Chief compliance officers are making it a priority to educate and train their staff on the importance of cybersecurity, delegates heard at the PEI Private Fund Compliance Forum 2014 this week in New York.
“There needs to be a cultural mind shift in how the firm thinks about cybersecurity,” said one CCO at the event speaking on the condition of anonymity during a cybersecurity panel. “That means the CEO knows not to call into a board meeting on his cell phone, or doesn’t take his laptop containing sensitive business data when travelling out of the country.”
The issue of cybersecurity is becoming a major area of focus for the US Securities and Exchange Commission (SEC), which is planning a sweep of registered advisors to test the financial market’s ability to withstand digital attacks.
The SEC has already begun sending exam letters to registered advisors, including a handful of billion-plus private equity shops, said a fellow panelist at the event who provides compliance consulting to GPs.
To meet SEC expectations, CCOs in attendance said they were creating training material dedicated to cybersecurity.
“As part of my spring training I’ll allocate some time to tell staff they can’t use an unencrypted thumb drive for example or that they can only use the corporate cloud for storing and sharing files,” said the CCO.
A related best practice heard at the conference is to quiz outside service providers on their own cybersecurity as well. The point was driven home by the recent Target breach, in which attackers got into the retailer's network using access credentials stolen from a third-party vendor.
Some delegates mulled how much of a threat cyber attacks pose to smaller firms with a lower public profile. Many noted that hackers are unpredictable in whom they target, and that cybersecurity risks often come from within.
“Take the example of a disgruntled employee who was just fired and starts downloading every document in the firm’s shared folders. Do you really want that person leaving with your data?” one delegate said to PFM on the sidelines.
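The scenario the delegate describes, a just-terminated employee bulk-downloading the shared folders, is a detectable pattern. What follows is an added example, not code from the article or from any firm quoted in it, of the two checks a monitoring team would typically run over file-server access logs: a per-user download burst measured against that user's own historical rate, and any activity by an account after the HR-recorded termination time. The log format, the users alice and bob, the thresholds and the sample events are all constructed for illustration.

```python
"""Flag bulk document downloads by departing staff.

Added example, not from the PFM article or any vendor product: a minimal
detector over a constructed file-server access log. It combines two signals:
  1. a download burst in a short window that far exceeds the user's own
     historical rate (with an absolute floor so quiet users are not flagged
     for a handful of files), and
  2. any access by an account after its HR-recorded termination time.
The log format, thresholds and sample events are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # burst window (assumed)
MIN_BURST = 20               # absolute floor on downloads per window (assumed)
RATIO = 10                   # burst must also be >= RATIO x the user's typical hourly rate


def parse_log(lines):
    """Parse constructed 'ISO-timestamp user action path' lines, sorted by time."""
    events = []
    for line in lines:
        ts, user, action, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def hourly_baseline(downloads, user, before):
    """Mean downloads per hour for `user`, over days strictly before `before`'s date."""
    per_day = defaultdict(int)
    for ts, u, _, _ in downloads:
        if u == user and ts.date() < before.date():
            per_day[ts.date()] += 1
    if not per_day:
        return 0.0
    return sum(per_day.values()) / len(per_day) / 24.0


def detect_bulk_downloads(events):
    """One alert per user whose downloads in any WINDOW-long span reach the threshold."""
    downloads = [e for e in events if e[2] == "download"]
    by_user = defaultdict(list)
    for e in downloads:
        by_user[e[1]].append(e)
    alerts = []
    for user, evs in by_user.items():
        j = 0
        for i, (ts, _, _, _) in enumerate(evs):
            while evs[j][0] < ts - WINDOW:  # slide the window start forward
                j += 1
            count = i - j + 1               # downloads in (ts - WINDOW, ts]
            threshold = max(MIN_BURST, RATIO * hourly_baseline(downloads, user, ts))
            if count >= threshold:
                alerts.append({"user": user, "kind": "bulk_download", "count": count, "at": ts})
                break  # report the first burst only
    return alerts


def detect_post_termination(events, terminations):
    """Any activity by an account after HR's termination time (terminations: user -> datetime)."""
    alerts, seen = [], set()
    for ts, user, action, path in events:
        term = terminations.get(user)
        if term is not None and ts > term and user not in seen:
            seen.add(user)
            alerts.append({"user": user, "kind": "post_termination_access", "at": ts, "path": path})
    return alerts


def build_sample_log():
    """Constructed log: alice is normal; bob is terminated at 10:00 on 7 May and then bulk-downloads."""
    lines = []
    for day in ("2014-05-05", "2014-05-06"):
        for user, n in (("alice", 3), ("bob", 2)):
            for k in range(n):
                lines.append(f"{day}T09:{10 + k:02d}:00 {user} download /shared/deals/memo{k}.pdf")
    lines.append("2014-05-07T09:15:00 alice download /shared/deals/memo0.pdf")
    lines.append("2014-05-07T09:20:00 alice view /shared/deals/memo1.pdf")
    for k in range(25):
        lines.append(f"2014-05-07T10:{5 + k:02d}:00 bob download /shared/deals/file{k}.docx")
    return lines


TERMINATIONS = {"bob": datetime(2014, 5, 7, 10, 0)}  # constructed HR feed


def run_detection(lines=None, terminations=TERMINATIONS):
    """Run both detectors; defaults to the constructed sample log and HR feed."""
    events = parse_log(build_sample_log() if lines is None else lines)
    return detect_bulk_downloads(events) + detect_post_termination(events, terminations)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The design point worth taking from this is the join between the HR termination feed and the access log: the burst rule alone would also fire on legitimate bulk work, while the termination rule is unambiguous. Detection is the backstop; the primary controls remain disabling the account at the moment of termination and restricting bulk export from the document store.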
Moreover, the panel noted that cybersecurity is fast becoming a standard part of LPs’ operational due diligence, meaning GPs should be prepared to explain what steps they have taken to protect their networks.
“Five years ago no one was talking about cybersecurity,” said the CCO. “Now it’s one of the biggest compliance issues out there.”