This article is sponsored by BDO, EisnerAmper and WithumSmith+Brown, and appears in the November issue.
AROUND THE TABLE
Noah Becker is the chief financial officer for lower mid-market firm LLR Partners, which he joined in 2012. Based in Philadelphia, LLR invests in technology and services businesses and has raised more than $3 billion across five funds.
Eric Feldman is the chief information officer at The Riverside Company, which he joined in 2011. Founded in 1988, Riverside has more than $8 billion in assets under management, with an international portfolio of more than 80 companies.
Prom Vatanapradit is a vice-president and head of technology at CCMP Capital. Since it was founded in 2006, CCMP has invested more than $16 billion in buyout and growth equity transactions. Prior to joining CCMP in 2016, Vatanapradit was a managing director and chief technology officer/head of infrastructure at Och-Ziff Capital Management.
Brian Ferrara is a senior manager at EisnerAmper, specializing in process, risk and technology solutions. He has more than 15 years of experience in the Sarbanes-Oxley Act, internal auditing, process re-engineering, risk management, compliance and IT controls.
Anurag Sharma is a principal of WithumSmith+Brown’s cybersecurity practice and system and organization controls practice based out of their Princeton, New Jersey office. He has more than 19 years of experience on cybersecurity and has written of many articles dealing with cybersecurity challenges faced by small and medium businesses.
Mike Stiglianese is the lead on national technology and cybersecurity for the financial services industry at BDO. Based in New York City, he has more than 30 years of experience in IT financial and risk management, compliance and controls, shared services and expense management. Stiglianese previously worked at Citigroup, where he managed an implementation program that included driving ‘check-list’ compliance to a ‘risk-based’ compliance program.
Private equity firms, like any other business, are often targets of thieves and criminals who seek to steal information through phishing, malware and other means.
For Mike Stiglianese, a managing director at BDO who is also the consulting firm’s national lead on technology and cybersecurity for the financial services industry, protecting a firm’s management data system is critical. It’s a responsibility that should be shared top-down – from managers to lower-level employees, he adds.
“I try very hard not to use the words ‘cyber security.’ In my mind this is all about cyber-risk management and putting it in perspective as a risk management discipline, especially when I’m dealing with private equity firms,” he says during a recent roundtable discussion with executives at private equity firms and service providers in New York.
Cyber-risk management, Stiglianese says, is a discipline similar to financial risk or credit risk management in that resources are put in place to minimize the likelihood of an incident and to protect against it. Should a security breach occur, a firm should be able to detect it and implement the proper response, he adds.
“Management and board directors understand how to manage risk. When people use the word ‘cybersecurity’ they think technology, yet we don’t know what they’re talking about. The reality is it’s managing risk in the same way that you do anywhere else,” Stiglianese says.
A collaborative effort by key members of a firm is also vital. Eric Feldman, the chief information officer at mid-market firm The Riverside Company, says their cybersecurity team comprises staff from the technology department, the compliance group and human resources who meet on a quarterly basis.
Feldman chairs the team and gets feedback from colleagues. They then work with outside counsel, which meet with the firm twice a year and offer the global regulatory perspective on recent rules – among them, the EU’s General Data Protection Regulation enacted in May. This affects Riverside as it has investments in Europe. From those discussions with legal counsel, Riverside develops its own internal policies that complement its general risk program, Feldman says.
“We don’t coin it ‘incident response.’ We think of this as ‘incident preparedness’ because it’s something that is constantly changing,” Feldman says.
Preparation is important so that each member in a response team can react properly to an incident and protect the firm’s data.
“What’s important is really understanding your data. What data don’t you want? What data do you want to protect?” asks Brian Ferrara, a senior manager specializing in process, risk and technology solutions at EisnerAmper. “You have massive amounts of data throughout your organization, so you need to figure out what’s relevant, what’s important and where it is located. How is that data going back and forth? And ultimately, how will you protect that data?”
Sharing data should be a firm’s big concern in terms of vetting the individuals who have access to that information, he says.
“If you don’t have folks who are properly trained, who understand the risk, understand what the requirements are and how it could affect downstream, you’ll never really have a successful cyber-program,” Ferrara says. “It reinforces training, tabletop exercises and that preparedness versus the response. We may have a great set of policy documentation procedures. ‘OK, an incident happened. Which way do we go? Who’s doing what?’”
And it’s not simply a case of hackers who are targeting firms through ransomware or phishing, Feldman says. The inadvertent loss of data could come from an unencrypted laptop that was stolen or has gone missing or someone emailing a document with no password protection.
Beyond checking boxes
Firms should do more than just simply go through a list of procedures and check the box when going through an incident response plan, says Anurag Sharma, a principal at WithumSmith+Brown’s cybersecurity practice.
“If you’re sitting there in a crisis without a planned approach not knowing who’s going to do what and trying to figure things out on the fly, that is the worst situation to be in,” he says.
Firms also need to record every incident, whether it be big or small, because each case is something to learn from. “Your response plan is not a static plan; it is not a static document. It needs to evolve. As the threats evolve, the plan needs to evolve. And as you go through the feedback, besides seeing what went wrong during your response, it’s also important to focus on what went right,” Sharma says.
At the same time, if an incident were to happen, there might be conflicting objectives in the resolution, he says.
“Do you want to recover as soon as possible, or do you want to retain enough forensic evidence to support any subsequent breach notification process?” Sharma says. “Either of those approaches would take you in a different direction. You can’t have both objectives met together, and that is why it is very critical that with whatever incident response team you have in place, you have representation from the legal side and the technical side so that they can take that decision to say whether this is allowed and this is not allowed, and to determine the way to achieve it.”
Not all firms will have the expertise to deal with security incidents. A firm’s general counsel, compliance officer or technology officer won’t be an expert in cyber-risk, so hiring outside consultants to do the work makes sense. It may also mean taking out cyber liability insurance and having an advisory service to ensure that handling forensic evidence is done properly, according to Feldman.
One method to acquire sensitive information is phishing. Sharma says that the most common phishing campaign is someone impersonating a colleague to send an email asking for information. A simple solution is flagging external email on the server. Continuing education on phishing is important because new tactics are being used.
Feldman says that, like other private equity firms, Riverside tests its employees by phishing them, and it has been extremely effective in raising awareness. “It’s just sort of baked into the overall education in keeping people on their toes, being good corporate citizens.”
Lessons learned at the management level can also trickle down to portfolio companies.
At LLR Partners, a lower mid-market firm which has investments in technology businesses, it’s an area that is slowly evolving. Noah Becker, the firm’s chief financial officer, says that three to four years ago there would have been less consideration about cyber-risk at the portfolio level. But with each year it’s becoming more of a focus for managers as the firm’s roster becomes bigger and more data-intensive.
“Internally, you’re assessing portfolio companies in terms of what industries they are in and what types of information they have,” Becker says. “That leads to risk profiling and then really focusing on particularly the higher-risk portfolio companies if they’ve got personally identifiable information [PII], payment card information and HIPAA [health data] and other types of data. You’re also assessing what people are involved at the portfolio – how are they focusing on it and how are they addressing issues? I think that’s going to continue to get deeper and deeper each year.”
Feldman established the Riverside Information Security Office a little more than four years ago, in partnership with a number of service providers. Its aim is to help educate their portfolio companies, which currently number more than 80, about risks facing mid-market companies. Typically, within the first 100 days of acquiring a company, Feldman says, Riverside is conducting a pure risk-based analysis based on 19 categories. Examples of these categories are security organization, security strategy and documented policies and procedures. Riverside follows up with the company twice a year to evaluate changes within their risk posture.
“We really train our companies because most of them don’t have an incident response plan,” Feldman says. “Having incident preparedness as part of the conversation gets our companies thinking about how best to manage this risk.”
Staying involved with peers within the industry through trade organizations helps. For Feldman, he’s part of the Private Equity CTO (PECTO) network and AITEC, a community of more than 300 members who work for buy-side alternative investment firms with combined assets under management of more than $4.2 trillion.
There was concern that portfolio companies might give some pushback to management because they might feel an intrusion into their operations. But Stiglianese says communicating with the portfolio companies on their cyber-risk management profiles is important to ensure that best practices are in place.
“There are very simple things that you can do that can give you a good idea of what the cybersecurity profile of your organization is, and I’ll give you five simple things,” he says. “One is if you just do nothing more than ask them to see their policies and procedures in the cyberspace. The next one will be if they had done a vulnerability test and if they have seen it. The rest is understanding what they do for patching, what they do for access control and what they do from employee training.
“None of those things are that intrusive. Just have a conversation,” Stiglianese continues. “While that won’t tell you how good they are, if you don’t get the right answer you know how bad they are. If they have policies and procedures, that’s a good thing. If they’ve got the vulnerability test, that’s a good thing. If they don’t, it’s bad. Right away you’ll know – at least whether they’re ignoring or they’re doing something.”
Storing data is also a concern for mid-market private equity firms who may not have the infrastructure available to store vast amounts of information on servers at their offices. In that case, they may turn to cloud computing services like those provided by Amazon or Microsoft.
“We’ve got the vast majority of our data on the cloud in name providers, which you feel is more secure because Microsoft has a far better security team than we could ever imagine,” Becker says. “But we do not put certain data on the cloud. For that we have a very restricted access on-site storage, which adds another layer of protection and control.”
Signing up with reputable providers, which have spent billions of dollars on hiring the best in technology, also provides some benefits. Expertise and knowledge from brand-name companies trickle down to private equity clients, and that can help reduce costs for firms who might otherwise have to spend to set up similar services, according to Prom Vatanapradit, the head of technology at buyout firm CCMP Capital.
“In cloud services, the security is baked in. So once you’re on it, you’re automatically receiving that benefit and the tools that you’re using. The cloud makes it very easy to do so compared to trying to budget your own on-premise facility in terms of your systems and then trying to budget cybersecurity and protection into that. That makes it much easier for a smaller shop to get the best of breed,” he says.
Everyone’s in play
Keeping up on regulation has had some surprise advantages. When CCMP had to be in compliance with GDPR to secure the privacy of data of its clients and employees, the firm used a file crawler system that found PII data in an archive of Excel files.
“Once everyone’s involved in regulation, which involves the chief legal officer, that gets the eye of our CEO. Everyone’s in play – going from a siloed technology person to actually having meaningful conversation with others,” Vatanapradit says.
In terms of what’s the next step in the evolution of cyber-risk management, blockchain and artificial intelligence come to mind. But panelists say their contribution is likely to be a way off and agree that the bigger private equity firms will have the scale and resources to take the lead.
“I feel like blockchain will eventually be impactful, but it’ll probably impact higher-transaction industries first, and then when it becomes widely adopted, will move to the private equity firms themselves where there’s less volume,” Becker says. “And I think on the artificial intelligence side, it will be the vendors that are adopting it and incorporating it into their products and services. I think AI will impact in ways like email filter providers using AI to make sure that the emails purporting to be your CEO – and the next versions of that type of threat – are blocked.”
Ferrara adds: “Building the technology is on its way – not for the smaller players in the market but for larger players in our space who have the time, the dollars and the resources to invest and try to make it work. From a security standpoint, all of the blockchain technology as I understand it is a very secure method of transacting data, but making it operational will take a little time to get there.”
Stiglianese says: “My general feeling is, right now these technologies have a promise for the future. For a lot of the private equity firms, there’s much more value they could get out of implementing and utilizing some of the proven tools that are out there right now rather than necessarily being on the leading edge of these new technologies. Let them play out a little bit longer. Let it get to a point where the large banks start making the investments and start seeing how they start implementing these technologies and start making it worth something that’s more practical for other firms to use. So right now again it’s something to watch, something promising, but you know my feeling is it’s premature.”
Ultimately, everyone from the C-suite down has to be involved to maintain best practices on cyber-risk management.
“Cyber-risk is not just the responsibility of the technology team or your outsourced service provider. It’s a shared responsibility of the organization. It’s got to come from the top down,” Feldman says.