Technology and security due diligence: what to verify before wiring capital
Wire controls, key management, vendor exposure, incident history — the security review most ODD processes skip, and the artifact that proves each answer.
An allocator can call a fund’s auditor. The systems that move the fund’s cash are harder to see — and they are where capital is actually lost. Technology due diligence on a fund still gets treated as a questionnaire section: a policy exists, a vendor is named, the box is checked. The FBI logged $16.6 billion in reported cybercrime losses for 2024, and business email compromise — the attack aimed squarely at wire instructions — accounted for roughly $2.77 billion of it across more than 21,000 complaints. This brief covers four areas worth verifying before capital moves, and the artifact that proves each answer.
Wire controls: verify the procedure, then attack it
Business email compromise produced almost $8.5 billion in reported losses over the three years through 2024. The mechanics rarely involve breaking into a bank. They involve a convincing email, a changed account number on familiar-looking instructions, and a process that authenticates the message instead of the sender. The first wire at risk is the allocator’s own subscription — spoofed funding instructions are a known pattern — which makes this the one control environment both sides of the table have reason to test before day one.
The questions that matter are procedural, not technical. How is a change to standing settlement instructions authenticated — by callback to a number on file, or by replying to the email that requested it? Who at the administrator can modify payee details, and what does the manager independently verify? Is multi-factor authentication enforced on every system that touches cash movement, including email? SEC exam staff documented credential-stuffing campaigns against adviser and broker-dealer accounts as far back as 2020; a password alone protecting a treasury function is a 2015 control defending against 2026 attacks.
The artifact: a written wire procedure, and evidence it survives contact — a walkthrough of how a redemption bank-detail change would actually be processed, person by person. A procedure the manager has to improvise in the meeting is not a procedure.
Key management is not a diagram
For any strategy holding digital assets — and increasingly for any fund whose treasury touches them — key management deserves its own line of questioning, because the failure mode has changed. In February 2025, roughly $1.5 billion in ether left a major exchange’s cold wallet after its signers approved a single malicious transaction. The FBI attributed the theft to North Korea’s TraderTraitor group. The detail that matters for diligence is the mechanism: attackers compromised a developer workstation at the wallet-software vendor, stole cloud session tokens to bypass multi-factor authentication, and injected malicious code into the signing interface — so the exchange’s own multisig signers approved, on screens they trusted, a transaction that rewrote the wallet’s logic. The private keys were never stolen. The signers were shown one transaction and signed another.
The lesson generalizes. “Multisig cold storage” on a slide describes an architecture, not a control environment. The live questions are about the signing path: what device renders the transaction each signer approves, whether verification happens on independent hardware rather than a browser, and who builds and serves the interface the signers rely on. Counterparty and custody structure in digital-asset strategies is a subject of its own; the point here is narrower — the integrity of the signing process itself is now where sophisticated attackers operate, and a manager should be able to describe theirs precisely.
The artifact: a key-management description specific enough to attack — devices, signers, verification steps, and the vendors in the signing path.
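As an added illustration, not code from SetOne Labs or any wallet vendor, the following Python model shows the failure mode described above: a signing interface that renders one transaction while forwarding a different one to the signer's device, and why a check on independent hardware catches what a browser-only check cannot. The class names, addresses and sample transactions are constructed.

```python
"""Model of a tampered signing interface and the independent check that catches it.
Constructed example; the transaction format and addresses are placeholders."""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Tx:
    to: str        # destination address (placeholder values below)
    amount: int    # value in smallest units
    payload: str   # hex-encoded call data; "" for a plain transfer


def canonical_digest(tx: Tx) -> str:
    """The digest a signer actually commits to: canonical JSON, stable key order."""
    blob = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class TamperedInterface:
    """Signing UI with injected code: renders `shown`, asks the device to sign `actual`."""
    def __init__(self, shown: Tx, actual: Tx):
        self.shown, self.actual = shown, actual

    def summary(self) -> str:          # what the browser tab displays to the signer
        return f"send {self.shown.amount} to {self.shown.to}"

    def signing_request(self) -> str:  # what is forwarded to the signer's device
        return canonical_digest(self.actual)


def browser_only_check(ui: TamperedInterface, intended: Tx) -> bool:
    """Control that trusts the interface: compares rendered text to the approved intent."""
    return ui.summary() == f"send {intended.amount} to {intended.to}"


def independent_check(request_digest: str, intended: Tx) -> bool:
    """Control on separate hardware: re-derive the digest from the transaction the
    operations ticket authorised and compare it to what the device was asked to sign."""
    return canonical_digest(intended) == request_digest


# Constructed sample: a routine transfer, and a substituted transaction that
# carries call data to a different address instead of a plain transfer.
INTENDED = Tx(to="0xRECIPIENT_PLACEHOLDER", amount=1_000, payload="")
SUBSTITUTED = Tx(to="0xSUBSTITUTED_PLACEHOLDER", amount=0, payload="0xdeadbeef")
UI = TamperedInterface(shown=INTENDED, actual=SUBSTITUTED)

if __name__ == "__main__":
    print("browser check passes:", browser_only_check(UI, INTENDED))                       # True: fooled
    print("independent check passes:", independent_check(UI.signing_request(), INTENDED))  # False: caught
```

The diligence question this models is the one in the text: which device derives the digest the signer approves, and whether that derivation depends on software the signer does not control.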
The vendor stack is the attack surface
A fund’s security posture is the union of its providers’ postures. SEC exam staff warned in 2020 of increasingly sophisticated ransomware campaigns hitting not only registrants but their service providers — specifically those maintaining client assets and records. The administrator, the order-management system, the cloud email tenant, the outsourced IT firm with administrative access to everything: each is a door, and most reviews never ask who holds the keys.
The questions: does the manager maintain an inventory of vendors with access to fund data or systems, ranked by what each can touch? How is vendor access revoked when a relationship ends? Has the manager ever asked its critical vendors for security documentation, or does reliance rest on brand familiarity? Vendor management appears throughout the SEC staff’s published observations on resilient firms for a reason — it is where control of the environment quietly leaves the building.
The artifact: the vendor inventory itself, with access levels. A manager who cannot produce one is telling the allocator the attack surface is unmapped.
Incident history now has a paper trail — ask for it
For SEC-registered managers, this review no longer depends on goodwill. Amendments to Regulation S-P adopted in May 2024 require registered advisers, broker-dealers, and funds to maintain written incident response programs and to notify affected individuals within 30 days of becoming aware of a breach involving sensitive customer information. Larger entities — including registered investment advisers with $1.5 billion or more in assets under management — passed their compliance deadline on December 3, 2025; smaller entities have until June 3, 2026. As of early 2026, an allocator can simply ask a larger manager to produce the program. With the SEC’s separately proposed adviser cybersecurity rule withdrawn in June 2025, Reg S-P is the operative federal requirement — though it reaches only registered firms. Exempt reporting advisers and offshore managers without U.S. registration sit outside it, which makes the contractual ask more important, not less.
Managers trading futures carry a parallel obligation: NFA members must maintain a written information systems security program approved by an executive-level designee, train staff at least annually, and notify NFA promptly of incidents involving loss of customer funds. The ISSP, its approval, the training log, and any incident notices filed are all concrete, requestable artifacts.
Enforcement history shows why the dates matter more than the documents. In August 2021, the SEC sanctioned eight firms a combined $750,000 over cloud email takeovers that exposed thousands of customers’ personal information; at five of the firms, none of the taken-over accounts were protected in a manner consistent with the firms’ own policies. One sanctioned firm had known of account takeovers since January 2018 and did not implement firm-wide enhanced security measures, including MFA, until 2021. The diligence translation: ask when a control was actually enforced, not when the policy was written.
Artifacts, not assurances
None of this requires the allocator to be a technologist. Each area resolves to something that can be produced and inspected: a wire procedure that survives a walkthrough, a signing path described device by device, a vendor inventory, an incident response program with a date on it. For managers, the discipline runs the other way — assemble that package before it is requested, because the gap between a policy and an artifact is exactly what an experienced reviewer is trained to find.
SetOne Labs pressure-tests the technology and security posture of funds — wire controls, key management, vendor exposure, incident readiness — before an allocator does. To arrange a confidential review, begin a conversation.
SetOne Labs provides advisory services and general information. Nothing here is legal, tax, or investment advice.