It's a regular morning for the fund administration professional, working from home of course thanks to Covid. In her inbox is an email request from a fund manager client, asking to move $39,000 from the fund bank account to a new payee to cover a new fund expense item. The request is authenticated and signed by the manager's CFO and Controller in accordance with the manager's dual signatory policy and is supported by a valid invoice, with wire transfer details helpfully attached. Thankfully the admin completes a call back to her client... where it becomes clear that the manager has been hacked.
In a recent conversation with Castle Hall, the head of a leading fund administration business noted that they had seen multiple examples of cyber attacks on fund managers over the past six months. Hackers are using phishing attacks to gain access to manager computer systems, and are then spending considerable time to understand the manager's organization and search out examples of wire transfer instructions (all the hackers care about, of course, is stealing money, either from the management company or the firm's funds).
In each case, the administrator has received entirely "valid" instructions from their manager client, with the right signatures from the right manager staff, requesting transfers to new payees. In all but one example, the amounts have been fairly modest - less than the $100,000 level which would raise greater attention. In each case, the fraud was discovered when the administrator's team completed a call back to their client - and in each case this was the first time that the manager was aware that their IT systems had been compromised.
It does not appear that the increase in attacks is directly related to Covid, in the sense of exploiting any "new" weaknesses which have emerged due to a work from home environment. Rather, it suggests an escalating volume of general criminal attacks on asset managers, driven by a relentlessly increasing number of phishing attacks, which are in turn becoming more sophisticated. Evidently, our industry is attractive given the sums held in funds and accounts, and at the management companies themselves.
What can investors do?
First, asset managers must focus intensively on cyber risks. While technical defences (firewalls, network perimeter etc.) remain important, social engineering training and support is critical. We continue to be surprised by the number of asset managers who still only conduct an annual phishing test for their team - this key process must ramp up to match the frequency and sophistication of hackers.
By the way, the best phishing test template we have seen so far? A manager who sent their staff an email saying "you have failed the most recent phishing test: please click here to remediate".
In the service provider realm, prudence and skepticism have never been more important. In this case, multiple successful hacks were discovered because the administrator applies a universal call back process to validate new payee accounts whenever a wire is requested from the fund, using contact details held on file rather than any supplied in the request itself.
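As an added illustration (not Castle Hall's or any administrator's actual system), the following Python sketch shows what a release gate implementing that call back control looks like. It assumes a hypothetical client "AlphaCap", a register of payee accounts already used for that client, a directory of phone numbers captured at onboarding, and the dual signatory policy from the story; all data values are constructed. The point it makes is that a new payee triggers a call back regardless of amount, and that the call must go to a number from the directory, never to one supplied in the email.

```python
"""Release gate for outgoing wire requests (added example, hypothetical data)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class WireRequest:
    client: str
    payee_account: str            # account as written in the request
    amount: float
    signatories: FrozenSet[str]   # who signed the request
    phone_in_request: Optional[str] = None  # number the email itself offers

@dataclass
class ReleaseDecision:
    released: bool
    reasons: List[str] = field(default_factory=list)

# Constructed reference data for the hypothetical client.
KNOWN_PAYEES = {"AlphaCap": {"ACCT-OLD-001"}}
CONTACT_DIRECTORY = {"AlphaCap": {"+1-555-0100", "+1-555-0101"}}  # from onboarding
REQUIRED_SIGNATORIES = {"AlphaCap": {"CFO", "Controller"}}
ATTENTION_THRESHOLD = 100_000.0  # amount that attracts senior review

def payee_is_new(req: WireRequest) -> bool:
    """True when the account has never been paid for this client."""
    return req.payee_account not in KNOWN_PAYEES.get(req.client, set())

def evaluate(req: WireRequest,
             callback_number: Optional[str] = None,
             client_confirmed: bool = False) -> ReleaseDecision:
    """Decide whether a wire may be released.

    callback_number: the number the administrator actually dialled, or None.
    client_confirmed: what the client said on that call.
    """
    reasons: List[str] = []

    # Signature policy check; valid signatures alone prove nothing if the
    # manager's mailbox is compromised, so this is necessary, not sufficient.
    missing = REQUIRED_SIGNATORIES.get(req.client, set()) - set(req.signatories)
    if missing:
        reasons.append(f"missing required signatories: {sorted(missing)}")

    if req.amount >= ATTENTION_THRESHOLD:
        reasons.append("amount at or above attention threshold: senior review")

    # The new-payee rule is independent of amount: the frauds seen were
    # deliberately kept below the threshold.
    if payee_is_new(req):
        trusted = CONTACT_DIRECTORY.get(req.client, set())
        if callback_number is None:
            reasons.append("new payee: call back required before release")
        elif callback_number not in trusted:
            reasons.append("call back made to a number not held on file")
        elif not client_confirmed:
            reasons.append("client did not confirm on call back: "
                           "treat as suspected compromise")

    return ReleaseDecision(released=not reasons, reasons=reasons)

# The request from the story, as constructed sample input.
STORY_REQUEST = WireRequest(
    client="AlphaCap",
    payee_account="ACCT-NEW-777",
    amount=39_000.0,
    signatories=frozenset({"CFO", "Controller"}),
    phone_in_request="+1-555-0199",
)

if __name__ == "__main__":
    print(evaluate(STORY_REQUEST))
    print(evaluate(STORY_REQUEST, "+1-555-0199", True))  # number from the email
    print(evaluate(STORY_REQUEST, "+1-555-0100", False))  # client denies request
```

Note that the call to the number in the email is rejected even when "the client" confirms: if the mailbox is compromised, that number is whatever the attacker wants it to be.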
Caution and care are needed from all parties.
Visit cybersecuritydiligence.com for more information about Castle Hall's approach to cyber risks across the asset management industry.