As readers of pfm are aware, cybersecurity has skyrocketed up CCOs’ priority lists ever since the US Securities and Exchange Commission (SEC) made the protection of digital data, and by extension the stability of a computer-powered economy, its own focus area two or so years ago.
Related issues were a major talking point onstage and on the sidelines at this year’s PE/VC Finance and Compliance Forum in San Francisco. Here are five key takeaways.
1. Do your due diligence: The SEC expects CCOs to perform due diligence on third-party service providers with access to the firm’s systems. Less clear is how much work needs to be done, which is particularly troubling for small firms with limited staff and resources. A few delegates said it was important, at a very minimum, to ask vendors for a few specific documents: their IT security policies, a statement of who at the vendor would have access to the firm’s client data, and any other policies related to cybersecurity. These documents should be reviewed for due diligence purposes, but they also serve as evidence to show SEC inspectors who ask for it.
2. Vendors are being inundated with DDQs: Of course, most CCOs go above and beyond the minimum requirements, and are sending service providers lengthy questionnaires about their cybersecurity readiness. But similar to LP information requests, these questionnaires tend to arrive in different styles and formats, despite asking for the same general information. At the conference, vendors told pfm the additional administrative burden has been a struggle, with one vendor saying exasperatedly that he is now receiving “easily 150 to 200 DDQ requests a year.”
3. …and are seeking a standardized DDQ for relief: To relieve the administrative burden, some service providers and CFOs at the conference promoted the use of a standardized cybersecurity due diligence questionnaire written by the Alternative Investment Technology Executives Club (AITEC), an industry group comprised of CTOs and other technology executives working in the alternatives space. When pfm asked delegates about the DDQ, it found that many in the private equity field were unaware of its existence but highly interested in learning more.
4. Cybersecurity insurance policies are limited: Fearful that a hack could cost the firm millions in damages or lost reputation, more and more GPs are considering purchasing cybersecurity insurance policies these days. Delegates at the conference cautioned one another to review these policies carefully. The concern is that data breaches can lurk in a firm’s systems unnoticed for years, and many insurance providers do not cover breaches that occurred before the policy’s start date, even if they are only discovered afterwards.
5. It’s still easy to be fooled by hackers: Now that cybersecurity training modules and additional IT security policies have been introduced at their firms, many delegates said they were beginning to feel confident about their firms’ cybersecurity abilities. But one CFO in attendance warned that “it’s easy to be overconfident here.” The CFO hired a consultant to send staff spoof phishing emails to see who would bite. “It was surprising to see senior managers still falling for these things. The sophistication of some of the emails was incredible, and appeared like a legitimate email from an IT department saying the system was going through an upgrade and to ‘click here.’” Worse, the CFO said many would later lie about being duped.
For more on what strategies GPs are pursuing to enhance their cybersecurity readiness, and a detailed look into the value of today’s cybersecurity insurance policies, readers are encouraged to visit the February and August issues of pfm, respectively.