Fidelity's defense against cyberattacks

Key takeaways

  • Russia's attacks on Ukraine extend to the digital realm, with hackers working to disrupt essential services.
  • The US government has warned that there is a risk that Russia could target the US for cyberattacks.
  • Fidelity's cybersecurity team has been closely monitoring the situation, and the attacks playing out in Ukraine match familiar playbooks.
  • For individuals, the best way to prepare for the potential of any cyberattack is to exercise good cyberhygiene, which can start with using strong passwords, enabling multi-factor authentication, and ensuring contact information is up to date.

The Russian invasion of Ukraine has been unsettling. In addition to the traditional weapons of war, Russia is allegedly waging cyberwarfare against the Ukrainian government, service providers, and the digital infrastructure of the country. Experts have warned that the US could be targeted for cyberattacks as well.

Fidelity's chief information security officer, Adam Ely, sat down with Viewpoints to explain what that means for Americans, how Fidelity prepares for cyberattacks, and what investors can do to protect themselves.

When we talk about cyberattacks, what does that mean?

Ely: We see a wide range of cyberattacks across the internet and the motives behind them can differ. Some cybercriminal organizations are trying to steal data to use. Others are trying to ransom data to get paid. There are some cyberattacks meant to cause destruction.

That is what we’re seeing now in Ukraine—attacks meant to destroy computer systems and data to really take things offline in an effort to slow that country and its economy down.

In today's ecosystem, the threat is that the US will see these destructive attacks that are meant to harm our economy, a particular sector, or specific companies. Financial services, especially the brokerage sector, is not traditionally one of the primary targets.

What are the specific ways that cyberattacks could be used against a country?

Ely: In times of war and conflict, the biggest targets are those affiliated with the energy sector because if you can take a gas company offline, for example, you can disrupt the power supply for areas of the country. This has the biggest impact on a country’s operations. Second, attackers would try to disrupt other critical services, such as food distribution.

There are many ways to create mayhem and destruction from thousands of miles away: launching a cyberattack against a power grid, as I mentioned; causing a nuclear reactor to go offline as we’ve seen in the past; or disrupting a large food company’s distribution and logistics system. These could all cause large-scale disturbances.

We know some of that is playing out in Ukraine now, but we have not seen this happening outside of that immediate area.

Is there anything surprising or unexpected in the actions you've seen Russian cyberattackers taking against Ukraine?

Ely: Part of our normal, day-to-day operations involves watching the tactics and techniques of cybercriminal organizations around the world.

We've seen activity that we believe shows the current Russian cyberattacks against Ukraine. Those attacks match the same techniques we’ve seen in the past. So not really anything new or novel. The only thing that has changed is the intended outcome. The goal is not to steal data or to ransom data for monetary gain. The goal is destruction.

How does Fidelity defend against cyberattacks?

Ely: We run a 24/7 cybersecurity operation with people staged in multiple countries, constantly watching what's happening across the threat environment and analyzing attacks we see—including those happening to other sectors and companies.

Our cyberintelligence team is constantly taking in this information from a variety of sources, including the cyberintelligence-sharing community, government agencies, and peer companies, both from within financial services and other sectors, foreign and domestic.

We're constantly analyzing the data in order to understand trends and patterns. We use this information to pressure test our own operations, constantly looking for new ways to protect ourselves.

We always operate in a state of high alert and consider all kinds of scenarios—some highly improbable. If we were to see full-scale cyberwar across the globe, we’d be prepared. Fortunately, the world is not there yet.

How does Fidelity protect client data?

Ely: We employ a concept called defense-in-depth and focus on 3 factors: prevention, detection, and recovery.

Based on all of the intel we’re constantly gathering, we think about various techniques attackers are using, and we play out threat scenarios to determine how well we can detect and prevent them. We want to learn what additional controls we can layer in to our existing environment to give us as many opportunities as possible to prevent an attack from occurring and/or impacting the firm.

Finally, we think about recovery. If something did happen, how will we recover systems and data, and bring accounts back to the right state?

So we think across all of these dimensions and apply multiple layers of protection to make sure we have the ability to prevent attacks, detect attacks, and recover from any sort of data loss that may occur.

What can investors do to protect themselves?

Ely: For clients and customers it's always important to prioritize personal security.

Make sure Fidelity has your current contact information, most importantly your email addresses and phone numbers as these are the primary ways we would contact you in the event of an account compromise. Additionally, I cannot stress how important it is to use unique passwords and add multi-factor authentication to your accounts. If someone calls or emails you about any of your accounts, validate who’s calling.

These may seem like basic steps to take, but they're the best things you can do to keep yourself protected. Good, fundamental cyberhygiene is always important.

Adam Ely
Chief Information Security Officer
Adam Ely is chief information security officer at Fidelity Investments. Before joining Fidelity in May of 2021, he founded a security product company and held global cybersecurity leadership roles with several Fortune 100 companies, including WalMart, Salesforce, and The Walt Disney Company. Additionally, Mr. Ely founded the CISO Fund, a non-profit to support cybersecurity education and careers.

This information is intended to be educational and is not tailored to the investment needs of any specific investor.

Views expressed are as of the date indicated, based on the information available at that time, and may change based on market or other conditions. Unless otherwise noted, the opinions provided are those of the speaker or author and not necessarily those of Fidelity Investments or its affiliates. Fidelity does not assume any duty to update any of the information.

Fidelity Brokerage Services LLC, Member NYSE, SIPC, 900 Salem Street, Smithfield, RI 02917