How likely is the average private equity or venture capital firm to be targeted for wire fraud?
According to Michael Brice, President of BW Cyber Services: It is EXTREMELY likely. Moreover, if you also include the newly emerging, highly targeted wire fraud attacks that are successfully being directed at the PE & VC investor base – it’s not a matter of if, but when.
According to Brice, the continued escalation in successful PE and VC wire fraud is due directly to two key factors: COVID-19 and lack of investor awareness. Most notably, he relayed that COVID-19 has resulted in most PE and VC firms allowing (or requiring) their employees to work remotely. While technology has uniquely allowed remote operations to become ubiquitous, technical cyber protections supporting employees’ home-based operations have not caught up. Instead, Brice noted that key security measures are concentrated on the network at the office and not at the employee’s home PC. Moreover, while most PE and VC firms have addressed the increased threat of wire fraud by adding operational controls on their outbound wires – voice confirmations being the most notable measure taken – he continues to see very little focus on additional controls associated with LP and investor inbound wires, such as the valid wires that are sent by LPs and VCs in response to an initial investment, capital calls, etc.
As a consequence, Brice believes criminals have found it much easier to trick investors by redirecting valid wires intended for the PE or VC in a fraudulent manner. When you couple these two issues (remote operations and targeting of inbound wires), you have what he refers to as a “Perfect Storm” for overseas criminals conducting wire fraud with almost zero threat of prosecution.
To make matters worse, Brice relayed that “most firms won’t know that their security isn’t working until a breach has already occurred.” Most often, it takes a firm weeks or even months to become aware of an issue, at which time their opportunities for mitigation have already run out. And if the issue involves a wire fraud, “there is normally just a small window of time in which a wire can be retrieved before it’s gone forever – typically the first 72 hours. Within this limited window, it is critical that both the FBI and related banking institutions are notified of the fraud immediately,” Brice continues.
The increasing sophistication of these bad actors, compounded by the lack of investor awareness, has put countless firms and even more investors at risk. And to make matters worse, Brice believes that unless and until these overseas cyber criminals are held accountable, wire fraud will continue to increase. According to global cybersecurity experts like Brice, it’s time for firms to be proactive instead of reactive when it comes to wire fraud. Below, we highlight the three key ways to kick off wire fraud risk mitigation and how your private equity or venture capital firm can protect itself and its investors/trading partners more effectively and reliably.
- Mitigate wire fraud risk with firm-wide education
Cybersecurity awareness and formal wire fraud training must become a fundamental practice for private equity and venture capital firms of all sizes. “It’s not enough to outsource cybersecurity to an IT vendor,” says Brice. “Great risk mitigation practices start and end with the employee base.” Put simply, firms can install endless firewalls and security software platforms, but employees are currently and will always be the most common entry points for phishers and bad actors. That’s why information sharing, hyper-awareness and vigilance, as well as continuous cybersecurity training for employees must be a pillar of the firm’s wire fraud risk mitigation program.
- Mitigate wire fraud risk with codified policies
One of the best ways to mitigate the risk of wire fraud is to put codified policies in place within your venture capital or private equity firm. “The firm’s rules, regulations, and procedures relating to wire fraud should not only be established by the firm’s leadership but should be written down and easily accessible by employees,” says Brice. “Importantly, a lack of adherence to these policies should have consequences that the employee base understands.” By creating a sense of urgency around the prevalence of the risk, firms can train their employees to better understand their individual responsibilities. While employees may be familiar with the security measures for recurring payments, having a codified policy for abnormal or one-time payments, for example, can have an outsized impact on protecting the firm against risk.
- Mitigate wire fraud risk with technical controls
While it’s easy to feel at ease when your private equity or venture capital firm enlists the help of an IT vendor, it’s important to have both verification of these human-led support systems and technical controls in place. “Firm leadership must assume that bad actors know your systems, people, protocols and the law better than you and your IT support staff do,” says Brice. “While following the guidance of IT and cybersecurity experts helps, restricting access to personal accounts, completely shutting down at-risk platforms like the Office web application, mandating multi-factor authentication and other technical controls are the best way to mitigate wire fraud risk.”
Mitigating the risk of wire fraud is a challenge for many private equity and venture capital firms, but it is an area of critical business risk that cannot be ignored. “Thoughtful protocols and technical solutions that address wire fraud holistically like WireSecure are essential to addressing this multi-billion dollar problem,” says Brice.