The SEC’s Office of Investor Education and Advocacy (OIEA) issued a warning to the public last week concerning fraudsters who are impersonating the SEC in an attempt to trick potential victims out of both personal information and money. Specifically, the impersonators email or call individuals under the guise of confirming trades, helping set up investment holding or trading accounts, or recording information related to trades “for the protection of both parties.” The SEC’s alert even contains a recording of one of these social engineering scams in action.
It’s worth noting that the SEC does not contact investors to confirm their trades, record details of specific trades, or help set up accounts. Furthermore, “Federal government agencies, including the SEC, do not endorse or sponsor any particular securities, issuers, products, services, professional credentials, firms, or individuals.” In summary, if you receive a phone call, email or even a text message from anyone claiming to represent the SEC, do not disclose private information or give them access to any of your money; instead, contact the agency directly via the information available on its website: https://www.sec.gov/.
This approach is in line with the “follow the money” trend we’ve been seeing among hackers as they turn their attention more and more to the financial services industry. For the big banks, with millions of dollars invested in cybersecurity budgets and IT departments numbering in the thousands, it becomes a people and process issue: the more people and the more offices a firm has, the more entry points a hacker has to gain a foothold. For firms in the alternative space – hedge funds, private equity, asset managers, and venture capitalists – it becomes an investor and reputational issue.
“What are you doing for cybersecurity?” is a question investors are holding tight to when evaluating potential funds, and our clients are finding themselves having to adapt if they want to grow. Then there’s the reputational risk a firm faces – don’t think for a second an investor is going to go anywhere near a fund that’s experienced a breach. In fact, 60% of companies that lose their data go bankrupt within 6 months. It’s not just the founders who jeopardize their personal and professional livelihood either; if you’re a CTO or COO/CFO in charge of technology, you’re most likely on the hook as well, and those skeletons tend to follow you.
Most organizations aren’t sophisticated enough to have a dedicated Chief Information Security Officer (CISO), so those in charge of technology are left trying to ensure the firm is technologically and operationally sound while also taking on a subject matter they’ve never been trained in – cybersecurity. This is the state we meet most of our clients in, and depending on their size, complexity and operational maturity, we’re able to get them from point A to point B. For some, that might mean starting with the basics – like Security Awareness Training, a Security Risk Assessment, and then Policy Development (which we offer as part of our consulting services). For others, who need a more comprehensive solution, we look at our SEC Cybersecurity Governance Program with incident response rolled in. Finally, our technology clients love the fact that we also have a managed detection and response offering; this means your IT and cybersecurity providers are no longer operating in a vacuum, which can otherwise cause serious delays in catching and thwarting malicious traffic when hackers attack.
No one expects you to have cybersecurity figured out in a day, but you do want to make sure you start somewhere, and with a provider who knows your industry, because in our experience vertical expertise results in just that – results – and over time trust is built to form an even more mutually beneficial relationship.