NY Forum: Cybersecurity stresses funds, portco relationships

Growing risks challenge funds’ governance, experts agree at the New York CFO Forum

Cybersecurity’s growing risk is straining relationships between funds and their portcos, experts said Tuesday at Private Funds CFOs’ New York Forum.

Cyberattacks have landed on private equity managers in two ways, one executive at a cybersecurity consulting firm warned at the confab. One wave has involved attacks on the third-party IT service providers common among fund managers. The other form has followed public announcements of portco acquisitions, where cyber-hackers impersonate fund or portco executives in phishing schemes. Both are on the rise, the cybersecurity executive said.

All the panels at the Forum were either off-the-record or held on the condition that speakers not be named.

Regulators have already been focusing on the first form of attacks. The SEC has opened an exam sweep of private fund managers, asking them about how they defend their technological perimeters. Separately, they have been asking questions about how they vet their third-party vendors. Among the concerns regulators have voiced is that the third-party service provider market is concentrated, so a successful hack against one vendor could cascade across the sector.

The second form, though, the cybersecurity executive said, is still insidious. Indeed, at one panel Tuesday, 65 percent of the audience said their top cybersecurity concern was a lack of visibility into their portcos.

Governance challenge

That’s a frontal challenge to funds’ governance models, said a senior vice-president at an insurance firm. How do funds even evaluate a given portcos’ cyber-risks when the portco itself is not used to dealing with cybersecurity as an enterprise-wide threat?

It can require a delicate balance, said a chief technology officer at a $29 billion fund manager. Portcos may have their own cyber-systems in place, but many may need significant help ramping up their cybersecurity capabilities. That means that fund managers’ top levels should be talking early and often about how they will bring portcos into the funds’ defense perimeters, and “if those conversations aren’t happening, the deal teams or the operations teams ought to be raising them,” the CTO said.

For publicly traded private funds, that may be an easier point to get across, said the chief technology officer of a $150-plus private equity fund that is publicly traded, because public company board members can be held personally liable for cybersecurity lapses. Still, all funds have to look for “leverage points” because most cannot afford to spend the billions that some of the world’s largest asset managers spend on cybersecurity. That, in turn, means funds must focus on vendor diligence – for instance, checking whether a given vendor’s development centers are in Eastern Europe or other hacking hotspots.

Some funds start with a cybersecurity survey of their portcos. The difficulty is that the surveys can’t always capture the nuances of a firm’s understanding and readiness, the insurance industry executive said. He recommended hiring outside firms to have in-depth interviews with a newly acquired portco’s teams, and building what he called “a road map” of cybersecurity threats.

Any vendor ought, at a minimum, to be able to understand the relationship between the fund manager and the portco, as well as to offer real-time, clickable assessments on each company’s risks. “The days of spreadsheets are over,” the insurance executive said.

‘Training is key’

When Delta Dental was hit with a data breach that exposed the private info of seven million customers, private equity firms who used the company as a dental care provider for employees or invested in them had to deal with that breach internally. One chief technology officer said he had to talk to employees who were exposed to the data breach to help them protect their identities.

“Third-party compromises are a really big risk and you have to stay on top of them,” the CTO said. “Whether you use the firm as a third party provider or it’s a portfolio company, you have to stay on top of what happened and how the company is responding to the breach.

Another firm had to deal with a breach from DocuSign, in which hackers were breaking into legitimate accounts and asking for signatures for fake documents.

“Training is key. We use AI-generated phishing simulations to make this real as possible for employees so they hopefully don’t fall for the next scam,” the CTO said. “It really is the best way to educate.”

The managing director of a mid-market PE firm said he still asks employees to send questionable emails to him so he can investigate.

“I tell everyone, send it to me if you have any doubts. I’ll look at it to see if it’s actually from a training platform, our compliance to people, or any of our outsource providers,” the person said.

He advised all CFOs to have someone in the firm focused on technology or cyber issues if the firm does not have a chief technology officer.

‘You need to break it down’

The second CTO said the technology team also must take the time to make everyone at the firm understand potential risks.

“They don’t know the lingo, so you need to break it down to what the actual risks are to the firm. Making sure the senior folks at the firm, who might not understand all of the tech acronyms, understand the risks they are facing makes all the difference in the world. They’ve got to be able to relate to what technology has to do in terms of the actual business,” the CTO said.

Another attendee said communication is necessary to combat cyber issues. She suggested that the firm’s senior executives convene to talk about risk areas and how to mitigate those particular risks.

“You will have some execs whose eyes are rolling back in their heads, but you have to give them the information so they better understand what we’re trying to accomplish. The last thing anybody wants to be is to be the sucker at the end of the day that got exploited by a phishing attack,” she added.

A CFO/CCO said it is helpful to use real world examples of issues and how to deal with them.

“It’s very helpful if it’s not so abstract. You can use hypotheticals, but if you can point to a real world situation to bring an issue home, it’s very helpful,” that person said.