Chief compliance officers are not known for being tech-savvy, which makes it all too easy for them to underestimate the ability of ill-intentioned hackers to disrupt normal business operations. But over the past year, CCOs have been waking up to the fact that cybersecurity is as important an area as any other, leading many to make the case to senior management that additional resources are needed to protect the shop’s IT systems, train staff on how to secure roaming mobile devices and monitor data movement within their systems with more diligence. And it didn’t take a headline-grabbing Sony hack – reportedly orchestrated by a villainous dictator shouting cyber threats against America on the world stage – to grab their attention.
For starters, the US Securities and Exchange Commission (SEC) put together a cybersecurity questionnaire that GPs have been using to test their cyber vulnerabilities (and withstand questions from inspectors who expect a certain level of readiness). Beginning in mid-2014, the commission paid a visit to more than 50 registered advisers and broker-dealers to test their cybersecurity preparedness. The questionnaire itself was clearly written by tech experts, making it a difficult read for anyone without a bachelor’s degree in computer science. But jargon-filled questions around “remote customer access and funds transfer requests” and “testing the reliability of event detection processes” inspired CCOs to think about cybersecurity in a much bigger, more intelligent way. In the end, many said the questionnaire was the perfect starting point to perform a gap analysis on how their electronic data is stored and accessed.
“The chief compliance officer should sit down with internal senior IT professionals and/or its outsourced IT vendor to figure out what the firm’s answers might look like in response to each question on the sample request list,” advises ACA Compliance Group partner Theodore Eichenlaub, a compliance consultant.
Equally important was the questionnaire’s ability to convince senior partners that cybersecurity wasn’t just an important item to consider on a need-to-know basis, but an essential piece of the firm’s ongoing compliance, and even operational strategy.
“Look, it’s not that our managing partner didn’t take cybersecurity seriously, it’s just that a risk alert with the three letters S-E-C at the top is going to give me the leverage to recruit a dedicated IT security professional or hire an outside consultant to walk us through the questions,” one US-based CCO said when asked about what effect the questionnaire had internally.
And what might come of the cybersecurity sweep? To date, there haven’t been any enforcement proceedings on the issue, but that may be a result of cybersecurity being a nebulous requirement that regulators haven’t offered any definitive guidance on. Multiple sources expect the SEC to craft that guidance sometime this year, but the commission declined to confirm or deny the speculation.
“One way they might do it is by adding cybersecurity preparedness to the annual review, which registered advisers are of course required to complete on an annual basis,” guesses Eichenlaub.
High-profile cyber-attacks against major retailers and businesses did however move the needle in terms of cybersecurity being taken more seriously at the firm. The aforementioned Sony hack demonstrated to private fund managers that cybercriminals aren’t necessarily seeking a financial reward for their efforts.
In the past, many GPs held the belief that a private equity or real estate firm was a soft target for hackers because any information gained from a systems breach couldn’t easily be used to steal a client’s funds. Unless wire transfer data or certain fund accounting information was compromised, the thought was that cybercriminals gaining unauthorized access to their deal pipeline was, at most, a nuisance.
“The conversation changed for more fund managers in 2014,” says Michael McCarron, chief information officer at large-cap private equity firm Bain Capital. In some ways Bain Capital is far ahead in the cybersecurity game on account of a former high-profile executive who entered the public eye. “That immediately made us a target for hackers,” says McCarron. The Sony cyber-attack – in which hackers leaked embarrassing emails sent by Sony Pictures executives – was a “wake up call” to other GPs that sometimes the objective is to simply tarnish the firm’s reputation, says McCarron.
An earlier 2013 attack against Target – in which credit and debit card data was stolen from 40 million accounts – is another cautionary tale still being discussed by GPs. The breach reportedly began with a malware-laced phishing email sent to employees at a third-party HVAC firm that did business with the company. Target, a company with some $45 billion in assets, poured ample resources into securing its network only to be compromised through its relationship with a less-secured outside vendor.
“There’s no question third party providers need to be part of your cybersecurity policies and procedures,” the CCO said. “If you don’t, I’d imagine it’s that kind of negligence the SEC would look at if they wanted to bring cybersecurity enforcement action against an adviser.”
Experts recommend quizzing service providers about their budget, and how much of it is dedicated to cybersecurity readiness. Other questions – who at the organization is responsible for cybersecurity, what types of gap analysis tests are performed and how they’ve responded to cybersecurity threats in the past – should also be asked to get a feel for their preparedness. These assessments should be conducted on a regular basis, and if the relationship is terminated, the provider should be asked how the firm’s data will be destroyed or preserved confidentially, cybersecurity experts stress.
“And if a vendor uses their own outside providers – so maybe a firm in China or India to handle an easily outsourced task – the questions then have to drill even deeper into that,” adds KPMG principal Glenn Siriano, who specializes in data protection.
As alluded to earlier, many CCOs also wonder how much of a threat cybersecurity really is for smaller firms with less visibility. Sure, a major bank like Goldman Sachs that is often the target of Wall Street resentment has reason to worry. But a small firm operating in the Midwest is surely too far off the map for hackers to consider. CCOs speaking to pfm say this mentality was very real even just a year ago but is now widely considered dangerous thinking. Cybercriminals are generally unpredictable in who they target, and cybersecurity risks often come from within.
“Take the example of a disgruntled employee who was just fired and starts downloading every document in the firm’s shared folders. Do you really want that person leaving with your data?” said a second CCO. And because large organizations like JP Morgan, and closer to home, The Blackstone Group, have already committed significant resources to cybersecurity, the smaller GPs may be viewed as a weaker entry point to these large firms or simply a softer target easier to infiltrate, adds Siriano.
As if GPs needed any further convincing, the investor relations factor is the final major piece pushing cybersecurity to the fore. Cybersecurity is fast becoming a standard part of LPs’ operational due diligence, meaning GPs should be prepared to explain what steps they’ve taken to protect their networks.
“Five years ago no one was talking about cybersecurity,” said the second CCO. “Now it’s one of the biggest compliance issues out there.”
The best defense is a good defense
Of course, appreciating the importance of cybersecurity is only the first step in safeguarding the firm from attack. Over the past year, GPs have explored a range of strategies to bolster their defenses, but admit it’s a project that’s never really completed.
“I don’t think anyone can say they’re 100 percent bulletproof,” says Bain’s McCarron. “You could have the best people in the world working on your cybersecurity and it only takes one mistake made by a staffer to let the bad guys infiltrate your network.”
Accordingly, GPs are beginning to create dedicated cybersecurity training material and distribute it firm-wide.
“As part of my spring training I’ll allocate some time to tell staff they can’t use an unencrypted thumb drive, for example, or that they can only use the corporate cloud for storing and sharing files,” says the first CCO.
Eric Feldman, chief information officer at The Riverside Company, says the mid-market investor even plans to decorate its walls with cybersecurity information awareness programs. “They’ll be lighthearted posters that remind everyone to lock their computers and ignore suspicious-looking emails.” Feldman adds the firm intends to create a 15-minute video featuring a fictional Riverside employee that explains all the dos and don’ts of cybersecurity. At Bain, a consultant was used to send employees a phony phishing email that, if clicked, would present fooled staffers with cybersecurity education material.
Aside from formal training exercises and compliance material, some GPs are distributing regular emails about the firm’s cybersecurity efforts as well as news highlights of major data breaches making the headlines; the idea being to keep the issue fresh in mind throughout the year.
David Smolen, general counsel and chief compliance officer of mid-market private equity firm GI Partners, says it’s additionally important to instill the message that suspicious content can and should be investigated.
“We have made it clear to everyone that if they receive an email from a firm employee asking to make a payment in an urgent or other unusual fashion, it is always OK to call that employee without fear of reprimand – regardless of how senior or busy that employee may be – to confirm the legitimacy of the email,” says Smolen.
In fact, it’s been senior partners who are the biggest liabilities when it comes to cybersecurity risk, multiple sources speaking to pfm agree.
“In my experience it’s most likely been the senior managers that upload sensitive documents to a personal cloud or forward important files to their personal email,” says a US-based compliance consultant.
The first CCO adds that managers also sometimes make the mistake of calling into a board meeting on their cell phone, which could be roaming in and out of unsecured networks. “And it’s always the senior personnel that leave their briefcase or laptop in some foreign country unlocked,” he adds, while stressing the importance of creating a cultural mind shift on cybersecurity that needs to start from the top.
At a more sophisticated level, GPs are installing software systems capable of tracking data movement throughout the firm’s entire network. The software can detail who is accessing what and at what time.
“If you move, print or upload a file – even uploading your resume – we’ll know about it,” says one private equity in-house information technology director, who adds that a similar notification can be triggered for employees attempting to move large amounts of data. His firm is considering going one step further: senior management may remove the ability for staff to use external drives, which can be used to covertly steal thousands of files. The IT director says it also stops people from backing up work on their home computer, which may be infected, and then plugging a thumb drive into the firm’s shared system, which runs on a closed corporate cloud.
Because it would be nearly impossible for the compliance or tech team to monitor every employee’s online actions every day, some GPs are creating history logs of what types of files or programs employees access, and telling the system to notify them whenever a user begins exhibiting anomalous behavior.
“You could, for example, see that a data entry clerk accesses the same three or four applications every day, but then suddenly begins opening a fifth application at the end of the work day. The system could see that as a red flag,” says Siriano. Some private fund professionals gripe that the systems slow down their computers, but cybersecurity experts say they’re necessary to create activity logs that can be used to determine where a breach may have occurred (and by whom).
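The baseline-and-alert logic Siriano describes, as an added illustration that is not from the article or any vendor’s product: a per-user baseline of applications is learned from a constructed activity log, and later entries are flagged when a user opens an application outside that baseline or moves an unusually large volume of data. The log format, user names and the transfer threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log (not real data): "timestamp,user,action,target,bytes"
BASELINE_LOG = """\
2015-01-05T09:02:00,clerk1,open,ledger_app,0
2015-01-05T09:40:00,clerk1,open,crm_app,0
2015-01-05T11:15:00,clerk1,open,email_app,0
2015-01-06T09:05:00,clerk1,open,ledger_app,0
2015-01-06T10:30:00,clerk1,open,crm_app,0
2015-01-06T14:00:00,clerk1,copy,deal_memo.docx,120000
"""

# Later activity to be scored against the baseline (also constructed)
NEW_LOG = """\
2015-01-07T09:01:00,clerk1,open,ledger_app,0
2015-01-07T17:45:00,clerk1,open,deal_pipeline_db,0
2015-01-07T17:50:00,clerk1,copy,pipeline_export.zip,850000000
"""

LARGE_TRANSFER_BYTES = 500_000_000  # assumed threshold; a firm would tune this

def parse(log):
    """Turn the CSV-style log into (timestamp, user, action, target, bytes) rows."""
    rows = []
    for line in log.strip().splitlines():
        ts, user, action, target, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, action, target, int(nbytes)))
    return rows

def build_baseline(rows):
    """For each user, the set of applications opened during the baseline period."""
    apps = defaultdict(set)
    for _, user, action, target, _ in rows:
        if action == "open":
            apps[user].add(target)
    return apps

def detect(baseline, rows, large=LARGE_TRANSFER_BYTES):
    """Flag first-seen applications and large copy/upload/print volumes."""
    alerts = []
    for ts, user, action, target, nbytes in rows:
        if action == "open" and target not in baseline.get(user, set()):
            when = "after_hours" if ts.hour >= 17 else "business_hours"
            alerts.append((user, "new_app", target, when))
        if action in ("copy", "upload", "print") and nbytes >= large:
            alerts.append((user, "large_transfer", target, str(nbytes)))
    return alerts

def run_demo():
    return detect(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))
```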
Top-level executives, who have the keys to the kingdom, are also given priority. These systems can limit employees’ access based on seniority or job description (and notify the CCO whenever a user attempts to stray outside their permitted digital area), which also means a disgruntled senior partner has the most ability to do damage.
Smaller shops with less financial capital to invest in state-of-the-art cybersecurity software are finding other ways to protect their systems. Simple fixes like requiring employees to password-protect their cell phones, or encrypt their mobile devices, are a few common ones. One CCO said he realized that using a digital PIN pad (instead of a deadbolt) to secure his servers allowed him to electronically log who was coming in and out of the server room. Another inexpensive tip being used: any time an executive is hopping on a plane, an email reminds him or her of some simple cybersecurity practices, like keeping their laptop guarded.
And if the firm can’t afford its own corporate cloud, as some larger firms have, some GPs are providing guest networks that staff can log on to at the office. The deal is that an employee uses their personal laptop or tablet whenever browsing the internet or accessing personal emails and files. Unfortunately, all the training in the world doesn’t stop someone from simply ignoring the company policy, which, like cybersecurity risk itself, is something GPs may never be able to fully prevent. Nonetheless, private fund managers are appreciating the need for – and taking time to build – stronger digital fortresses.