While most private capital firms are well prepared to detect and prevent internal fraud, many are simply not equipped to deal with cyber-fraud.
During a recent webinar held by WireSecure, entitled “Mitigate Wire Fraud Risk in Private Capital Markets,” it was noted that the threat of wire fraud in private capital markets has reached critical mass. In 2020, the FBI noted more than 19,000 reported cases totaling over $1.8 billion in losses, a 69 percent increase in complaints from the prior year.
And that’s just what was reported. There are likely many more victims, but in many cases they choose not to report due to reputational risk.
“Anyone who says they haven’t experienced cyber-crime is lying to you,” said Anthony Mascia, co-founder and managing partner of Essential Fund Services International.
Scott Neuberger, co-founder and managing partner of Karmel Capital, said his firm has experienced wire fraud. Neuberger related that he was inclined to push through a payment to a broker even though he didn’t verbally verify wire transfer simply because “everything seemed right.” However, he finally did a verbal verification of the transfer request and found out the broker never sent the transfer instructions.
“This was someone I talked to frequently, via email and phone, so I really thought the transfer request looked right. It shows that you always have to verify,” Neuberger added.
One reason for the increasing numbers of cyber-crimes has been the covid-19 pandemic. According to Michael Brice, founder and president of BW Cyber Services, most PE firms allowed employees to work remotely. However, security measures in place at the office and on firm equipment are not in place at an employee’s home and on personal devices, making firms more vulnerable to cyberattacks.
In order to prevent wire fraud, firms need to understand the threat, how it affects them and what to do to prepare for it.
The first thing firms must do is develop, implement and maintain codified policies and procedures relating to wire fraud.
But it’s not enough to have the policies; employees need proper education and training. Brice advised firms to train employees on their policies at least quarterly, and to make employees attest to the training at least annually.
According to Brice, “Great risk mitigation practices start and end with the firm’s employees, because they are the most common entry points for phishing scams and other types of cyber-fraud.”
Neuberger agreed employee training is crucial to preventing wire fraud.
“You need to make sure people understand your policies and procedures. I would suggest quarterly training, at least,” Neuberger said.
“And, you want to be sure your employees can recognize something that is not normal to prevent a fraudulent transfer,” he added.
Technology is also a useful tool to firms who have implemented cybersecurity policies and procedures, and are properly training employees.
“Technology can act as an additional control when the human factor fails,” Brice noted.
Finally, Mascia said one area of risk that firms may overlook is their third-party vendors.
“You have to make sure your third-party vendors are buttoned up when it comes to cybersecurity. All of the internal controls and training in the world won’t help you if those perpetrating the wire fraud are getting at your firm through your third-party vendors,” Mascia explained.
“At the very least, make sure your third-party vendors are following your own security policies and procedures,” he added.