Sovereign funds face up to cyber attack risks

Technology advances have raised the stakes in the fight against cyber attack. State investment funds see cybersecurity as a key priority in their long-term business strategies.
Sovereign funds face up to cyber attack risks

Cybersecurity is high up on the agenda for many of Asia’s biggest investors—and all the more so after security flaws affecting most everyday computer devices, dubbed Meltdown and Spectre, were recently discovered, highlighting the risks of costly cyber attack, data manipulation and lockdown. 

These have brought the cyber-risk issue to the forefront of the security agenda for institutional asset owners and central bankers and reminded them of the huge scale of the potential problem.  

“We see this as a very major threat, so we have a very sophisticated programme to deal with it and to protect ourselves,” Peter Costello, chairman of Australia’s $120 billion Future Fund, told AsianInvestor.

The Future Fund board has spent a lot of time on cyber attack and cybersecurity discussions, he said.

“We acknowledge that no matter how sophisticated you are at dealing with them, the offensive attacks are becoming even more sophisticated all the time. Of all the risks that could affect our portfolio, I would put this in the top three. It is something you have to work on continuously.”

In his recent exit interview with AsianInvestor, the New Zealand Super Fund’s outgoing chief executive, Adrian Orr, echoed that view, describing cybersecurity as the number one risk facing the sovereign fund in the years to come.

A report by BNY Mellon released last Friday (February 9) confirms that with the expansion of investment and trading activities by central banks, operational risks have come to the fore through the rise in information security threats.

“Rising concerns over cybersecurity and other operational threats to central banking functions have contributed to an even more intense focus upon infrastructure resiliency, including investment in remote backup facilities to support business continuity and disaster recovery capabilities,” the report states.

Indeed, the $814 billion China Investment Corporation (CIC) has just built a remote backup data centre, the second of its kind after the existing one at the fund’s headquarters in Beijing. This is directly related to the Chinese sovereign fund’s desire to prepare against external attack, said a spokesman. The internal risk processes also include disaster simulation drills and business disruption and continuity drills.

That approach has been adopted by other sovereign funds, including NZ Super.

“What we have done over a number of years is to go through scenarios of testing, to see if someone would be able to breach our systems—what would they try to change?" NZ Super’s head of IT, Greg McHugh, explained. "Then we look at any weaknesses we may have within that transaction flow, to try to provide greater protection, or stopping access to those critical systems.

"We’ve had a couple of examples recently with Meltdown and Spectre and [we examined] what that might mean for us if that vulnerability was exploited."


Many of the largest and most prominent asset owners—including CIC, Future Fund, NZ Super, Canada Pension Plan Investment Board, Singapore’s GIC, Malaysia’s Kwap and Abu Dhabi Investment Authority—discuss the issue of cybersecurity amongst themselves, and in some detail.

“We have a network of other sovereign funds to discuss about cybersecurity,” McHugh said. “There’s a great desire amongst all these institutions to protect the financial industry. No one is holding back on their own proprietary expertise; there is a sharing of information. We swap notes on phishing attacks, dictionary attacks, that sort of thing. It’s a team effort.”

This story forms part of a special feature on cybersecurity that appears in the forthcoming edition of AsianInvestor magazine.

¬ Haymarket Media Limited. All rights reserved.