Fighting Cyberattacks Requires Top-Down Approach

Speaker at CIO livestream says security has to be the responsibility of the whole organization, not just the IT department.



Mitigating cybersecurity threats requires organizations to reassess their approach to technical vulnerability, advised an internet security expert and author at the “Cybersecurity Threats and Concerns: An Overview” session of CIO’s Cybersecurity livestream on October 12.

In 2023, economic losses from cybercrime are estimated to cost entities $2 trillion annually, and projections are that costs will increase to $10.5 trillion by 2025, according to figures from the Internet Security Alliance, a nonprofit dedicated to integrating technology with economics and public policy to promote cybersecurity.

Prevalent cybersecurity threats demand that every organization employ “a completely different approach to cybersecurity from the top down … that every board of directors should be following,” said Larry Clinton, president of the Internet Security Alliance.

Organizations must move away from the posture that their IT division owns responsibility for safeguarding against cyberattacks, Clinton said.

“The original view was [threat protection] would bubble up from the IT department through the organization,” which has not happened, Clinton said. Instead, “what we really need is for cybersecurity to come down from the top of the organization … into the departments so that we have an enterprise-wide culture of security. It is the board’s responsibility to work with the executive team to s. It is not just an IT-centric issue.”

For public and private entities, Clinton advised designing a cybersecurity roadmap using six core principles adopted by the National Association of Corporate Directors, the Internet Security Alliance and the World Economic Forum:

  • Recognize cybersecurity as a strategic business enabler;
  • Understand the economic drivers and impact of cyber risk;
  • Align cyber-risk management with business needs;
  • Ensure organizational design supports cybersecurity;
  • Incorporate cybersecurity expertise into board governance; and
  • Encourage systemic resilience and collaboration.

Businesses and governments must also delve further into the low cost of entry for digital criminals and the high probability they will profit, Clinton said.

“We have focused too much in the past on blaming the victims, and not so much on stopping the attackers: We’ve tried to apply basically 20th-century and 19th-century regulatory methods to a 21st-century problem,” Clinton said. “The problem really has its stem in the economics of the problem, [because] the fact is that all the economic incentives in the cybersecurity world favor the bad guys.”

For entities to effectively protect against cybersecurity threats, Clinton advised developing a greater understanding of the problem, focusing on why the attacks occur instead of acquiring more technology to prevent them. Cybercriminals are able to access dark web cyberattack wares at low cost, with the potential to wreak costly damage.

On the dark web, “you can buy or outsource a distributed denial of service attack for about $500; you can buy access to corporate mailboxes for about $250; you can buy fake Instagram or [the platform formerly known as] Twitter addresses for $100; you can get a tutorial on how to conduct email attacks for $25; and you can purchase a template to show you how to do the attacks for $3,” Clinton said. “You can’t buy a Starbucks [drink] for $3.”

“We need to do more than be aware of cybersecurity,” he said. “We need to have understanding and action with regard to cybersecurity.”

For investment advisers and retirement plan members, Clinton advised:

  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments;
  • Conduct periodic cybersecurity awareness training;
  • Implement and manage a secure system development life cycle program;
  • Have an effective business resiliency program addressing business continuity, disaster recovery and incident response; and
  • Encrypt sensitive data when it is stored and in transit.

The best practices to comply with recently enacted Securities and Exchange Commission rules include:

  • Incorporate cybersecurity in comprehensive risk assessments and make sure risk assessments are done often, are updated and include internal and external third parties;
  • Specify cybersecurity issues with specific roles and responsibilities;
  • Routinely update security/anti-virus software, passwords and access;
  • Routinely communicate and work with cybersecurity and IT professionals in the company and at any third-party vendor; and
  • Have a plan in place for when a cyberattack occurs and know who notifies authorities and clients.

Harvard Endowment Returns 2.9%, Outperforming Many Peers

Venture capital investments dragged down returns in a muted year for alternatives. 



Harvard University’s nearly four-centuries-old endowment returned 2.9% in fiscal 2023, which ran through June 30, according to the university’s annual financial report. The value of the endowment stood at $50.7 billion, the largest of any U.S. university.

But muted returns in alternative investments, which make up a majority of the endowment portfolios of Harvard and many peers, resulted in the endowment underperforming its benchmark, while still outperforming some of its peers.  

Harvard Management Co., which manages the endowment, allocates 39% of its endowment portfolio to private equity and another 31% to hedge funds. Public equity accounted for 11% of the asset allocation. Real estate had an allocation of 5%, bonds made up 6% of the portfolio and cash was 5%. Natural resources and other real assets had allocations of 1% and 2%, respectively.  

Narv Narvekar, the CEO of HMC, wrote in his letter within the annual report that the endowment is in the process of adding more risk to the overall portfolio.  

“Looking back over many years, a main constraint on Harvard’s endowment returns has been that the portfolio was structured to take less risk than what was likely prudent,” Narvekar wrote. “HMC built an analytical risk framework and partnered closely with the University to help determine the University’s risk tolerance. After several years of rigorous conversation and analysis, the University agreed to a measured increase in the portfolio’s risk level, which HMC began implementing over the last two years. … We note that we continue to operate, even after the risk increase, at a somewhat lower risk level than many peer endowments.” 

Narvekar also addressed the issues of sustainable investing and gender and racial diversity in the financial industry in his letter.  

“HMC has started investing in innovation related to mitigating greenhouse gas emissions,” he wrote. “While we have been early in investing in this area over the last few years, we believe that a decade from now it will be accretive to endowment performance. … In addition … there were two other specific initiatives that we are proud to have incorporated into our operations: addressing gender and racial diversity in the financial industry and expanding our sustainable investing practices to meet the University’s pledge to have the endowment net zero of greenhouse gas emissions by 2050.” 

HMC did not provide a breakdown of returns for each asset class. The university’s annual report noted that private equity returns were “slightly positive,” while venture capital and growth investments were “mildly negative.”  

Harvard’s 11% exposure to public equities was not enough to enable the overall portfolio to benefit from the equity-market rally in the second half of the fiscal year. The annual report cited the limited long-only public equity exposure as mitigating the impact of equity-market performance on the portfolio as a whole.  

Fiscal 2023 returns trailed the university’s long-term return of 8%. 

In fiscal 2022, Harvard’s endowment returned negative 1.8%, well below the double-digit declines in public equities. Narvekar’s letter attributed the FY 2022 performance to private managers not reducing the value of investments consistent with the decline in equity markets. Likewise, the university says private asset managers did not increase the value of their investments against the backdrop of rising equity markets.  

“While we are deeply appreciative of the capable navigation of complicated markets by CEO Narv Narvekar and his colleagues at Harvard Management Company, the 2.9% return on the endowment this year is below our long-term target return of 8%,” wrote Ritu Kalra, Harvard’s chief financial officer, and Timothy Barakett, the university’s treasurer, in their financial overview. “Narv expressed caution about forward-looking returns in private portfolios last year, noting that ‘private managers have not yet marked their portfolios to reflect general market conditions.’”

The endowment optimized its asset allocation during the fiscal year by pivoting “in a risk-neutral manner” to private equity from private real estate, agriculture and timber, Narvekar wrote. It also built up a large portfolio of equities separate from its allocation to hedge funds. The endowment also diversified into biotech within public and private markets and significantly increased its allocation to venture capital investments in technology companies.  

Harvard’s returns are in line with a study from Markov Process International’s Transparency Lab, which predicted that university endowments would underperform due to poor venture capital returns. MPI estimated Harvard’s endowment would return 2.75%. 

For fiscal 2023, the endowment received gifts of $486 million from alumni and foundations.  
