How to manage the constantly evolving threat of cybercrime
Maria Long, Content and Research Director at the SBAI, explains the three main types of cybercrime faced by fund operators and how firms can protect themselves against them.
Sara Benwell POSTED ON 4/12/2021 12:24:30 PM
Sara Benwell: How vulnerable are asset managers and other fund operators to cyber breaches?
Maria Long: Cybercrime is a constantly evolving threat. The attacks are getting more sophisticated and asset managers present an attractive target due to the routine transfers of large amounts of money.
Historically, cash controls were aimed at preventing internal fraud rather than external intrusions. However, vulnerability has increased in the last 18 months with the remote working environment (a trend that is expected to continue at least in part).
When you are not in the office you cannot easily verbally verify with colleagues “whether something looks right”, which increases the risk of frauds occurring.
Cybersecurity is one of the areas the Standards Board for Alternative Investments (SBAI) has covered extensively in recent years, helping managers build resilience against cyber-attacks and specifically protecting against cyber and payment process breaches.
The SBAI’s Toolbox Resources on Cybersecurity complement the SBAI Alternative Investment Standards, which promote strong governance and address other key operational risks within the asset management industry.
Sara: What are the specific types of fraud targeting fund operators?
Maria: There is a spectrum of cyber frauds ranging from simple through to more sophisticated attacks in three broad categories.
The first is fraudulent invoicing, which is really simple, but ultimately quite successful. A fake invoice is sent to either the company or the fund to be settled. It can be sent from a spoof vendor address or from somebody who has compromised your business emails. It often comes with a sense of urgency that scares the person into acting quickly and reduces the time to think.
The second is a fraudulent payment request purporting to be from a senior manager but sent through a spoofed or compromised email address. Again, it has a sense of urgency that the employee is going to get into trouble because this money needs to be transferred immediately or should have been transferred already.
Thirdly, a request to change payment details, where someone tries to amend the settlement details of a genuine payment, so it is paid into the attacker’s bank account. This has been seen at fund administrators, manifested in the form of fake capital call notices – which due to the manual nature of these notices can be quite easy to fake.
There have also been instances of people contacting the administrator to fraudulently change the bank details of an investor so that any redemption proceeds get paid to the attacker’s account.
The cyber element to these frauds is the compromise of business email where the attacker gains access to the email systems to either generate fake requests or obtain information to help enact a fraud.
Attackers will typically target senior executives, finance teams, and IT administrators, because those people either have the authority to instruct payments or they have administrator rights within a system to grant authority to other people.
Sites like LinkedIn and other social media can help attackers identify these roles and even when they will be out of office i.e., when traveling or attending a conference. Information like this allows the attacks to be very timely and personalised, which makes it much harder for someone to spot that it is fake.
Sara: Given how easy it is for fraudsters, what are the steps that organizations can take to protect themselves?
Maria: One of the best controls is to use electronic payment portals because they introduce restrictions or use multiple authorisations that can be systematically enforced. It means that nobody can react on their own quickly – you must go through the prescribed steps. It also means you are not communicating payment requests through email.
You can complement this by involving an independent third party, such as a fund administrator, outsourced middle-office provider, or custodian.
If you cannot do this for genuine reasons, for example investing in jurisdictions where the technology is not as advanced, using passwords for e-mail attachments is a good security protocol. But do not communicate passwords via email (which may already be compromised), communicate it by phone, Bloomberg chat or another non-email-based method.
Ideally you should have different levels of review and authorisation for different sized payments. So, the larger the payment, the more people that should be looking at it.
Call-backs are another really important tool. Your fund administrator or middle-office provider should do a call-back with the asset manager so they can verify a transaction is valid, and call-backs should be completed with vendors where new settlement details are provided.
Again, the important thing is not to use the number listed on the invoice or the payment request to verify its accuracy. Call a number that you have looked up via an official website, through your own web search, or a known contact phone number.
In addition to preventative controls, there should also be detective controls to identify any suspicious transactions as soon as possible. Controls like regular cash reconciliations and reviewing invoices against budgets to make sure they are expected and reasonable. Otherwise, you have another weakness in the process.
Sara: Where within an organisation should preventing cyber sit?
Maria: There was a point in time where cybersecurity was just seen as a technology issue, but it is not the case anymore. For it to be effective, it needs to be everybody's responsibility.
Staff need to be regularly trained. They need to understand what to look out for.
Everyone needs to be aware that they are the line of defence against these attacks. But in terms of ultimate control, I think that both regulators and investors now expect there to be senior oversight on cybersecurity and not just from the chief technology officer.
Sara: What role does technology play in all of this?
Maria: I think it absolutely plays a part, but in conjunction with the kind of standard cash and payment controls that we talked about. The SBAI’s Toolbox Memo on Cash Handling and Cyber Security demonstrates a number of ways that technology and process controls can be combined to protect payment processes.
You can use technology to mitigate email risk; for example, multifactor authentication can be used to secure access to your email and particularly external access, which tends to be a very vulnerable point. If anybody can get into your portal, then that negates any preventative measures.
You can do things like disable automated forwarding of emails outside of the organisation, which can be another method of compromise. Another simple one is to get the email software to identify external emails - it comes up with a big red flag that takes away the onus on the employee to be scrutinising email addresses.
You can also purchase domain names that are similar to your firm’s to avoid attackers taking control of these web addresses and using them to spoof emails. It is usually relatively cheap to purchase these.
Sara: What are some of the consequences for failing to protect?
Maria: Everybody understands the financial consequences, but I think the reputational consequences are often not thought about and they can last longer. Investors may lose trust in the asset manager and if it is made public that your cash controls have failed, that is going to be a big red flag.
People's personal reputations can also be damaged and there have been instances of people being fired over breaches in these controls. Payment control failures can have serious direct personal, financial and legal consequences.