Cybersecurity is a growing concern in the private equity sphere, both at management and portfolio level. But how can firms protect themselves, and what should they be looking out for? We asked RFA’s Michael Asher, Agio’s Ray Hillen, and Drawbridge Partners’ Anthony Patti for their advice to private equity firms, and about the future of cybersecurity in private equity.
What cybersecurity threats should private equity managers be aware of?
Michael Asher: The majority of threats I see come from phishing, but we’re also dealing with concerns about migrating data to cloud systems on a regular basis. Many private equity firms are now relying on third-party services (analysts) to sort through massive amounts of information, including confidential data, ultimately in order to produce better returns. Where previously you had a single point of entry, firms are now providing their data to several vendors and service providers, all of whom could be at risk of a cyber breach.
Ray Hillen: We’re seeing a lot of wire transfer fraud, maybe two times per quarter. These incidents often start with phishing and involve between $250,000-$6 million. Many firms don’t have good wire transfer protocol – it’s still very common for them to be using email-only authentication. There are three or four parties involved in an acquisition: the private equity firm, portfolio company, bank and attorney. It only takes one of them to be compromised – it doesn’t necessarily need to be the private equity firm itself.
Anthony Patti: The most common threats we see are related to phishing, email spoofing, and social engineering to untrained users, which ultimately lead to breaches at the GP, LP, and portfolio company level. These breaches are specific to fraudulent wire transfers, unauthorized account withdrawals, and compromised confidential information. Private equity managers are an appealing target for cyber-criminals, because they have access to, and move, large sums of money on a frequent basis, and because they have access to highly confidential investor information. They do not have the manpower of a major bank or enterprise, and generally don’t have internal staff dedicated to IT or cybersecurity, which puts them at significant risk of cyber-attacks.
What can private equity firms do to mitigate cyber-risk?
MA: During the transition to cloud-based systems, education is key. It pays to do your homework and due diligence from the very beginning, and ask the right questions of whoever is doing your IT. Not just “is it secure,” but “is it scalable, is it going to stand the test of time?” Once you integrate systems, be mindful of how you are sharing data. A low-level analyst can share all your crown jewels with the click of a button.
RH: Firms need to take a multi-layered approach to preventing wire transfer fraud, with user awareness and education, and phishing-resistant multifactor authentication. There should be voice or video authentication on larger wire transfers – it’s amazing that people aren’t using this technology given its ease and availability.
AP: Private equity managers should first work to create a culture of security and train their users appropriately so that they avoid falling victim to the types of attacks listed above. They should then work to build a program that fits the appropriate framework inclusive of policies and procedures, risk assessments, vendor due diligence, threat and vulnerability management, and training and awareness. The most common mistakes that we see are related to negligence. Often the firm is lackadaisical in their approach with respect to enforcing their policies and procedures, and users are also negligent when falling victim to an attack.
What is your outlook for the future of cybersecurity in private equity?
MA: Cloud-based systems are nothing to be scared of, but it is important that private equity firms understand the risk factors that come with them.
RH: I think we’re going to see a greater awareness of cyber-risks within portfolio companies – we’ve already seen portfolio companies’ valuations go down after a cyber breach. One way to tackle this is by educating the non-technical employees that are part of the deal teams, who are valuating the portfolio companies, and making sure that they have the right information to find out whether they are at risk of a cyber breach. At the moment it’s an afterthought.
AP: Given the growth in the amount of PE firms and private equity deals in the current market, we feel that these types of firms will continue to be a high-risk target from a cybersecurity perspective. Firms should ramp up their programs internally or do so with the assistance of a third-party cybersecurity consultant.
Michael Asher is the chief information officer at RFA, an institutional-quality IT, financial cloud and cyber-security services provider to the investment management sector.
Ray Hillen is the managing director of cybersecurity at Agio, a cybersecurity and managed IT provider with a dedicated private equity team.
Anthony Patti is vice-president at Drawbridge Partners, a cybersecurity consulting firm specializing in the needs of hedge fund and private equity managers.