WannaCry? WannaRun, WannaHide! Managing Cybersecurity Risk

June 7, 2017

Over the last year there has been no shortage of things to keep investors, asset managers, and risk managers concerned. Despite these exogenous shocks, most equity markets have continued to shake off the turbulence, with measures of volatility remaining muted. Additional risks are always lurking, and the WannaCry ransomware attack highlighted one of the largest.

The WannaCry cryptoworm, launched in May 2017, exploited a vulnerability in Windows to remotely lock computers and demanded Bitcoin payment to unlock them. The vulnerability was first found by the U.S. National Security Agency, which chose to exploit the weakness for its own use instead of reporting it to Microsoft. Hackers released the vulnerability data in a breach of the NSA’s own servers, allowing Microsoft to issue a critical patch. An estimated 230,000 computers in 150 countries had already been infected.

Cybersecurity is an increasingly important risk. In the past, due diligence trips to managers and vendors would focus on investment and operational process, depth of team, compliance, risk management, and would touch on a firm’s infrastructure and business continuity plan. Today, an increasing amount of time is spent understanding a firm’s data and systems as well as the policies and procedures in place to protect them. Similar attention is being paid to cybersecurity readiness by the financial market regulators.

An organization can best defend itself from threats like the WannaCry virus by implementing four elements of an information and cyber security plan.

It is imperative that organizations of all sizes seek to identify their most critical and sensitive information in order to construct stronger defenses around those “crown jewels.” While a unified, standard approach to security for all data and systems may sound appropriate, organizations may be misallocating resources by over-securing lower priority elements and under-protecting the most vital information. Classification and prioritization of key data is essential to implementing controls that are commensurate with the risk severity and level of potential impact to the business. Outside resources can be utilized to augment the efforts of internal management and information technology personnel to audit and monitor this process and its results.

A proper information security policy should be developed collaboratively to focus on the following areas: people and policy security, operational security, a secure Software Development Life Cycle (SDLC), physical security, third-party relationships, network security, platform security, and application security. Implementation and enforcement of these policies and procedures requires defined processes for effective dissemination, ensuring that they are understood and available at all times, while enforcing compliance through audits and potential disciplinary actions.

Once an organization has identified its crown jewels and put a plan in place for securing them, the next step is executing the plan. The focus is on people, process, and technology. Insufficiently trained personnel are often the weakest link in an organization’s security perimeter and are the target of sophisticated social engineering attacks. It is crucial to provide adequate security awareness training to all new hires, as well as ongoing training to current employees. Process encompasses the day-to-day operational and technological steps that an organization takes, forming the intersection point of planning and testing. Some of the practices involved include: third-party risk management, compliance and audit, asset management, monitoring and operations, and vulnerability and patch management. The technological environment within an organization itself needs to be built securely. Secure network design, secure builds, authorization, and malicious code prevention help to create the proper backbone for security.

Even with the strongest protections in place, the continuous stream of real-world attacks means that eliminating every threat is virtually impossible. Third-party specialists bring expertise in stress-testing systems and identifying weaknesses. Vulnerability assessments broaden and deepen awareness of threats, attacks, vulnerabilities, and the effectiveness of existing controls. Penetration testing is the practice of probing a computer system, network, or web application to find security weaknesses that an attacker could exploit. These assessments and tests should be conducted on a recurring basis, with the frequency dependent on the risk tolerance for the system being addressed. Organizations should conduct table-top exercises and regularly test their incident response, disaster recovery, and business continuity programs internally. Regular and routine phishing tests aimed at employees strengthen awareness and mitigate social engineering risks.

Cybersecurity risk is real. Organizations that can properly leverage internal and external resources to identify their crown jewels, put a comprehensive security plan in place, protect their data and systems through sound execution, and continually test and improve their defenses are most likely to remain unharmed. Institutions should seek the same rigorous security approach from each entity with which they conduct business. The threat landscape is always evolving, and organizations that fail to evolve with it will eventually be exposed. Despite best efforts and intentions, people remain the biggest risk. Educating employees is paramount. As an information security officer from a global asset manager stated in a recent diligence meeting, “you can’t patch stupid or careless.”

David Young

Managing Director, Chief Technology Officer

Brian Rondeau

Chief Risk Officer

