August 10, 2018
Interviewed by: David Snow

Protecting Your Firm’s IT and Infrastructure

Real estate investors, with vast networks of assets, tenants and capital partners, need to show not only investment prowess but strong protections against fraud and cybercrime.

Transcript Download Transcript

Protecting Your Firm’s IT and Infrastructure

David Snow, Privcap: Today we’re joined by Jay Morgan of StepStone, Nate Ruey of RSM, and Russell Appel of the Praedium Group. Gentlemen, welcome to Privcap today. Thanks for being here.

LPs have always been interested in looking at your returns and where the returns come from, and how you do deals. But are they spending more and more time looking at your firm itself—its infrastructure, the integrity of your system. What’s that been like?

Russell Appel, The Praedium Group: I think when a lot of the fund industry, in its newest form, in the ’90s, was formed, you had a bunch of deal junkies. You had a bunch of people who were running around, doing deals, highly entrepreneurial, and I think that the industry has evolved, because things happen that you don’t expect. No projection comes out exactly as you projected it, and so I think the focus on being the fiduciary and planning for the unexpected has just become more important. What people want is durability of returns or durability of cash flow or whatever the objectives are, that you have to have that planning for the unexpected.

Snow: Jay, as someone who backs managers, what are you looking at, as far as the institutional quality of the firms themselves, and how has that evolved as the market has evolved?

Jay Morgan, StepStone Group: We’ve gone to the point of having an ODD team go on-site, completely independent of the investment decision-making, so they need to opine on the investment and the manager before anything can get funded for approval by a client. And so, they’re looking at the regulatory environment that the manager operates in and make sure that everything is consistent with the statutory requirements. They’re looking at the cash controls. They’re looking at the back-office controls. They’re looking at the IT security. They’re looking at stuff like compliance manuals, making sure that they exist and making sure that they’re adhered to. They look at code of ethics, to make sure that that exists, and is demonstrable within the investment process within the firm.

Appel: As firms like your own have come in and “due diligenced” our firm, is it’s not only having the checklist or the processes, but it’s actually following it, too, because I think part of it is there are people who clearly want to impress the StepStones of the world. But I think it is about a culture and a mentality that actually puts investors’ interests at the forefront and making sure that happens.

Snow: When you get towards the smaller size firm or maybe the firm doing their first fund, or whatever the case may be, what are some areas where you’re seeing them come up short in the operational due diligence?

Morgan: A lot of them wouldn’t have a chief compliance officer with segregated duties, so we would need to make sure they have somebody who is at least up to speed with what the compliance requirements are. The cash controls can become an issue. They talked about fraud. We see people who are constantly getting phishing emails sent to them.

Nate Ruey, RSM US LLP: And I think it’s becoming more and more sophisticated of how hackers work through some of these, so the social engineering with the phishing emails, knowing the firm’s name, maybe changing a letter in the email address, knowing who the key stakeholders are, coming up with scenarios to transfer money over here and here. We’ve had clients that fell prey to that, and there’s a lot of pain, and after that, of trying to get the money back and can’t always have that happen.

Appel: We want to make investments, but of course we also want to make sure we protect investors. But as a manager of a firm, we also own all this real estate. We have responsibilities to our tenants, and we need to make sure they’re safe. And, of course, we have employees that work for us, and make sure that we do the right thing by them, too. So, I think there’s a lot of responsibility, and of course, part of what we’re talking about is making sure that firms have processes in place to be prepared.

Any classic examples of there being negative consequences of either client or a manager that you’re looking at, where it was clear that the outcome was negative because of a weakness in their approach to risk assessment or risk management?

Morgan: We had a client invest with a manager who had discretion over a separately managed account and acquired an asset and had reported back valuations that seemed a little bit in excess of what was logical given that market. So, given that we were traveling around in lots of different markets at lots of different times, we made an unexpected call on the asset and realized that the tenancy barely existed, and the type of tenant that was in there wasn’t paying nearly the rents that were being reported back to the investor. And so, it’s a lesson back to the investor that this particular manager didn’t have the valuation policy that they described, or he didn’t execute the valuation policy.

Appel: It almost sounds like they misrepresented the facts.

Morgan: They absolutely did. It was a different kind of fraud. As opposed to just stealing the money, they actually acquired an asset to allow them to do that, but essentially, they were funneling money out through the property back to related entities.

Ruey: We had a hospitality real estate fund, and they had someone in the back office that was responsible for all the bookkeeping. The vendor master file had access to checks, so they wound up changing the master file, cutting checks to themselves. And this was something that had gone on for three or four months until finally getting caught. The checks and balances weren’t there.

Appel: I think a lot of people who run funds view auditors as sort of not their friends. But really auditors are there to protect the manager. They’re there to protect everybody.

Unlock the Value of Your People and Ideas: Let Privcap Tell Your Story. Learn more at