Phishing is becoming a growing concern in the private equity industry, as executives become the target of individuals illegally acquiring data for their benefit, such as for transferring money.
Phishing is the act of obtaining sensitive information like usernames and passwords by pretending to be someone else. One typical way for thieves to take advantage of private equity firms is when firms release information to the public, such as announcing the purchase of a company for their portfolio of investments. The news often contains names of top executives at the management level as well as at the portfolio company, who then become the mark of cyber thieves. Those thieves then send messages to executives’ email addresses, which can be found online on their firms’ websites.
“Right now, when you look at the threat factors that cyber criminals are exploiting, phishing has got to be right up there, with ransomware [and] wire fraud,” a private equity executive said at the 2018 Private Fund Finance & Compliance forum in San Francisco on Wednesday. “They’re pretending to be someone to get transferred large sums of money to their account. We get phished often, our portfolio companies get phished often.
“It’s not that difficult if you acquire a company – you put out a press release and your deal partner is probably quoted in that. It’s not difficult for someone to pretend to be that deal partner and send an email to someone in the portfolio company.”
One way people in the private equity industry are looking to combat this is by purchasing cyber insurance to mitigate the risk of an incident. In case of an attack, one speaker advocated having an incident response plan that details initial steps of action, which includes informing interested stakeholders, not just the IT team. “Focus on protection, investigation, mediation – all the way down to eradication,” he said.
Not every firm is capable of dedicating its resources to hiring a full-time employee dedicated solely to cyber security, so hiring outside service providers helps. Other measures that can be taken include making sure employees only send sensitive work documents through work emails and other work-related channels. Another measure firms are working on is educating their whole company on preventative cyber security measures, including executives.
“A lot of times when we’re brought in to do user awareness training, guess who’s not there? The CFO, the CEO, the GCs,” the speaker said. “In reality, they’re the ones being targeted the most and have the most influence.”