In March 2020, Norfund became the target of an unfortunate and serious case of fraud.
Norfund’s management decided immediately to be open and transparent, not least to contribute to reducing the risk of others falling victim to similar fraudulent activities.
A sophisticated fraud
After successfully hacking a Norfund e-mail account, the fraudsters managed to access information concerning a loan of USD 10 million (approx. NOK 100 million) from Norfund to a microfinance institution in Cambodia. This information enabled the fraudsters to manipulate and falsify the information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. In addition, key documents and payment details were falsified.
As a result of this manipulation, the fraudsters were able to divert funds to an account that was in the name of the microfinance institution in Cambodia but was, in reality, under their control.
Norfund immediately set up a crisis management team, informed the Norwegian Ministry of Foreign Affairs, Norfund’s owner, and contacted the police. Considerable resources were dedicated to obtaining a full overview of the sequence of events and systematically reviewing and strengthening internal routines and controls.
Norfund’s Board of Directors also engaged PwC to undertake an independent external evaluation. Norfund collaborated closely with the police, our bank DNB and other applicable stakeholders and authorities following the discovery of the fraud.
A combination of factors made Norfund vulnerable
The report prepared by PwC concluded that a combination of factors made Norfund vulnerable to fraud. Among them were a delay in the implementation of security measures already adopted, insufficient internal IT security and IT supplier management expertise, and inadequate focus on operational risk management and awareness training in the current digital threat landscape.
New security and control measures implemented
Over the past two years, Norfund has implemented multiple measures to strengthen IT security, internal procedures and control systems. In 2020, the Board of Directors established a risk and audit committee and decided to set up an external internal-audit function. A number of operational measures have also been put into place, including a dedicated enterprise risk management function, consolidating financial controls, overhauling governance and compliance systems, recruiting dedicated internal resources and retaining an external provider of an IT security operation centre.
We have done a lot to strengthen our routines and systems to prevent a similar incident happening again.
Tellef Thorleifsson, Norfund CEO
Norfund’s compliance program
In 2020, a comprehensive overhaul of the governance and compliance system was carried out to update and provide better visibility and awareness internally of the regulations, policies, standards and ethical practices that apply to our organisation. This project was initiated prior to the discovery of the fraud, which emphasised the importance and value of having robust internal tools and systems in place.
The following policies have been updated and/or adopted in 2020:
- Code of Conduct
- Business Integrity Policy
- ESG Policy
- Compliance System
- Delegation of Authority
Digital crime – an increasing problem for Norwegian and international businesses
According to the Norwegian Centre for Information Security and the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime, fraud stemming from data breaches is a major and growing problem for businesses. Both organisations state that the number of unreported and undetected cases is also likely to be high. According to the Norwegian bank DNB’s Annual Fraud Report 2019, the number of fraud cases like the one experienced by Norfund increased by 32% between 2018 and 2019, while the amount that fraudsters attempted to steal increased by 65%. The report describes the way in which cases are becoming more targeted and advanced, and several customers have suffered losses running into many millions.
Fraud of this kind is perpetrated by very sophisticated criminals. With access to e-mail communication between two parties, they can familiarise themselves with the way in which the parties correspond.
The payment transactions they initiate therefore deviate very little from ordinary payments made by the victim company and become very hard to detect and prevent.
Terje A. Fjeldvær, DNB’s head of fraud prevention
Transparency can prevent future events
The efforts to uncover vulnerabilities and to understand the digital threats facing Norfund have taught us valuable lessons in preventing similar incidents for other investors and operators working in the same markets. Norfund has made a conscious decision to be open about the incident. We have been contacted by others that have had similar experiences and leaders who would like to learn from us to reduce their risks. Norfund has participated in several seminars and meetings to share key lessons gained from the case.