Steps to increase cyber security for EB-5 regional centers

By Richard Kristof

An EB-5 regional center is a financial institution, which must take precautions when it comes to the security of investors’ personal information and the finances of the projects the center supports. Security is achieved from a plan, not by accident, and that plan needs to acknowledge that any weak link provides a vulnerability that might allow cybercriminals access to information that could jeopardize the business.

Cybercrime is part of daily life. Protecting yourself, your investors and your projects requires taking the threats seriously and having all the proper protections. You can’t wait until you get hacked or fall victim to a ransomware attack. If that happens, the damage is already done, and there is very little that others can do for you. Protection against cybercrime must be handled proactively, like those in the financial services sector have done for decades.


Internal users are the biggest concern, starting with passwords. People choose passwords that are easy to remember and then reuse them across multiple systems. Even worse, most of us keep the same password for years, so the breach of one system can hand an attacker access to others, often with nothing more than a few details gleaned from your website or social media profiles. Simply implementing and enforcing a password policy for your business (minimum length, no reuse across systems, no sharing by email) adds a layer of protection against this common threat. Using a password vault like 1Password or LastPass is a huge time-saver and greatly improves password security, because every account can have a long, unique password that nobody has to memorize.


Secure Sockets Layer (SSL) certificates, now more accurately called TLS certificates, were long considered unnecessary for information-only websites, until Google and other browser vendors began marking sites served over plain HTTP as "Not secure." Search engine ranking also favors HTTPS sites, giving a further reason to add the relatively inexpensive coverage. Note that buying the certificate is only half the job: the site must actually be served over HTTPS, with plain HTTP redirecting to it, or anything investors type into a contact or login form still travels in the clear. In a random survey of active regional centers, many can be found that still do not serve their websites over HTTPS with a valid certificate.

Cybersecurity is such an important part of running a financial institution that someone in your organization, even if you run a three-person operation, needs to be designated as your security officer and have documented procedures for maintaining the security of the regional center. Even the business plan for the center should include details on how the business plans to maintain a secure technology infrastructure. Just a few to consider include: passwords (managing, storing and sharing); an investor portal that provides secure communications; an encrypted escrow administration system between investors, regional centers, administrators and banks; email security measures (such as what you will and will not send via email); determining a method for storing data online; security measures for mobile technologies; website development; basic and advanced search engine optimization for EB-5; and secured third-party access for brokers, dealers, rental center administrators, bankers and others who need access to your data.


Email has become universal, and many of us are complacent about its security. Unless a message is encrypted before it is sent, it can travel between mail servers in the clear, where anyone positioned on the path with the right equipment can capture and machine-read it. According to Radicati Group research, more than 246 billion emails are sent each day. With spam accounting for over 20 percent of them, the potential for one of those emails to be malicious makes every click or tap on your device a game of Russian roulette.

Phishing involves sending emails that purport to be from reputable companies but are actually trying to induce recipients into revealing personal information, like a password or credit card number. If you get an email from your bank or another institution you work with, it is always safer to log in by typing the institution's address or using a saved bookmark than to click an embedded link. These emails use the real company's logo and format to trick you, and they can be very convincing. The text of a link and its real destination can differ; hovering over the link shows where it actually leads, and a familiar name stuck in front of an unfamiliar domain (or an address you have never seen) is a warning sign. There are examples of emails, supposedly from reputable senders, that ask recipients to pay an attached invoice or log into a site. In reality, the invoices are fake and the sites are stealing passwords.
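One way to turn the advice above into a mechanical check, as an added example that is not part of the original article or any product it mentions: pull every link out of an incoming HTML message and compare the real destination against the institutions the center actually deals with. The trusted-domain list and the sample message are constructed for illustration; a real deployment would maintain its own list and should use a public-suffix list rather than the crude "last two labels" rule used here.

```python
import re
from urllib.parse import urlparse

# Domains this (hypothetical) regional center actually transacts with.
# Assumed for the example; maintain your own list in practice.
TRUSTED_DOMAINS = {"examplebank.com", "uscis.gov"}

# Constructed sample message body (HTML); not a real phishing email.
SAMPLE_EMAIL = """
<p>Dear investor, your escrow statement is ready.</p>
<p>Please <a href="http://examplebank.com.secure-login.xyz/portal">log in to Example Bank</a>
to review it, or pay the attached invoice at
<a href="https://examplebank-verify.com/invoice">https://examplebank.com/invoice</a>.</p>
<p>Questions? Visit <a href="https://examplebank.com/contact">our contact page</a>.</p>
<p>Partner site: <a href="https://xn--exmplebank-7bb.com/">examplebank</a></p>
<p>Statement archive: <a href="http://examplebank.com@198.51.100.7/login">examplebank.com</a></p>
"""

# Matches <a ... href="..."> ... </a>; good enough for mail bodies, not a full HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the hostname (bare IPs returned as-is)."""
    host = host.lower().strip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:])


def check_link(href: str, text: str) -> list:
    """Return a list of human-readable findings for one link; empty means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)

    if domain in TRUSTED_DOMAINS:
        if parsed.scheme != "https":
            findings.append("trusted domain but link is not https")
    else:
        findings.append(f"destination {domain!r} is not a trusted domain")
        # A trusted brand name appearing as a subdomain or prefix of an untrusted domain:
        # examplebank.com.secure-login.xyz, examplebank-verify.com
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if brand in host:
                findings.append(f"lookalike: {brand!r} appears inside {host!r}")
        if "xn--" in host:
            findings.append("punycode hostname, possible homoglyph attack")
        if parsed.username is not None:
            findings.append("userinfo before host hides the real destination")
        if re.fullmatch(r"[\d.]+", host):
            findings.append("bare IP address instead of a hostname")

    # The visible text looks like a URL but points at a different domain.
    shown = re.match(r"https?://([^/\s<]+)", text.strip())
    if shown and registrable_domain(shown.group(1)) != domain:
        findings.append("visible URL text differs from the real destination")
    return findings


def analyze_email(html: str) -> list:
    """Extract every link from an HTML message and attach the findings for each."""
    return [
        {"href": href,
         "text": re.sub(r"\s+", " ", text).strip(),
         "findings": check_link(href, text)}
        for href, text in LINK_RE.findall(html)
    ]


if __name__ == "__main__":
    for link in analyze_email(SAMPLE_EMAIL):
        status = "OK " if not link["findings"] else "BAD"
        print(f"{status} {link['href']}  ({link['text']})")
        for f in link["findings"]:
            print(f"      - {f}")
```

Run against the constructed message, four of the five links are flagged and only the genuine contact link passes. A mail gateway or a help-desk triage script can apply the same logic before a user ever sees the message; the point is that the check keys on the real destination host, never on the text the sender chose to display.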

Virus protection is no longer merely nice to have if you operate an electronic device with access to clients' personally identifiable information. Without virus and malware protection you are acting irresponsibly and exposing your business to negligence claims. The days are long gone when you could say you didn't know. Courts have seen plenty of cases seeking large damages from business operators who wanted to save $9.99 per month by not running proper antivirus software.

Whether you use a PC, Mac, Android device or iPhone, be diligent about updating it. Most updates and patches fix security vulnerabilities. Software developers learn about bugs and other weaknesses all the time and release fixes, but those fixes only help once they are installed. Web browsers and their extensions need updating too; although they are supposed to update themselves, the update often waits for a restart that never happens, so check them manually once a month to be sure.

Unless you have known someone for 10 years or more, how can you really know enough to trust them with the materials, money and responsibilities involved in running an EB-5 regional center? The minimum bar should be a background check on everyone in your circle who has access to investor and project information.


Cyberinsurance might have seemed like a ridiculous waste of money just a few years ago, but now it is an absolute necessity as part of your continuity of operations plan. What would happen to your business while you are defending your company against claims from a cyberattack? Most EB-5 regional centers wouldn’t survive, costing investors their funds and green cards.

Travel is an important part of the EB-5 business model, and it is the time when data is perhaps most vulnerable. You have heard stories about stolen government laptops that contained millions of people's personal information, which means the entire database had been copied onto that device. Most organizations have stopped doing that, but it remains very dangerous to concentrate that much data on an unprotected device: carry only the data the trip requires, and encrypt the device's storage so that a lost laptop is a hardware loss rather than a data breach. When you log in to office systems over hotel or cafe Wi-Fi, anyone on the same network can capture or tamper with unencrypted traffic, and criminals do exactly that; it is just another day at the office for them. Use a VPN back to the office, or at minimum only services protected by HTTPS. Using your mobile device as a hotspot is convenient, but an open or weakly secured hotspot is itself a vulnerability, so protect it with a strong password. Be certain that all your people have more than just basic virus protection on their laptops and mobile devices. Each unprotected device is an open door for cybercriminals.

Regional centers are financial institutions that, in many cases, handle transactions totaling hundreds of millions in foreign investor funds, combined with at least that much in domestic money. Cyberthreats are a real and present risk to the investments and reputations of investors, regional center owners and project owners. While some regional centers conduct impressive self-imposed security procedures, unfortunately, many of these exposures are not understood and therefore overlooked or ignored by far too many. Expect integrity measures to include provisions for ensuring the security of investor information in the future. Be prepared and do a self-assessment of your security now.

Richard Kristof

Richard Kristof is the CEO of ISCoA, the makers of EB5 Suite. His expertise is in multi-supplier platform integration, standards-based approaches to content development, gamification, predictive analytics and neurocognition. As a leader in outsourcing, he created many successful models to provide clients with the infrastructure needed to run their business without worrying about the operation of complex back-office functions. He has a deep background in financial services that extends from working in a Wall Street-based investment company to doing global acquisitions and investments.
