Phishing: Exposing Control Weaknesses and Causing Catastophic Loss for Emerging Managers

Cybersecurity related problems for organizations of all shapes and sizes are a constant concern — with financial services being among the most vulnerable industries to a cyberattack based on the nature of business. Recent cases highlight how cybersecurity weaknesses in an investment fund complex can expose further control weaknesses and create a chain reaction that can cause an emerging fund manager to go out of business. Appropriate cybersecurity and other operational controls are critical to the sustainability of an emerging fund manager’s business.

Since 2015, the U.S. SEC’s Investment Management Division has issued cybersecurity guidance for investment advisers, broker-dealers, and investment fund complexes to help combat potential cyber-related losses in the financial services market. The substantial growth in the asset management industry has also forced the SEC’s Office of Compliance Inspections and Examinations (now called the Department of Examinations) to pay special attention to registered investment advisors (RIAs) and the cybersecurity controls in place at RIA firms specifically.

However, even with all of the cybersecurity guidance and attention, cyberattacks continue to rise in the financial services space. The decentralized nature of an investment fund complex, where multiple independent organizations are involved , offers a greater number of gateways for cybersecurity attacks. How do they get in? A popular and relatively easy method is phishing.

Phishing: the fraudulent act of sending an electronic communication, such as an email or text, where the sender poses as a familiar company/person to elicit the email recipient to reveal personal information, such as passwords and financial information.

Phishing scams shouldn’t come as a surprise. In the financial services industry, much is made about compliance with rules and regulations surrounding cybersecurity threats to investor privacy and identity protection, fair dealing and asset protection. However, the same level of consideration should be taken when focusing on employee training to identify various types of phishing attacks properly. Without it, good old fashioned human error in judgment and compliance will open the door to the perpetrators’ malevolent intentions every time.

One of the main purposes of a phishing attack can be to elicit payment fraud – the hacker cons a business and its bankers into issuing payments believed to be legitimate. This type of fraud has been around as long as commerce itself, but more recently, headlines talk of the asset management industry being more exposed to fraudulent payments, where it’s the victim instead of the perpetrator. Unfortunately, a scenario all too familiar are the Madoff-like schemes involving fraudsters posing as fund managers.

When “gatekeeper” weaknesses exist in the cybersecurity control environment, combined with multiple weaknesses in the manual control environment, payment fraud is more likely to occur. Payment initiation, authorization and completion often entail multiple people performing segregated duties in the payment processing cycle, with the segregation of duties being a fundamental element of good controls design. Within an investment fund complex, the payment processing cycle includes multiple organizations: an investment adviser, a fund administrator, transfer agent and bank, which may be completely separate, independent entities or some combination thereof – each with its own control environment. And with each control environment comes additional levels of vulnerability.

In some of the recent cases which have made headlines, further weaknesses in payment authorization controls have been involved in phishing scam success. Bypassing of required controls can be a significant weakness. At times, to the legitimate end user, payment authorization and verification controls can feel excessive. Dual-authentication, new device verification, security questions, password parameters and other protocols can feel like a teeth-grinding annoyance but each of these are cleverly designed to prevent certain types of criminal activity.

In these recent cases, multi-million dollar wires to first-time counterparty accounts (which were fraudulent) were processed by fund service providers based on email communication alone, and dual-factor authentication practices were bypassed. Additionally, there were no policies in place to verify the new counterparty and no daily reconciliation of cash payments to general ledger entries. By failing to catch the erroneous payments to the fraudulent counterparty via daily reconciliations, the payments had time to circulate through the financial system, making the funds harder to trace and recover. These all contributed to huge losses for the funds.

For a multimillion-dollar operating company, being defrauded out of hundreds of thousands or even a few million dollars can be difficult. But in the business of managing other people’s money, being the victim of even a relatively insignificant fraud measured in dollar terms can mean an irreversible loss of trust and a fatal strike to the integrity of the investment company complex. So what was a one-time ‘extraordinary loss’, can end up becoming a catalyst for full-scale liquidation and termination of the business entity.

Nonexistent cybersecurity measures and required training are not the problem when it comes to protecting against a cyberattack. Inconsistent training that doesn’t reinforce retention is the problem. This shortfall means most people are still not trained to spot legitimate phishing attacks or follow through on all the required steps of a robust controls design, every single time. Most companies train their employees once a year and/or don’t include high-value targets like executives, giving a false sense of capability. If a company is not doing frequent phishing training that reinforces the techniques of spotting a scammer’s email and how to handle the email, then they aren’t doing phishing training.

Since social engineering is still the most effective way to compromise any company’s cyber defenses, asset managers and other service providers to the investment fund complex need a robust control environment and consistent, reinforcing cybersecurity training. Without it, technical defenses and personnel behaviors will remain mediocre, allowing phishing to continue to be effective and painful. It’s also essential for all entities within the investment company complex to have a vulnerability assessment and penetration test of the IT infrastructure.