KKR’s Karpati and Stern: Collaboration provides focus on cybersecurity priorities

KKR’s global CCO Bruce Karpati and CISO David Stern talk about building a successful relationship between compliance and tech, speaking the regulator's language, and what and who not to rely on when building and maintaining your cybersecurity defenses.

KKR’s chief compliance officer, Bruce Karpati, and chief information security officer, David Stern, are a team. Dialogue and disagreement with each other help to focus their priorities when it comes to all things cybersecurity and data protection.

The two spoke with Private Funds CFO to discuss their top concerns, their greatest challenges, and how they try to build and maintain first-class defenses against attacks and errors while also complying with today’s cyber regulations.

What are the top cyber concerns for a chief information security officer and compliance officer today? What threats keep you up at night?

David Stern: There are four things that concern me. The first is how to protect our data. I would say that protecting private equity data is incredibly complex and can be hard to do, especially in a mature organization.


The second is how to prevent insiders from misusing that data.

The third is our supply chain. We, like any other business, work closely with cloud providers, law firms and other service providers that operate outside of our firewall. We rely on them to protect themselves and it’s something we have to stay vigilant about.

Finally, with KKR being a global organization, I worry about geopolitics and how they impact regulation.

Bruce Karpati: For me, the most concerning cyber issues are supply chain management and vendor management. Attacks are going to happen no matter what, so it really comes down to how to best prepare yourself for that inevitability. Recently, David and I have been talking a lot about generative AI and how the nature of cyberattacks in that area has been highly sophisticated, which requires additional preparation.

How do you keep on top of the various risks you’ve identified and then how do you mitigate them?

DS: It’s a long road. If you would have asked me my top concerns two years ago, my answer would have been very different. Back then I wouldn’t have thought about insider threats because other issues were more of a focus, such as ransomware. But now there is a regulatory regimen around cyberattacks, which makes compliance such a big part of assessing and addressing our cyber-risks.


To stay on top of the regulatory regime and your own risk profile, you have to work with compliance and legal to understand how various issues impact your operations. I used to think that cyber required technical fixes to make issues go away, but now I understand that it takes a village to identify, understand and mitigate cyber-risks to the firm.

BK: For me, it’s all about preparation, preparation, preparation. You have to think about how you can best protect yourself long-term. For us at KKR, David and I co-ordinate our teams to be proactive and prepared across a variety of areas so that we can be ready to address any issues that may arise.

For firms that have a CISO and a CCO, can you tell me how the two can work together to better protect the firm?

BK: First and foremost, if we’re not on the same page then there are going to be real issues. With David and me, I think what’s been good about our relationship is openness and transparency to be able to escalate issues to each other when we don’t necessarily agree. This has to happen. And second, you have to be co-ordinated on your areas of focus, for example, your incident response plan, and your policies and procedures.

DS: I think it’s great having a partner with expertise and a focus on issues that you don’t. Bruce is extremely clear thinking and he’s laser focused on the things that matter. He keeps me focused on these issues. On any given day I could be pulled away on 16 different things, but I know Bruce will help keep me focused. I think that’s really important.


What is compliance’s role in a firm’s cybersecurity? What do CCOs need to know about cyber and how do they stay on top of current risks, and prepare a firm for an inevitable SEC exam where examiners likely will focus on cyber issues?

BK: The current regulatory construct makes it imperative that compliance officers be integrated into information security programs. The compliance rules are based on the premise that you have to build your compliance program according to the risks that your firm is facing, develop a set of policies and procedures based on those risks and then test those policies and procedures on an annual basis.

We’ve only seen that regulatory regime continue to expand. The SEC’s proposed rules basically re-emphasize this point, making it imperative that compliance officers know what’s happening in the cyber space. It is essential for compliance officers to partner with the tech team. I am not a cyber expert, so I need that partnership with David to be able to respond effectively to regulatory inquiries and exams, and to be proactive.

At KKR, we have an infrastructure that is built around making sure we respond in the way that regulators want. Some of the things we do include having a regulatory exam working group that has exam template responses; we do mock exams; and we also have an audit team that is focused on cyber issues. We’ll also look at the SEC’s risk alerts and make sure that we cover the practices highlighted.

Because of the nature of our business, we have had real regulatory interest in our cyber program, which has led us to coalesce around these topics and make sure that we are prepared.

DS: I could have the best cyber program in the world, but if I’m not prepared to speak the regulator’s language then I’m going to fail. I think Bruce and his team do an amazing job in making sure that we understand what it is we need to have when it comes to cyber protections, and we need to speak the SEC’s language so they know we are doing what they expect.

The worst thing you could do is take a cybersecurity engineer and put them in front of a regulator. That’s where the partnership comes in: with compliance helping us make sure we’re doing things right, I can deliver my program the way it’s supposed to be delivered.

We’ve talked about the roles of the CCOs and CISO in cybersecurity, but what should all employees at the firm know about the firm’s policies and procedures? What training should be done, and how often should it be done?

DS: Training is very important, but how you deliver it really matters. You can’t simply deliver hundreds of hours of training a year in the same format; people need to hear things in different ways. While we do have mandatory training, it’s more about getting the message out, so I prefer to have regular conversations with smaller groups.

It’s a lot easier to talk to 100 people than to send a mass message out globally. So, we have these cyber conversations, we’ve had sessions with an FBI cyber agent, and we always look for opportunities to educate our people on different issues. Recently, we’ve been experiencing a lot of phone-based attacks with attackers trying to poke around to try to get information, so these incidents become teaching moments in how to spot a scam, how to respond, and who to report it to.


BK: We do regular phishing exercises where people inevitably get caught because they are so difficult to detect. We also have live trainings and online trainings by our portfolio company KnowBe4. And then we have continual alerts. It’s an array of things that we’re doing to keep our folks prepared and to make sure our policies and procedures are understood and are being followed.

How do you get firm-wide buy-in to KKR’s cyber policies and procedures?

BK: You need a firm that prioritizes compliance and cybersecurity. Ultimately, for you to be able to execute, you need that fundamental support from senior management who are setting the right tone about issues like this and coordinating with them on the right messaging to everyone across the organization.

Drilling deeper into one of the top risk areas for KKR – data security – how does the firm figure out what data must be protected and once you’ve figured that out, how do you protect it?

DS: Protecting data starts with the individual, so we embarked on a program last year to start talking to people about data generally, what data is important to them, and what data they think should be protected. We took that long journey because it’s the individuals who know what data needs to be protected and they are the ones who are going to protect that data.


Once we’ve emphasized the importance of protecting data and mapped which data is most important, then we can start applying protections. Applying protections is the easy part. It’s knowing where to apply those protections that takes so much time.

BK: I would say risk assessments are critical to knowing what your data risks are, so that you can then take the right precautions around those risks.

There are also risks that come from your various vendors, so how do you deal with vendor security? Are there specific policies and procedures or protections you want to see in place at the vendors you work with?

BK: We have developed a vendor risk management program where we’ve identified the highest risk vendors, and we regularly test our third-party vulnerabilities. You can’t necessarily control your third parties, but you can set up a system and develop policies and procedures for vendor management that lets you look at issues like cybersecurity as well as a host of other issues that vendors might have and develop your own protections and responses to those issues.

DS: I don’t think there’s one solution to solve the vendor risk problem. There are a lot of solutions out there that try to address third-party risks, but I don’t think firms should put too much stock in these technologies. I think it comes down to having a regimen in place and a set of rules to figure out what a vendor is doing on their side of the firewall. So, it comes back to figuring out who are your riskiest vendors and trying to manage the impact to your organization if they have an incident.

Cybersecurity is constantly evolving, so how do you stay on top of new issues? How often do you do a risk assessment to try to identify new areas of concern?

BK: Risk assessments are a constant. As a firm, the risk team, audit team, compliance team and the cyber team are regularly doing risk assessments because risks are ever-evolving. You have to make sure you’re evolving your policies and your procedures so that you’re always covering the current risks you face.

DS: There’s no way that in this ever-evolving world you’re going to be able to prevent some type of breach from happening. I think that’s where all the preparation around incident response comes to the fore. All of these risks are so extensive that you can never protect yourself entirely, so to deal with that you really have to be prepared for an eventual incident to happen.


Security has always been a continuous system and you can never be 100 percent protected all the time. You have to constantly be assessing your risks, and continuously thinking about how to best protect yourself. Security never stops.

We’ve talked about what firms should be doing when it comes to cyber concerns, but what are firms doing wrong, or not doing at all? What’s being missed?

BK: I don’t want to speak for others. What I would say is that no cybersecurity program is perfect and you’re always going to need to reassess and make adjustments as threats evolve. The main thing is that it’s not a question of “if” an attack is going to happen, it’s a question of “when” it will happen, and the best thing you can do is to be as prepared as possible to respond.