How private equity firms have been hacked

Cyber-attacks on private fund managers are becoming increasingly sophisticated and can take many forms, from spyware and malware to direct hacks into a firm’s network.

Cybersecurity is the biggest threat to the financial system, according to Mary Jo White, the chair of the SEC’s Office of Compliance Inspections and Examinations.

The regulator has made cybersecurity an important part of its private fund examination to ensure that firms have the proper systems and programs in place to protect their investors’ money.

And cyber-attacks really do happen at private equity firms. Here are three real-life examples. pfm is not revealing the names of the firms and individuals involved.

CASE ONE: An accountant at a private equity firm received an email supposedly from one of the general partners at her firm asking her to transfer a certain amount of money to a specific account. The account number looked familiar except for one digit, prompting the accountant to forward the email to her chief financial officer, who found out the general partner had never sent that email; it had been sent by someone posing as him.

THE LESSON: Phishing scams looking to retrieve sensitive information or to prompt someone to transfer money are becoming increasingly sophisticated. Private fund advisors should train employees to identify red flags. Employees should be taught not to click on links in such emails and not to transfer money unless they have first spoken directly with the person requesting the transfer.
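The two red flags in Case One, a destination account that is one digit off an approved payee and a partner's name on an email sent from the wrong address, can be checked automatically before a transfer is approved. The following is an added example, not code from pfm or from any firm in the article; the approved accounts, firm domain, partner name and addresses are constructed sample data.

```python
from dataclasses import dataclass
import email.utils

# Constructed sample data for this example: the firm's approved payee accounts,
# its mail domain and its partners. None of these values are real.
APPROVED_ACCOUNTS = {"GB29NWBK60161331926819", "DE89370400440532013000"}
FIRM_DOMAIN = "example-capital.com"
PARTNERS = {"Jane Partner": "jane.partner@example-capital.com"}


@dataclass
class PaymentRequest:
    from_header: str  # raw From: header of the email requesting the transfer
    account: str      # destination account quoted in the request


def hamming(a: str, b: str) -> int:
    """Number of differing positions; only meaningful for equal-length strings."""
    return sum(x != y for x, y in zip(a, b))


def account_findings(account: str, approved=APPROVED_ACCOUNTS, max_diff: int = 2) -> list[str]:
    """Exact match is fine; an account a digit or two away from an approved one is a lookalike."""
    acct = account.replace(" ", "").upper()
    if acct in approved:
        return []
    findings = [f"lookalike of approved account {known}"
                for known in approved
                if len(known) == len(acct) and 0 < hamming(known, acct) <= max_diff]
    return findings or ["account not on approved payee list"]


def sender_findings(from_header: str, partners=PARTNERS, firm_domain=FIRM_DOMAIN) -> list[str]:
    """Flag a mail that carries a partner's display name but not that partner's address."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if name in partners and addr.lower() != partners[name].lower():
        findings.append(f"display name '{name}' does not match the partner's address")
    if name in partners and domain != firm_domain:
        findings.append(f"partner name used from external domain '{domain}'")
    return findings


def review(req: PaymentRequest) -> list[str]:
    """All red flags for one request; an empty list means none were found."""
    return sender_findings(req.from_header) + account_findings(req.account)
```

A non-empty result is a reason to stop and call the partner on a known number, not a reason to reply to the email.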

CASE TWO: A private equity firm received an email purporting to be from an investment bank about an upcoming debt transaction. The firm disregarded it, but received a follow-up email saying the bank was planning a conference call to address client questions. The follow-up asked the recipient to click on a link to get details of the call. The recipient at the firm did not click on the link in the email, which turned out to be fraudulent, but instead alerted the appropriate person about it.

THE LESSON: Attempts to install malicious software on a firm’s computer systems can be devastating for a firm. Not only can such software infect the systems and steal existing fund and portfolio company information, but hackers can hold the stolen information to ransom. Again, private equity firms should train employees to identify such threats and to refrain from clicking on links in such emails.

CASE THREE: After a thorough due diligence process, a venture capital firm decided to invest in a start-up that produces video games. Someone in China hacked into the portfolio company and stole key elements of the company’s intellectual property, including an important unreleased product. The hacker sold the product to a rival company, which resulted in the video game being released before the portfolio company could bring it to market, rendering the investee company virtually worthless.

THE LESSON: Cyberattacks can impact third-party vendors and portfolio companies. Cybersecurity should be an integral part of a firm’s acquisition due diligence process.

Private fund advisors can find guidance from the SEC on cybersecurity best practices in its risk alert documents from April 2014 and September 2015.