Our understanding of cyber security risk in the investment management industry can often be enhanced by analysis of cyber events in other industry sectors.
At the end of August, it was revealed that MacEwan University in Edmonton, Canada, was defrauded in a spear-phishing scam that saw the university send almost $12M in payments to a new bank account they believed belonged to a vendor. The attack was executed via e-mail exchanges with accounts payable staff: communication continued from late June until early August, with up to three relatively low-level MacEwan employees added to the e-mail chain.
The fraudulent party ostensibly registered a domain name that was close enough to that of Clark Builders (a vendor engaged in the construction of various university facilities) to pass a cursory examination. The fraudsters then copied the construction firm’s logo into their e-mail correspondence and used these factors to initiate and maintain a long-term deception that allowed them to convince university staff to change electronic banking information for the vendor, leading three payments (two of which were in excess of $1M) to be misdirected.
What does this mean for investors conducting due diligence on their fund managers?
First, a security awareness course, targeted to employee and job functions, should have given MacEwan employees sensitivity to basic cyber “scam” risks.
A logo is trivial to copy and paste – the presence of an authentic-looking image is not grounds to accept the entire contents of an e-mail at face value. Clearly, there should have been a heightened awareness around verifying the authenticity of not only the identity of the individual making the request, but the e-mail domain itself.
Calling this a ‘sophisticated cyber-attack’ is, therefore, disingenuous. No technical controls were broken, no systems were compromised – this was an example of social engineering, through and through. As has proved so often to be the case, it’s not technical infrastructure, but an organization’s employees who are targeted – why expend a massive effort to circumvent and subvert information technology systems when employees can be manipulated to freely hand over the keys?
Second, are controls and procedures sufficient to prevent fraud? If we take a step back from the MacEwan fraud, weaknesses in internal accounting controls and practices are revealed. Removing the technological component entirely – had the spear phishing e-mail never come into play – would it have been appropriate for a ‘relatively low-level accounts payable employee’ to change deposit account information for a vendor – let alone a major vendor – with no oversight or approval? Should it have been appropriate for a payment to be released to a new account number (again – a payment in excess of $1M) with no verification of that new account information? Principles of separation of duties would seem to dictate that employees who have the authority to process payments should not have the authorization to change account numbers, and any such changes should be subject to review at a higher level – particularly given the sums of money involved.
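The two checks discussed above (the sender's e-mail domain, and independent review of a vendor bank-account change) can be expressed as a simple pre-payment control. This is an added illustration, not part of the original article; the vendor domain, field names and distance threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed vendor master data; a placeholder, not the real vendor's domain.
VENDOR_DOMAINS = {"acme-builders.example"}
MAX_DISTANCE = 2  # assumed threshold for "close enough to pass a cursory look"

def edit_distance(a: str, b: str) -> int:
    """Edit distance counting an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address: str) -> str:
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in VENDOR_DOMAINS:
        return "known"
    if any(edit_distance(domain, d) <= MAX_DISTANCE for d in VENDOR_DOMAINS):
        return "lookalike"
    return "unknown"

@dataclass
class BankChangeRequest:
    sender: str                 # From address on the e-mail requesting the change
    entered_by: str             # employee who keyed the new account details
    approved_by: Optional[str]  # second reviewer, if any
    account_verified: bool      # confirmed outside the e-mail thread

def review(req: BankChangeRequest) -> list:
    """Return reasons to hold the change; an empty list means none were found."""
    findings = []
    status = classify_sender(req.sender)
    if status != "known":
        findings.append(f"sender domain is {status}")
    # A matching domain proves nothing by itself, so these apply to every request.
    if not req.approved_by or req.approved_by == req.entered_by:
        findings.append("no independent approver")
    if not req.account_verified:
        findings.append("new account details not independently verified")
    return findings

if __name__ == "__main__":
    # Constructed request: one swapped letter pair in the domain, no oversight.
    print(review(BankChangeRequest("ar@acme-biulders.example", "clerk1", None, False)))
```
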
All of that said – how is a scenario like this transposed to the asset management sphere, and how can it be safely navigated? We’ve seen cases where social engineering attacks have cost hedge fund managers millions of dollars – in 2015, Fortelus Capital Management dismissed their CFO after he gave account information to a caller claiming to represent their bank (to the tune of a $1.2M loss). 2016 saw administrator SS&C sued by a client for authorizing the transfer of almost $6M to Chinese hackers – based on e-mail instructions from a spoofed address.
While it is unusual that a fund would have a $12M supplier, could a fund be exposed to smaller losses by an imaginative fraudster? Could a fund’s staffers be convinced to move money from a prime brokerage or other custody account to pay a new legal bill, a consultant’s fee, or a data feed invoice?
Going even deeper – does the administrator and / or fund manager validate that a redemption request is valid, and that the redemption payment is equally bona fide? One of Castle Hall’s clients raised specific questions around fund administrators’ procedures to process requests to change redemption payment account instructions. Responses were generally strong from top tier administrators: however, do all admins have appropriate levels of review to prevent a $50 million redemption being wired to the “wrong” account based on bogus instructions?
As another example, investors should consider the quality of controls in place to prevent fraud and validate asset existence when wiring money to purchase a private asset – be it a private equity stake, a portfolio of pharmaceutical royalties, or a payment to acquire a portfolio of mortgage servicing rights. “Flow of funds” documents within the private asset and private equity sphere can be complex. Castle Hall consistently encounters situations where more could be done to ensure that the chain of destination bank accounts that “touch the cash” are independently verified by administrators and other service providers. In too many cases, service providers simply accept documentation forwarded to them by a management company employee.
Castle Hall’s diligence has also identified risk within more complex private equity structures in relation to use of international SPVs (special purpose vehicles). Investments may be structured through holding companies and tax blockers in countries such as Ireland, the Cayman Islands, Holland, Luxembourg, Malta and numerous other offshore jurisdictions. Cash controls may rest with local service providers rather than the fund manager: due diligence should consider whether cash controls are in place for every jurisdiction and every account.
These potential weaknesses only serve to underline that cyber security is not a completely separate thought process – rather, security is an essential, integrated aspect of the asset management business.
The 'defense-in-depth' approach should not be limited to technical infrastructure: layered controls must be implemented to reduce risk and ensure that appropriate checks and balances exist and are being enforced. Security awareness must be instilled in employees as part of the corporate culture – defenses are often only as strong as their weakest component.
The best part of a comprehensive and robust procedure is that employees will follow it. Conversely, the worst part of an incomplete and poorly thought out procedure… is that employees will follow it.