Dealing with Security Breaches and Cyber Fraud through Scam Websites
Practical advice should your asset management firm and/or fund be subject to an illegitimate cloning of your identity.
The Central Bank of Ireland (the “CBI”) published a letter to industry on 10 March 2020 outlining the key findings from their thematic inspection (the “Thematic Inspection”) of cybersecurity risk management in asset management firms (the “Industry Letter”).
The Thematic Inspection took place against the backdrop of a working environment that has since changed dramatically, at least temporarily. Its findings are, however, even more relevant now that most people are working remotely and processes and policies are being placed under varying strains. Typically, financial services organisations and their service providers might have between 10% and 15% of their workforce working remotely. At present this is more likely to be closer to 95%, and consequently the cybersecurity threat is heightened.
The Industry Letter and subsequent CBI speeches remind Investment Firms and Fund Service Providers (“Asset Management Firms”) that the responsibility for ensuring that cybersecurity is ingrained in their firm’s governance rests with the board of directors and senior management. A summary of the CBI’s non-exhaustive expectations is as follows:
- Cybersecurity Risk Governance: Asset Management Firms should have a “comprehensive, documented and Board-approved IT and cybersecurity strategy”.
- Cybersecurity Risk Management: The cybersecurity risk management framework should ensure related risks are identified, assessed and monitored.
- Information Technology (“IT”) Asset Inventories: Asset Management Firms must conduct and maintain a thorough inventory of IT assets.
- Vulnerability Management: Vulnerabilities should be assessed on a continuing basis; Asset Management Firms should identify both external and internal vulnerabilities and put appropriate, robust safeguards in place.
- Security Event Monitoring: Security events and incidents should be detected on a timely basis and Asset Management Firms should ensure that all assets containing or processing critical data are monitored.
- Security Incident Management: Asset Management Firms should have a documented cybersecurity incident response and recovery plan in place outlining what actions will be taken during and after a security incident.
The CBI have followed up with individual firms to ensure that they are taking steps to enhance their cybersecurity resilience and to minimise the risk to themselves and to the wider industry from a cyber-attack. It will be particularly important that all firms that delegate key functions to third party service providers are confident that these delegates have in place, and adhere to, appropriate cybersecurity systems. Boards should be requesting regular updates from these delegates.
Practical examples of cyber-attacks
Many investment funds have experienced cyber-attacks through bogus redemption requests and attempts to circumvent what are usually robust anti money laundering protections. These cyber-attacks have increased over the past year.
The creation of elaborate “scam” websites has become an increasingly common threat for both asset managers and investment funds, with several experiencing multiple attacks within a short timeframe. Funds and asset managers have had their names and identities cloned using very sophisticated methods, which in some circumstances has resulted in significant losses to unsuspecting investors who have subscribed to the ‘cloned’ funds on foot of the “scam” website. The fraudsters behind this are luring investors to “scam” websites which promote fake investment opportunities, assets or shares. In each case, the property or opportunity is either non-tradeable, valueless, unreasonably expensive, or simply does not exist.
There has been a noticeable increase in the creation and registration of domain names for financial firms, not all of which are genuine. The CBI has warned in recent press releases, relating to detected unauthorised firms, that cloning of legitimate firms’ details has become increasingly common, with fraudsters quoting a combination of legitimate authorisation numbers/company registration numbers, addresses and links to seemingly legitimate websites for the purpose of this fraud.
We have set out below a list of practical steps to follow should your asset management firm and/or fund be subject to an illegitimate cloning of your identity. Any additional steps to be taken will need to be considered on a case by case basis.
- Notify the Board of Directors of the cloned fund.
- Notify the administrator of the fund and other fund service providers.
- Notify the CBI (in the context of an Irish fund/asset management firm).
- Consider whether any regulatory authorities in other jurisdictions need to be notified (for example, the information on the “scam” website may refer to the cloned firm being authorised by a regulatory authority in another jurisdiction).
- Notify the Irish Garda National Economic Crime Bureau and, where relevant, the police force in the jurisdiction of any impacted investor.
- Advise any impacted investor to also separately report the matter to the relevant regulatory authority and police force, as well as notifying their banking institution of any transaction details in the event monies have been subscribed to the ‘cloned’ fund.
- Notify the investors in the relevant funds and include appropriate ‘alerts’ on relevant official websites.
- Contact the host domain to shut down the fraudulent website.
- Contact the relevant internet search engine to remove the fraudulent website from its search results.
- Prepare a cease and desist letter provided that local law enforcement and regulators confirm that this will not result in “tipping off”.
- To the extent possible, purchase domain names similar to those of your firm/fund. This is something which a fund/asset management firm should bear in mind when establishing a fund at the outset.
In addition, some asset management firms have engaged with internal and external forensic teams to combat the cyber threats posed by “scam” websites. Once reported to local law enforcement you should ensure that there is regular follow up to monitor how investigations are progressing.
We would encourage all asset management firms/funds to regularly check that their websites have not been cloned. If a cloned website is discovered, regard should be had to the practical steps outlined above and prompt action taken.
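The two defensive points above, registering domain names similar to your own at the outset and regularly checking for cloned sites, both depend on knowing which lookalike names to watch for. The following Python script is an added illustration, not code from the article or from Dillon Eustace: it generates the lookalike registrations a firm would most want to either pre-register or monitor (alternative top-level domains, single-character omissions, easily confused characters such as “rn” for “m”, and common affixes suggesting affiliation), and then screens a list of newly observed domain names against that watch-list. The firm domain `examplefund.ie`, the `OBSERVED_DOMAINS` feed and the affix lists are constructed for the example; in practice the feed would come from a domain-monitoring or certificate-transparency service.

```python
"""Generate a lookalike-domain watch-list for a firm's own domain and screen
newly observed registrations against it (defensive monitoring for cloned sites)."""

# Constructed firm domain for the example; not a real fund's website.
LEGIT_DOMAIN = "examplefund.ie"

# Character sequences commonly confused with one another in an address bar.
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "e": "3", "a": "4", "rn": "m", "m": "rn"}

# Top-level domains a fraudster might register the same label under.
WATCH_TLDS = ("ie", "com", "eu", "co.uk", "net", "io")

# Affixes that suggest affiliation with the genuine firm (assumed list).
SUFFIXES = ("-fund", "-funds", "-investments", "-group", "-ireland")
PREFIXES = ("my", "the", "www-")


def split_domain(domain):
    """Split 'label.tld' into its registrable label and the rest (the TLD)."""
    label, _, tld = domain.lower().strip().partition(".")
    return label, tld


def lookalike_candidates(domain):
    """Return a sorted list of lookalike names worth registering or monitoring."""
    label, tld = split_domain(domain)
    out = set()

    # 1. Same label under a different top-level domain.
    for t in WATCH_TLDS:
        if t != tld:
            out.add(f"{label}.{t}")

    # 2. Single-character omission (a typo the eye skips over).
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")

    # 3. One homoglyph substitution at each position where it applies.
    for src, dst in HOMOGLYPHS.items():
        idx = label.find(src)
        while idx != -1:
            out.add(f"{label[:idx]}{dst}{label[idx + len(src):]}.{tld}")
            idx = label.find(src, idx + 1)

    # 4. Affixes implying a related entity, login portal or regional arm.
    for suffix in SUFFIXES:
        out.add(f"{label}{suffix}.{tld}")
    for prefix in PREFIXES:
        out.add(f"{prefix}{label}.{tld}")

    out.discard(domain)
    return sorted(out)


def find_clones(observed, domain):
    """Screen observed domain names against the watch-list for `domain`.

    Returns (name, reason) pairs in the order observed: 'lookalike' for an
    exact watch-list hit, 'contains-brand' when the firm's label is embedded
    in a longer name that the generator did not enumerate."""
    candidates = set(lookalike_candidates(domain))
    label, _ = split_domain(domain)
    hits = []
    for name in observed:
        name = name.lower().strip()
        if name == domain:
            continue  # the firm's own site is not a clone
        if name in candidates:
            hits.append((name, "lookalike"))
        elif label in name:
            hits.append((name, "contains-brand"))
    return hits


# Constructed sample of "newly observed" registrations for the example.
OBSERVED_DOMAINS = [
    "examplefund.ie",               # the genuine site
    "examplefund.com",              # same label, different TLD
    "exarnplefund.ie",              # 'rn' substituted for 'm'
    "examplefund-investments.ie",   # affiliation-suggesting suffix
    "examplefund-global.net",       # brand embedded in an unlisted form
    "unrelated.org",
    "mybank.ie",
]

if __name__ == "__main__":
    for name, reason in find_clones(OBSERVED_DOMAINS, LEGIT_DOMAIN):
        print(f"{name:30} {reason}")
```

A hit in the `lookalike` category is a strong candidate for the notification and take-down steps listed above; a `contains-brand` hit needs a human look first, since a genuine third party (a distributor or platform) may legitimately use the firm's name. Running the generator once at fund launch also produces the list of names worth purchasing defensively before anyone else does.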
If you have any queries in respect of the issues raised in this article, please do not hesitate to contact our Dublin office on +353 1 6670022, the author by email firstname.lastname@example.org or your usual contact at Dillon Eustace.
Laura Goonan, Senior Associate, Dillon Eustace