As if counter-party risk weren't already one of the biggest concerns of HF Managers! SS&C, one of the largest and most trusted fund administrators serving the alternative asset management industry fell victim to a phishing cyberattack costing a fund client millions of dollars but far worse, their business. As a fund manager, how can you protect yourself?
Case Background:
If you haven't read up on it already, it is certainly worth a read to understand the intricacies of this case.
Hyperlinks* to case articles here:
Brief Summary:
SS&C, a publicly traded Global Fund Administrator, provided fund admin services to Tillage Commodities Fund, LP, a private investment fund. In an unfortunate sequence of events, SS&C was defrauded of over $6,000,000 of Tillage Fund assets by way of a social engineering scheme. A number of fund transfer requests came from what looked like a Tillage email address but in fact was coming from a fraudulent address with requests to transfer funds to a bank in Hong Kong. According to the complaint:
"SS&C took virtually no steps to “validate” these wire transfer requests or “authenticate” the sender’s authorization. Further – and despite its purported use of “cutting edge” technology – SS&C failed to employ any basic email filtering tools that would have blocked, segregated, or marked these emails."
For the sake of this article, we need to solely determine how if at all, the fund could have protected itself against such a fraudulent scheme and whether or not there was anything the fund could have done to ensure that it was made whole.
There are only two (2) potential ways to manage and address this type of counter-party risk:
- Amend service/vendor contracts to include proper indemnification back to the fund for a situation like this; & or
- Make sure the Fund Administrator carries appropriate insurance coverage. More specifically a fidelity crime bond inclusive of an extension of coverage for cyber transfer fraud and social engineering with the appropriate limits of liability.
Fidelity Crime Bond Coverage
Fidelity Crime Bond coverage protects insureds against fraud by employees of an insured for theft of monies and securities that are either owned by the named insured or are in their care, custody, and control. Coverage is also available for funds transfer fraud, computer fraud and/or social engineering whereby an employee of an insured is the victim of a phishing attack.
Given the circumstances surrounding this case*, even if Tillage carried a fidelity crime bond, it was not their employee who fell victim to the fraud. It was the employee of SS&C, the third-party vendor.While the Cyber Transfer Fraud & Social Engineering coverage extensions provide protection for a situation where the insured’s employee acts on instructions from someone purporting to be another employee of the firm, a vendor employee or a 3rd party investor, it will not provide coverage for a vendor’s employee being phished.
That said, if SS&C has/had a fidelity crime bond inclusive of coverage for cyber transfer fraud, then this scenario could potentially be covered by insurance.
Given the SEC's Examination priorities for 2017 and their continued focus on Cyber Security compliance, the Iron Cove team is currently working on a one-stop cyber solution which will address a number of Hedge Fund Cyber risks not currently being addressed in the insurance market.
[button title="Contact Us" link="mailto:louisd@ironcoveins.com" target="_blank" size="" color="" class=""]
*The facts and opinions of any links embedded in this article are that of the author’s and not of Iron Cove Partners, LLC. Nothing in this article is meant to malign any organization, company, or individual. All information is provided on an as-is basis with no warranties and confers no rights. This article was written for educational purposes only as well as to provide general information and a basic understanding of the insurance application to a specific set of facts in an ongoing legal matter. Iron Cove is not in any way opining on the merits of the case, the accuracy of the facts alleged in the complaint or the circumstances surrounding the legal matter.
Comments