When a pension fund has taken a position in an investment asset and needs to fund that position, it engages in a business process known as a Capital Call. A communication stream is initiated and the transfer of funds begins: an investment manager requests funding of the position by notifying the Chief Investment Officer or a representative from the investments department. This starts an internal process in which funds are frequently transferred from custodial accounts to external parties.
There are many points in this communication stream where a threat actor can insert themselves, with the end goal of redirecting the funds to themselves. Understanding how threat actors can compromise the Capital Call process, establishing controls that check the legitimacy of each transaction, and working with investment groups are crucial to protecting a fund's assets.
It may be that a threat actor has already compromised the email account of a fund employee involved in the funding process via a phishing attack. They may not strike right away; as advanced persistent threat actors tend to do, they wait for an opportunity to take advantage of their escalated access. For instance, they can read the minutes of closed investment committee meetings to learn what positions the fund is looking to take. Once they know the investment positions, they can insert themselves into the communication stream and request a transfer of funds themselves.
A less sophisticated threat actor can also attempt to impersonate the investment manager or other staff in order to compromise a staff member. They may present themselves as the Chief Investment Officer asking the Chief Financial Officer to transfer funds to an external account, or they may present themselves as a third-party representative.
While no one wants to believe they could be subjected to insider threats from their own staff, fund employees can manipulate internal transactions in their favor. In fact, the insider threat is the second largest cybersecurity risk to organizations, second only to phishing attempts. If an employee is privy to valuable insider information, they can use this knowledge to compromise internal controls and redirect funds for their own benefit, or provide the information to an external collaborator to act on.
If a fraudulent Capital Call transaction is processed and remains undetected, it can be hard to trace and recover financial transactions over time. Having the right cybersecurity controls in place can help prevent these transactions from occurring or stop ones in progress. Some controls that can be implemented by organizations include:
- Role-based separation of duties to ensure that no one person can see the Capital Call process all the way through
- Continuous background checks to detect changes in a staff member's financial situation
- Confirmations from multiple parties via an encrypted communication channel
It is important to make sure that these controls are present not just at the pension fund but at third-party investment partners as well, so it is advisable to have an agreement with investment managers covering the management of cybersecurity risk. Many investment firms operate opaquely with regard to back-office operations, and many of them may not have gone through the Service Organization Controls (SOC) accreditation process. A pension fund working with third-party firms should validate that due diligence is being performed internally at these service organizations.
Ensuring your staff is properly trained is one of the strongest deterrents to cyber threats. It is important to hold training sessions regularly so that general cybersecurity awareness stays fresh in the mind of every employee. When employees receive a deceptive-looking email, they will be better able to judge its validity.
Key staff members should receive role-based training so that they understand the business risks inherent in the tasks they perform and, as mentioned above, role-based separation of duties is needed to ensure the integrity of a sensitive business process. There should be distinct roles for each team member within the Capital Call process, including payment requesters, recipients, and processors. Furthermore, all parties to the financial transaction should be verified at every stage.
Employees also need to be trained to use the appropriate technology. IT should deploy systems for managing sensitive transactions that do not rely on email as the vehicle for initiating a transaction, and all team members should be well-versed in using encrypted communication channels.
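As an added illustration (not code from the original article or from Linea Secure), here is a small Python guard that encodes the controls just described: a distinct owner for each of the requester, approver and processor stages, re-verification of the beneficiary account at every stage, and confirmations that count only when they arrive over an encrypted, non-email channel. The stage names, channel labels, staff identifiers and account identifiers are assumed placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical stage names covering the roles named above: requester, approver, processor.
STAGES = ("request", "approve", "process")
# Assumed labels for the confirmation channels the fund accepts (email is deliberately absent).
ACCEPTED_CHANNELS = {"encrypted_portal", "encrypted_callback"}


class ControlViolation(Exception):
    """Raised when an action would break one of the controls."""


@dataclass
class CapitalCall:
    call_id: str
    beneficiary: str  # account recorded when the call was opened
    stage_owner: dict = field(default_factory=dict)  # stage -> staff id who performed it
    confirmations: set = field(default_factory=set)  # parties who confirmed out of band


def record_stage(call: CapitalCall, stage: str, staff: str, beneficiary: str) -> None:
    """Record that `staff` completed `stage`, re-verifying the beneficiary they were given."""
    done = len(call.stage_owner)
    if done >= len(STAGES) or stage != STAGES[done]:
        raise ControlViolation(f"{call.call_id}: stage {stage!r} out of order")
    if staff in call.stage_owner.values():  # separation of duties: one stage per person
        raise ControlViolation(f"{call.call_id}: {staff} already handled a stage")
    if beneficiary != call.beneficiary:  # a changed account mid-process is the redirect pattern
        raise ControlViolation(f"{call.call_id}: beneficiary differs from the original call")
    call.stage_owner[stage] = staff


def confirm(call: CapitalCall, party: str, channel: str) -> None:
    """Count a party's confirmation only when it arrived over an accepted encrypted channel."""
    if channel not in ACCEPTED_CHANNELS:
        raise ControlViolation(f"{call.call_id}: confirmation via {channel!r} not accepted")
    call.confirmations.add(party)


def release_allowed(call: CapitalCall, min_confirmations: int = 2) -> bool:
    """Funds may move only after every stage has a distinct owner and enough parties confirmed."""
    return len(call.stage_owner) == len(STAGES) and len(call.confirmations) >= min_confirmations


if __name__ == "__main__":
    # Constructed walk-through of a clean call (all identifiers are placeholders).
    cc = CapitalCall("CC-0001", "ACCT-ESCROW-01")
    for stage, staff in zip(STAGES, ("inv_manager", "cio", "treasury_ops")):
        record_stage(cc, stage, staff, "ACCT-ESCROW-01")
    confirm(cc, "inv_manager", "encrypted_portal")
    confirm(cc, "gp_back_office", "encrypted_callback")
    print("release allowed:", release_allowed(cc))
```

In a real deployment the same checks would sit in the transaction system rather than in a script, with every rejected action logged for the security operations team.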
There are many different threats to the Capital Call process, but with strategic cybersecurity planning and continuous training, your organization can effectively manage and mitigate cybersecurity risks to your business operations. Linea Secure's consulting team can help provide the strategic cybersecurity solutions necessary to help your organization achieve its goals.