Cyber-crime is a booming business and the threat levels have never been higher. A little over half of US companies reported a cyberattack in 2018, up from 38 percent a year earlier, according to Hiscox.
And – as financial institutions involved in the regular transfer of large amounts of money, but with relatively lean organizational structures and limited IT and security manpower – private equity houses are a cyber-criminal’s dream. Nearly a quarter of private equity firms experienced a cybersecurity threat in 2018, an EY survey found, with 58 percent of those threats considered to be at least moderately serious.
That comes through clearly in our 2019 Private Funds CFO Insights Survey, where 62 percent of CFOs consider strong cybersecurity protocols a “must-have” for investors, up from 47 percent in our 2018 survey.
The vulnerabilities, for private equity, exist at three levels. First, there is the transaction process, which will inherently involve the communication of deal-critical information. Then, there are the risks associated with the management of portfolio companies and the implications for exit value – Yahoo’s price tag famously fell by $300 million after a series of breaches in the run-up to its 2017 acquisition by Verizon.
Finally, and most importantly for those responsible for fund administration, there is the private equity firm itself and its relationship with limited partners. A failure to take the necessary steps to mitigate fund-level cyber-risk may result not only in punitive financial losses but also in significant reputational damage.
So what can be done to protect a private equity firm from cyberattacks? We asked three financial cybersecurity experts – RFA’s Michael Asher, Agio’s Ray Hillen and Drawbridge Partners’ Anthony Patti – for their advice to private equity firms, and about the future of cybersecurity in private equity.
What cybersecurity threats should private equity managers be aware of?
Michael Asher: The majority of threats I see come from phishing, but we’re also dealing with concerns about migrating data to cloud systems on a regular basis. Many private equity firms are now relying on third-party services (analysts) to sort through massive amounts of information, including confidential data, ultimately in order to produce better returns. Where previously you had a single point of entry, firms are now providing their data to several vendors and service providers, all of whom could be at risk of a cyber-breach.
Ray Hillen: We’re seeing a lot of wire transfer fraud, maybe two times per quarter. These incidents often start with phishing and involve between $250,000 and $6 million. Many firms don’t have good wire transfer protocol – it’s still very common for them to be using email-only authentication. There are three or four parties involved in an acquisition: the private equity firm, the portfolio company, the bank and an attorney. It only takes one of them to be compromised – it doesn’t necessarily need to be the private equity firm itself.
Anthony Patti: The most common threats we see are related to phishing, email spoofing and social engineering of untrained users, which ultimately lead to breaches at the GP, LP and portfolio company level. These breaches are specific to fraudulent wire transfers, unauthorized account withdrawals and compromised confidential information.
Private equity managers are an appealing target for cyber-criminals, because they have access to, and move, large sums of money on a frequent basis, and because they have access to highly confidential investor information. They do not have the manpower of a major bank or enterprise, and generally don’t have internal staff dedicated to IT or cybersecurity, which puts them at significant risk of cyberattacks.
What can private equity firms do to mitigate cyber-risk?
MA: During the transition to cloud-based systems, education is key. It pays to do your homework and due diligence from the very beginning, and ask the right questions of whoever is doing your IT. Not just “is it secure?” but “is it scalable, is it going to stand the test of time?” Once you integrate systems, be mindful of how you are sharing data. A low-level analyst can share all your crown jewels with the click of a button.
RH: Firms need to take a multi-layered approach to preventing wire transfer fraud, with user awareness and education, and phishing-resistant multifactor authentication. There should be voice or video authentication on larger wire transfers – it’s amazing that people aren’t using this technology given its ease and availability.
AP: Private equity managers should first work to create a culture of security and train their users appropriately so that they avoid falling victim to the types of attacks listed above. They should then work to build a program that fits the appropriate framework, including policies and procedures, risk assessments, vendor due diligence, threat and vulnerability management, and training and awareness. The most common mistakes that we see are related to negligence. Often the firm is lackadaisical in its approach with respect to enforcing its policies and procedures, and users are also negligent when falling victim to an attack.
What is your outlook for cybersecurity in private equity?
MA: Cloud-based systems are nothing to be scared of, but it is important that private equity firms understand the risk factors that come with them.
RH: I think we’re going to see a greater awareness of cyber-risks within portfolio companies – we’ve already seen portfolio companies’ valuations go down after a cyber-breach. One way to tackle this is by educating the non-technical employees that are part of the deal teams, who are valuing the portfolio companies, and making sure that they have the right information to find out whether they are at risk of a cyber-breach. At the moment it’s an afterthought.
AP: Given the growth in the number of PE firms and private equity deals in the current market, we feel that these types of firms will continue to be a high-risk target from a cybersecurity perspective. Firms should ramp up their programs internally or do so with the assistance of a third-party cybersecurity consultant.
Michael Asher is the chief information officer at RFA, an institutional-quality IT, financial cloud and cybersecurity services provider to the investment management sector.
Ray Hillen is the managing director of cybersecurity at Agio, a cybersecurity and managed IT provider with a dedicated private equity team.
Anthony Patti is vice-president at Drawbridge Partners, a cybersecurity consulting firm specializing in the needs of hedge fund and private equity managers.