What keeps compliance officers up at night? The knowledge that if their firm hasn’t already had a cybersecurity close-call or successful hacking attempt, it will. No matter how up-to-date and comprehensive your firm’s cybersecurity policies and procedures are, hackers will find weak points to exploit, not least because some of those weak points lie outside your control.
Chief compliance officers shared their real-life nightmare scenarios at PEI’s Private Funds Compliance Forum in New York on May 24, and provided some tips for how to avoid similar situations.
Invasion of the voice snatchers
Hackers are bad actors, but they can also be convincing actors, pretending to be people they are not. One compliance professional shared a story about hackers who tried to commit wire fraud by creating a fake audio recording of the firm’s CEO. They used comments the CEO had made at public speaking engagements and on television to create a phony message to employees telling them to make a wire transfer to a valued LP.
As the compliance team uncovered the trail of events, they found that the hackers had somehow been able to identify the most appropriate LP to make the fake phone call about – one with a personal relationship to the CEO – filling in gaps to mimic the CEO’s voice with advanced audio effect techniques. The result was a fake phone message that might lead staff to think, “Yeah, we might do something out of the ordinary for this LP,” the compliance pro said.
Ultimately, the plan was foiled before any harm was done. But the lengths that the hackers went to are still worrisome. “That’s how good they’re getting and we just always have to be better,” the compliance officer said. It is critical for CCOs to continually review their processes and controls, she said. Firms need to “get ahead of how the bad actors are changing so that they can get ahead of those controls.”
The (fraudulent capital) call is coming from inside the house
For hackers, it’s all about getting into your firm’s systems without your knowledge. But sometimes the weak points they exploit to get in the door aren’t even in your house.
“Just a few weeks ago an LP reached out and said, ‘I just want to confirm that you’ve changed your wire instructions related to this capital call’,” said one CCO at the Forum. “I said, ‘We didn’t change any wire instructions, what are you talking about’?”
The firm did have a deal in the works, and had indeed posted a capital call to its investor portal – firm policy dictates that capital calls are never issued by email. The individual investor in question, not themselves much of a technophile, used a simple AOL email address and, likely, the same password for that account as for the investor portal.
“They must have had access to the investor’s [AOL account],” the CCO said. The hackers then accessed the capital call on the investor portal and changed the wire instructions, then emailed those instructions to the investor from a spoofed account that looked similar to the firm CFO’s.
“How could you let this happen?” the investor wished to know.
“The vulnerability of your LPs, or any third party, but particularly individual [investors] – that is where the vulnerability lies,” said one general counsel.
But they won’t necessarily take responsibility, the CCO said. “They’re gonna blame us,” even if the problem didn’t originate with the team, he said.
One way to shore up that vulnerability — which is of course made up of a multitude of vulnerabilities — is to ensure better verification methods for access to investor portals.
“I had to reach out to all investors [and tell them], ‘No more single sign-on. Everyone’s on dual factor [identification],’” the CCO said. “And I had to get into a fight with our IR team, who said, ‘We’re going to get so many complaints about this.’” To which the CCO responded: “You know what you’re going to get a lot more complaints about? Investors wiring money to fraudulent accounts and then losing that money forever.”
Steps to prevent such attacks are sometimes obvious, though that is not to say they are universally taken. “We tend to be high-touch, customer service-oriented, problem solving [businesses] for our investors, and that, unfortunately, is one of the biggest vulnerabilities,” said the general counsel. Staying safe from unwanted intruders may even come down to instructing IR staff not to simply give out a password when a caller claiming to be an investor asks for it.
“Because invariably [real investors] call and say ‘Why can’t I get in and get my capital call, can you just give me my password, I don’t know what it is.’”
Make training fun
Best practices to prevent fraud include regular staff testing to see if they fall for phishing scams; regular training sessions and email reminders of policies, procedures and best (and even common sense) practices; and so-called “micro-training,” in which staff take regular, brief online training sessions on specific focus areas.
The CCO also recommends gamifying cybersecurity practices. “Gamification gets buy-in” from staff, he said. At his firm, regular phishing tests go out to staff, and the first person to identify it gets a trophy, in the shape of a fish, as well as a gift certificate. Staff now proudly compete for the fish trophy, which changes hands monthly, he said.
Tabletop exercises are also important to ensure everyone understands exactly what they need to do. When an attack is successful, firms usually have a matter of hours to do damage control. And if LP data was lost, some states dictate that they must be notified within just a day or two.
“I can’t stress enough how valuable it was for us to actually sit down and pretend that [an attack] was actually happening,” the CCO said of tabletop exercises. “You might train your employees, you might do everything and get all the buy-in [from staff] in the world. But you need to train yourself to figure out what to do, who to call,” he said.
“If you’re not prepared, if you haven’t trained yourself for that, you’re not going to succeed.”
This article first appeared in affiliate publication Private Funds CFO