Managing Cybersecurity Risk in the Investment Area – a Focus on the Capital Call Business Process
By: Peter Dewar and Joe Potischman, Linea Secure
Understanding how threat actors can compromise the Capital Call process, establishing controls to check the legitimacy of a transaction, and working with investment groups is crucial to protecting a fund's assets.
This is an excerpt from NCPERS Winter 2023 issue of PERSist, originally published January 5, 2023.
When pension funds have taken a position on an investment asset and need to fund that position, they engage in a business process known as a Capital Call. This initiates a communication stream and a transfer-of-funds process: the investment manager requests funding of the position by notifying the Chief Investment Officer or a representative of the investments department. That request starts an internal process in which funds are transferred, often in several steps, from custodial accounts to external parties.
There are many points at which a threat actor can insert themselves into this communication stream, with the end goal of redirecting the funds to themselves. Understanding how threat actors can compromise the Capital Call process, establishing controls to check the legitimacy of a transaction, and working with investment groups is crucial to protecting a fund's assets.
Potential Risks in the Capital Call Process
It may be that a threat actor has already compromised the email account of a fund employee involved in the funding process through a phishing attack. They may not strike right away; as advanced persistent threat actors tend to do, they wait for an opportunity to take advantage of their elevated access. For instance, they can read the minutes of closed investment committee meetings to learn which positions the fund is looking to take. Once they know the investment positions, they can insert themselves into the communication stream and request a transfer of funds themselves.
A less sophisticated threat actor can instead attempt to deceive a staff member by impersonating the investment manager or other staff. They may present themselves as the Chief Investment Officer asking the Chief Financial Officer to transfer funds to an external account, or they may present themselves as a third-party representative.
While no one wants to believe they could be subjected to insider threats by those on their staff, fund employees can manipulate internal transactions in their favor. In fact, the insider threat is the second largest cybersecurity risk to organizations, second only to phishing attempts. If an employee is privy to valuable insider information, they can use this knowledge to compromise internal controls and redirect funds to their benefit or provide the information to an external collaborator for them to act on.
Establishing Cybersecurity Controls to Prevent Fraud
If a fraudulent Capital Call transaction is processed and remains undetected, it can be hard to trace and recover financial transactions over time. Having the right cybersecurity controls in place can help prevent these transactions from occurring or stop ones in progress. Some controls that can be implemented by organizations include:
Role-based separation of duties to ensure that no one person can carry the Capital Call process through from start to finish on their own
Continuous background checks to detect changes in a staff member's financial situation
Confirmations from multiple parties via an encrypted communication channel
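The three controls above can be expressed as a release gate that a treasury or investments system enforces before a wire leaves the custodial account. The following Python is an added illustration written for this article, not code from the article or from Linea Secure: the role names, the registry of manager bank accounts agreed at onboarding, the confirmation threshold, and the sample people and amounts are all constructed assumptions. It enforces that the initiator, approver and releaser are three distinct people, that the destination account matches the one registered for the manager (so a redirected payee is caught even when the request itself looks legitimate), and that the required number of confirmations from separate parties has been collected before release.

```python
"""Release gate for a Capital Call: separation of duties, registered-payee check,
and multi-party confirmation.  Added example; all names and values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Role(Enum):
    INITIATOR = "initiator"  # records the manager's funding request
    APPROVER = "approver"    # authorises the amount and destination
    RELEASER = "releaser"    # executes the transfer from the custodial account


@dataclass(frozen=True)
class Person:
    name: str
    roles: frozenset


@dataclass
class CapitalCall:
    manager: str                 # investment manager making the request
    amount: int                  # whole dollars; constructed sample values
    destination_account: str     # account the request asks to be paid into
    initiated_by: Person
    approved_by: Optional[Person] = None
    confirmed_by: Set[str] = field(default_factory=set)  # parties confirming on a separate channel


# Hypothetical registry of bank accounts agreed with each manager at onboarding.
REGISTERED_ACCOUNTS = {"Example Growth Partners": "ACCT-REG-001"}
# Hypothetical policy: confirmations from this many distinct parties before release.
REQUIRED_CONFIRMATIONS = 2


def require_role(person: Person, role: Role) -> None:
    if role not in person.roles:
        raise PermissionError(f"{person.name} does not hold role {role.value}")


def approve(call: CapitalCall, approver: Person) -> None:
    """Record approval; the person who initiated the request may never approve it."""
    require_role(approver, Role.APPROVER)
    if approver.name == call.initiated_by.name:
        raise PermissionError("initiator may not approve their own request")
    call.approved_by = approver


def confirm(call: CapitalCall, party: str) -> None:
    """Record that a party confirmed the call over a channel separate from the request."""
    call.confirmed_by.add(party)


def release_checks(call: CapitalCall, releaser: Person) -> List[str]:
    """Return the list of control failures; an empty list means the wire may be released."""
    failures = []
    if Role.RELEASER not in releaser.roles:
        failures.append("releaser lacks RELEASER role")
    if call.approved_by is None:
        failures.append("no approval recorded")
    # Separation of duties: initiator, approver and releaser must be three people.
    names = [call.initiated_by.name, releaser.name]
    if call.approved_by is not None:
        names.append(call.approved_by.name)
    if len(set(names)) != len(names):
        failures.append("same person holds more than one step of the process")
    # Registered-payee check: a changed destination is the classic redirection sign.
    registered = REGISTERED_ACCOUNTS.get(call.manager)
    if registered is None:
        failures.append(f"no registered account for manager {call.manager}")
    elif call.destination_account != registered:
        failures.append("destination account differs from the registered account")
    # Multi-party confirmation threshold.
    if len(call.confirmed_by) < REQUIRED_CONFIRMATIONS:
        failures.append(f"only {len(call.confirmed_by)} of {REQUIRED_CONFIRMATIONS} confirmations")
    return failures


if __name__ == "__main__":
    alice = Person("Alice", frozenset({Role.INITIATOR}))
    bob = Person("Bob", frozenset({Role.APPROVER}))
    carol = Person("Carol", frozenset({Role.RELEASER}))
    call = CapitalCall("Example Growth Partners", 2_500_000, "ACCT-REG-001", alice)
    print("before approval:", release_checks(call, carol))
    approve(call, bob)
    confirm(call, "investment manager (phone callback)")
    confirm(call, "custodian")
    print("after controls:", release_checks(call, carol))
```

The gate is deliberately a pure function over the request's recorded state, so the same checks can run at release time and again in an after-the-fact review of calls that were already paid.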
It is important to make sure that these controls are present not only at the pension fund but at third-party investment partners as well, so it is advisable to have an agreement with investment managers on the management of cybersecurity risk. Many investment firms operate opaquely with regard to back-office operations, and many of them may not have gone through the Service Organization Controls (SOC) accreditation process. A pension fund working with third-party firms should validate that due diligence is being performed internally at these service organizations.
Peter Dewar, President:
Peter Dewar has over 25 years of experience in cybersecurity and leads the cybersecurity practice for the Linea group of companies that provide services across the United States and Canada. Under his leadership Linea has developed a Pension Cyber Security Framework (PCSF) to complement the generalized standards for protecting information systems. The PCSF focuses on the business process employed, services provided, and technology utilized by pension and benefits organizations, and devises controls to minimize and mitigate the inherent cybersecurity risk experienced by the industry.
Peter has a Master's degree in Information Systems from the George Washington University, a Bachelor's degree in Information Systems from the University of the District of Columbia, is a Certified Information Systems Security Professional (CISSP), Certified Data Privacy Security Engineer (CDPSE), and has received certificates of achievements from the Harvard Kennedy School of Government, Gartner CIO Academy, and International Foundation of Employee Benefit Plans.
Joe Potischman, Marketing Specialist:
Joe Potischman is the marketing specialist for Linea Secure, with over 5 years of experience in the professional services industry. Through his work, Linea has been able to present at over 15 separate engagements and has been published by multiple pension and benefit associations. Joe has a Master's degree in Communication, Culture & Technology from Georgetown University and a Bachelor's degree in Intercultural Communication from the State University of New York at Geneseo. He has also received a Certificate of Achievement in Public Plan Policy from the International Foundation of Employee Benefit Plans (IFEBP). Prior to working for Linea, he managed CommLawBlog, an award-winning blog on Communications Law & Policy.