The Art Market is Down. A Cyberattack at Christie’s May Make Things Worse. - Kanebridge News

The auction house plans for sales to proceed, including for a Warhol ‘Flowers’ estimated at $20 million

By KELLY CROW
Wed, May 15, 2024 9:56am, 3 min

Christie’s remained in the grip of an ongoing cyberattack on Tuesday, a crisis that has hobbled the auction house’s website and altered the way it can handle online bids. This could disrupt its sales of at least $578 million worth of art up for bid this week, starting tonight with a pair of contemporary art auctions amid New York’s major spring sales.

Christie’s said it has been grappling with the fallout of what it described as a technology security incident since Thursday morning—a breach or threat of some kind, though the auction house declined to discuss details because of its own security protocols. Christie’s also declined to say whether any of the private or financial data it collects on its well-heeled clientele had been breached or stolen, though it said it would inform customers if that proves to be the case.

“We’re still working on resolving the incident, but we want to make sure we’re continuing our sales and assuring our clients that it’s safe to bid,” said Chief Executive Guillaume Cerutti.

Sotheby’s and Phillips haven’t reported any similar attacks on their sites.

Christie’s crisis comes at a particularly fragile moment for the global art market. Heading into these benchmark spring auctions, market watchers were already wary, as broader economic fears about wars and inflation have chipped away at collectors’ confidence in art values. Christie’s sales fell to $6.2 billion last year, down 20% from the year before.

Doug Woodham, managing partner of Art Fiduciary Advisors and a former Christie’s president, said people don’t want to feel the spectre of scammers hovering over what’s intended to be an exciting pastime or serious investment: the act of buying art. “It’s supposed to be a pleasurable activity, so anything that creates an impediment to enjoying that experience is problematic because bidders have choices,” Woodham said.

Aware of this, Cerutti says the house has gone into overdrive to publicly show the world’s wealthiest collectors that they can shop without a glitch—even as privately the house has enlisted a team of internal and external technology experts to resolve the security situation. Currently, it’s sticking to its schedule for its New York slate of six auctions of impressionist, modern and contemporary art, plus two luxury sales, though one watch sale in Geneva scheduled for Monday was postponed to today.

The first big test for Christie’s comes tonight with the estimated $25 million estate sale of top Miami collector Rosa de la Cruz, who died in February and whose private foundation offerings include “‘Untitled’ (America #3),” a string of lightbulbs by Félix González-Torres estimated to sell for at least $8 million.

Cerutti said no consignors to Christie’s have withdrawn their works from its sales this week as a result of the security incident. After the De la Cruz sale, Christie’s 21st Century sale on Tuesday will include a few pricier heavyweights, including a Brice Marden diptych, “Event,” and a Jean-Michel Basquiat from 1982, “The Italian Version of Popeye Has no Pork in his Diet,” each estimated to sell for at least $30 million.

But the cyberattack has already altered the way some collectors might experience these bellwether auctions at Christie’s. Registered online bidders used to be able to log into the main website before clicking to bid in sales. This week, the house will email them a secure link redirecting them to a private Christie’s Live site where they can watch and bid in real time. Everyone else will be encouraged to call in or show up to bid at the house’s saleroom in Rockefeller Center in Midtown Manhattan.

If more bidders show up in person, the experience might prove to be a squeeze. During the pandemic, Christie’s reconfigured its main saleroom from a vast, well-lit space that could fit several hundred people into a spotlit set that more closely evokes a television studio, with far fewer seats and more roving cameras—all part of the auction industry’s broader effort to entice more collectors as well as everyday art lovers to tune in, online.

Once this smaller-capacity saleroom is filled, Christie’s said it will direct people into overflow rooms elsewhere in the building. Those who want to merely watch the sale can’t watch on Christie’s website like usual but can follow along via Christie’s YouTube channel.

Art adviser Anthony Grant said he typically shows up to bid on behalf of his clients in these major sales, though he said his collectors invariably watch the sales online as well so they can “read the room” in real time and text him updates. This week, Grant said a European collector who intends to vie for a work at Christie’s instead gave Grant a maximum amount to spend.

Grant said the cyberattack popped up in a lot of his conversations this past weekend. “There’s a lot of shenanigans going on, and people have grown so sensitive to their banks and hospitals getting hacked,” he said. “Now, their auction house is going through the same thing, and it’s irksome.”



Preparing for the Next Worldwide Tech Outage

CIOs can take steps now to reduce risks associated with today’s IT landscape

By BELLE LIN
Fri, Jul 26, 2024 3 min

As tech leaders race to bring Windows systems back online after Friday’s software update by cybersecurity company CrowdStrike crashed around 8.5 million machines worldwide, experts share with CIO Journal their takeaways for preparing for the next major information technology outage.

Be familiar with how vendors develop, test and release their software

IT leaders should hold vendors deeply integrated within IT systems, such as CrowdStrike, to a “very high standard” of development, release quality and assurance, said Neil MacDonald, a Gartner vice president.

“Any security vendor has a responsibility to do extensive regression testing on all versions of Windows before an update is rolled out,” he said.

That involves asking existing vendors to explain how they write software, what testing they do and whether customers may choose how quickly to roll out an update.

“Incidents like this remind all of us in the CIO community of the importance of ensuring availability, reliability and security by prioritizing guardrails such as deployment and testing procedures and practices,” said Amy Farrow, chief information officer of IT automation and security company Infoblox.

Re-evaluate how your firm accepts software updates from ‘trusted’ vendors

While automatically accepting software updates has become the norm—and a recommended security practice—the CrowdStrike outage is a reminder to take a pause, some CIOs said.

“We still should be doing the full testing of packages and upgrades and new features,” said Paul Davis, a field chief information security officer at software development platform maker JFrog. Though it’s not feasible to test every update, especially for as many as hundreds of software vendors, Davis said he makes it a priority to test software patches according to their potential severity and size.

Automation, and maybe even artificial intelligence-based IT tools, can help.

“Humans are not very good at catching errors in thousands of lines of code,” said Jack Hidary, chief executive of AI and quantum company SandboxAQ. “We need AI trained to look for the interdependence of new software updates with the existing stack of software.”

Develop a disaster recovery plan

An incident rendering Windows computers unusable is similar to a natural disaster with systems knocked offline, said Gartner’s MacDonald. That’s why businesses should consider natural disaster recovery plans for maintaining the resiliency of their operations.

One way to do that is to set up a “clean room,” or an environment isolated from other systems, to use to bring critical systems back online, according to Chirag Mehta, a cybersecurity analyst at Constellation Research.

Businesses should also hold tabletop exercises to simulate risk scenarios, including IT outages and potential cyber threats, Mehta said.

Companies that back up data regularly were likely less impacted by the CrowdStrike outage, according to Victor Zyamzin, chief business officer of security company Qrator Labs. “Another suggestion for companies, and we’ve been saying that again and again for decades, is that you should have some backup procedure applied, running and regularly tested,” he said.

Review vendor and insurance contracts

For any vendor with a significant impact on company operations, MacDonald said companies can review their contracts and look for clauses indicating the vendors must provide reliable and stable software.

“That’s where you may have an advantage to say, if an update causes an outage, is there a clause in the contract that would cover that?” he said.

If it doesn’t, tech leaders can aim to negotiate a discount serving as a form of compensation at renewal time, MacDonald added.

The outage also highlights the importance of insurance in providing companies with bottom-line protection against cyber risks, said Peter Halprin, a partner with law firm Haynes Boone focused on cyber insurance.

This coverage can include protection against business income losses, such as those associated with an outage, whether caused by the insured company or a service provider, Halprin said.

Weigh the advantages and disadvantages of the various platforms

The CrowdStrike update affected only devices running Microsoft Windows-based systems, prompting fresh questions over whether enterprises should rely on Windows computers.

CrowdStrike runs on Windows devices through access to the kernel, the part of an operating system containing a computer’s core functions. That’s not the same for Apple’s Mac operating system and Linux, which don’t allow the same level of access, said Mehta.

Some businesses have converted to Chromebooks, simple laptops developed by Alphabet-owned Google that run on the Chrome operating system. “Not all of them require deeper access to things,” Mehta said. “What are you doing on your laptop that actually requires Windows?”