It started off as something of a non-issue. Then CFOs and COOs started thinking about it more when purchasing new software or updating the firm’s IT systems. Last year, thanks to an SEC sweep, we witnessed compliance officers make it their own priority. Now, cybersecurity is lurking somewhere on the minds of every partner and employee at the firm when clicking emails, taking their cellphone abroad or downloading files. That’s at least the goal.
Fortunately, GPs, for the most part, are meeting that goal. Last year we wrote about “The rise of the CTO” in response to IT professionals – the good guys in the war against hackers – enjoying a rise in status around the firm because of cybersecurity and regulatory issues. Senior managers realize cybersecurity isn’t just a tech issue either, but something that requires firm-wide buy-in. Anything less is a threat to normal business operations.
But here’s the rub: cybersecurity is a job without a finish line. It’s impossible to stop a determined hacker from infiltrating the firm’s systems, but GPs aren’t sure what it takes to avoid being an easy target.
It’s why every firm, and not just those in the US, should take a hard look at the SEC cybersecurity risk alert issued last week. What’s great about the alert is how much effort the commission made to break its findings down by percentages, something clearly done to give registered entities a benchmark for their cybersecurity readiness. It isn’t clear whether the SEC will write specific rules on cybersecurity, but it has made no secret that the issue will be a top priority during inspections in 2015. Don’t be shocked if inspectors use the risk alert as inspiration for the types of questions they will ask during exams.
But the industry shouldn’t make regulations the driving force behind more cybersecurity training and data protection. True, GPs have come to appreciate the need for building digital fortresses – which we talk about at length in our February issue, out now – but many still have the mentality that private funds are too small a community, or don’t hold enough sensitive client data to steal for identity theft purposes, to be a real target for hackers. That kind of thinking is dangerous. The Sony hack alone – which may or may not have come from North Korean cybercriminals – proved that damaging a company’s reputation is enough incentive for hackers to want to infiltrate its systems. Imagine a private equity-backed company going belly up, leading a laid-off factory worker’s whiz-kid son or daughter to exact revenge.
And then there’s the internal threat: a disgruntled employee who begins downloading thousands of files for purposes that can only be bad. A few weeks ago we learned that TPG apparently suffered this very situation. A former TPG spokesperson, allegedly upset over being passed over for a promotion, downloaded sensitive files from TPG’s systems to his laptop, according to a complaint filed by TPG in a US district court. GPs that build systems which can track data movement, and restrict access to confidential documents based on certain criteria, are better able to prevent this kind of crisis from happening.
To be sure, private fund professionals take on a more serious tone when talking about cybersecurity these days. Now, with the SEC benchmark in hand – and more importantly the acceptance that cybersecurity is a firm-wide issue for all staff – the next step is turning that talk into more action.