to you, how do we expect to run our business? So, from a disruption standpoint, this is extremely, extremely highly disruptive. And then lastly, because we sit on so much information within the IM space, we’re also another target for information and secrets. So that could mean the research information that we have that we’ve been building to make investment decisions, they likely will want to get their hands on that.
Carla Price: Current cybersecurity buzzword, John, that I know is going around, and I’ve heard it and I’m sure some of our listeners have heard it, is Zero Trust security architecture. Can you explain for the listeners what this is, and describe the purpose of a Zero Trust architecture?
John Quan: Yeah, I’m happy to, and really glad that you brought that up too, because I think it really shows the maturing and the maturity of the cybersecurity industry. So, Zero Trust, it’s really a recent phenomenon maybe in the last five to seven years that has gotten a lot of traction out there. And so, what Zero Trust is, is a challenge to an outdated premise that everything within our network can be trusted. That is, if we have a sound perimeter, think of it as a circle. If we have a sound circle surrounding our building here and we keep all the bad guys out, that means everything in the building can be trusted. So, what Zero Trust is saying is we can no longer rely on that notion that if we have a sound circle out there that everything inside is safe. Because take the Bank of Bangladesh example again. They hid in there for a year. They hid in there for a year, so they could have been on a server watching activity and no one would be any smarter to it. So, can we trust that? No, that’s what Zero Trust is talking about. We can’t trust that. It’s really challenging, this premise of does a perimeter even exist as well? And so, in the past, before work from home, before the COVID situation occurred, we might all be in the same building, we might have a sound perimeter around us, but fast forward to where we are today and where we’re going to be going, you really have to challenge, do we have a perimeter anymore?
Carla Price: Thanks John. How would you say organizations can empower employees and create a culture where employees aren’t afraid to raise their hand or raise potential issues out to the cyber team or senior managers, which ultimately helped prevent cyber threats and identify them?
John Quan: That’s a great question because I think that building a culture of cyber awareness is critical to every organization. And when I say that, I’m not saying that cyber is the only priority within that organization. No, what I’m saying is it’s part of our culture, where you think about cyber, cyber first. You see somebody within your building and they don’t have a badge on, for example, that should make you suspicious. That should make you want to either report it or tell someone about it so that we can make sure that that’s not a person who’s unauthorized to be in that room. So, when we think about how do we empower our people, how do we put them in these positions to be our eyes and ears on the ground on a day-to-day basis, well, it’s very simple. Transparency about what’s happening in our industry. We also know that education and awareness and frequent testing, like testing our own employees when it comes to phishing emails is a good practice to give our employees a couple of at bats so that when the real phishing email comes, that they’ll be ready to identify it and to do something about it.
Carla Price: Yeah. Thank you, John, and thanks for all you do for our organization and the clients. Well, that brings us to the end of the episode. Thanks, John, for joining us today. We hope you enjoyed this podcast and learned more about Aristotle and cybersecurity. Thank you for listening to The Power of Patience.
Alex Warren: To learn more about Aristotle, please visit www.aristotlecap.com or follow the link in the show notes. If you enjoyed this episode, please rate and review us on Spotify and Apple Podcasts. Be sure to come back next time for discussion on uranium with Aristotle Capital’s Alberto Jimenez Crespo, Portfolio Manager and Senior Global Research Analyst. Until then, on behalf of Aristotle, thank you for listening.