Ever since the Securities and Exchange Commission offered guidance that cybersecurity was an “important issue” for registered investment advisers, the industry has scrambled to address it. But the technical nature of the problem and the fallout from high-profile breaches make it stressful and difficult to solve, and even assessing a firm’s cybersecurity situation can be costly, complex and frustrating.
As a result, most market participants look to an outside vendor, preferably one with industry experience that asks plenty of questions upfront.
The best will argue for an assessment of all three elements of any cybersecurity effort: the technology, the people and the policy. Only assessing the technology ignores the unpleasant fact that some of the biggest threats arrive when employees interact with a firm’s systems.
Ideally, the vendor will produce a report that ranks the threats and is comprehensible to non-IT staff. The process can take several weeks to a few months to complete and, in the face of a continually evolving threat, may be needed on an annual basis.
However, the cost and effort are no reason to play the fatalist and save money by relying on internal staff for the assessment.
“From my perspective, your internal IT staff has their own responsibilities,” says Chris Anderson, CCO and legal counsel of turnaround specialist KPS Capital Partners. “And cybersecurity requires a proactive approach to understand the threats and how people are addressing them.”
And one CIO admitted that one of the chief rationales for an assessment is a fresh view of programs and procedures, which isn’t possible from those who designed the system.
In choosing a vendor, it’s important to define the scope of the test. Will it include a review of the portfolio? Healthcare and retail companies process enough sensitive information that it may warrant a vendor that has experience in those industries, as well as private equity.
“The PE fund has its own issues, but a huge part of the risk can reside at the portfolio level, so you may want someone with broader experience,” says Daimon Geopfert, leader of RSM’s security and privacy consulting.
Some firms have even taken to conducting assessments at the valuation stage of high-risk acquisitions. “In some cases, they’ve walked away from the transaction as a result,” says Geopfert.
Of course, private equity experience is vital. “The two primary drivers for us were cost and experience,” says Eric Feldman, CIO of the Riverside Company. “We declined one vendor who worked with a few big banks and Fortune 500 companies, but no private equity firms.”
The reason is that threats can differ immensely across industries.
“The people attacking retail banking are not necessarily the people attacking a private equity firm,” says Eldon Sprickerhoff, founder and chief security strategist at eSentire.
Another key element to vet is how well the vendor understands relevant regulatory guidance. “We asked what they thought regulators were looking for,” says Feldman. “Which was a question designed to learn how they interpreted the SEC’s recommendations since the regulator has only issued guidelines and nothing is set in stone.”
Beyond industry and regulatory experience, there are some basic credentials a vendor should have. “We inquired who would actually be performing the test, the security engineers and their credentials,” says Feldman.
But there’s an alphabet soup of certifications that can be hard to sift through. The consensus was that CISA [Certified Information Systems Auditor] and CISSP [Certified Information Systems Security Professional] are two of the key certifications.
Those vendors should also have a rapport with the in-house IT staff or current IT service provider, since they will be working closely during the assessment, and should be part of the process from day one.
“Chances are, the current IT staff knows your systems and architecture better than anyone,” says Anderson. “And if they find issues that only require a quick fix along the way, they can be handled right there.”
The best vendors will realize how interdependent each piece of a cybersecurity program is, and will argue to test every element. Those three key elements are the technology, the people and the policies.
The technology test involves a deep dive into the systems, with penetration tests and vulnerability assessments to gauge if there are any holes in the security systems. “But we stress these penetration tests are only diagnostic,” says Geopfert. “So they may discover a hole and we patch that, but it doesn’t identify what might have caused that hole, similar to hammering out a defect at the end of the assembly line, without examining the entire manufacturing process.”
So the technical piece may involve “softer” reviews into current IT procedures. Some vendors will add a social engineering component to the technical test as well.
“One day, they dropped USB drives around one of our offices to see if any employees would plug them into their computers,” says Feldman.
“There’s definitely a human element,” adds Geopfert. “All it takes is tricking an employee to give up their security credentials for a breach to occur.”
Naturally, the second part of the assessment focuses exclusively on the risk of simple human error, through a series of interviews to gauge employees’ behavior and their knowledge of cybersecurity risks and protocols. “We liked that our vendors felt comfortable speaking with every department in our firm, including HR and even our co-CEOs, and that provided consistency to the interview process,” says Feldman.
But beyond the interviews, there’s a third piece that might be viewed as the governance element, in which the vendor compares the firm’s written cybersecurity policy with the employees’ actual behavior.
Often, a policy will be revised from answers in the interview. “On the behavioral side, one issue, in layman’s terms, might be, how does money move around?” says Anderson. “So during capital calls or distributions, are there adequate policies, procedures and controls in place?”
Once the assessment is done, the vendor will produce a report detailing their findings, but the better vendors will include an executive summary in plain English to share with senior management.
“The test wouldn’t be worth the expense if it was indecipherable to non-IT staff,” says Feldman.
An assessment report should also categorize risks and how easy they are to address, to help prioritize action. One GP admitted spending a great deal of time sifting through their first assessment report to rank the recommendations by risk level and by the resources needed to address them. With that done, they were then able to execute the easy fixes immediately, while developing a longer-term plan for the issues that need more resources to mitigate.
But how long does the assessment alone take? Naturally it depends on the scope of the review and the size of the firm, with a range from a few weeks up to three months, and even more if the portfolio companies are part of the review. In terms of cost, the range for these in-depth assessments can vary from $20,000 to $60,000, though frequently GPs may contract cybersecurity firms on an annual basis where the assessment is included.
How often should an assessment take place? The consensus seems to be annually. “How comfortable are you telling an LP that your last assessment was two years ago?” asks Feldman, who plans on conducting assessments every year, though perhaps without repeating some of the social engineering tests.
Even if done frequently, GPs should be aware that the assessments and recommendations have their limitations. At best, they can make a breach difficult, limit the damage and rectify the issue quickly.
“We use a bank analogy,” says Geopfert. “Since the first bank opened, there have been robberies. And over the centuries, banks have gotten harder to rob, but it still happens, though now thieves get away with less, and are easier to catch.”
While that might not make GPs sleep any easier, it certainly argues in favor of checking the lock on the vault, time and time again.
Test the technology: This includes vulnerability testing of the externally facing environment, which interacts with the internet; the internally facing environment, where the vendor plays a rogue entity that has already gotten past the perimeter; and any web applications.
Test the people: This includes interviews with employees outside the IT department. Do they know the company’s cybersecurity policies? How do they respond to incoming emails from unknown senders? How do they log into the system from home or during business travel?
Sometimes, as part of testing the technology, the vendor will send suspicious emails to see which employees click on them.
Test the policies: Compare the interview results with the internal policy, and see if the behavior matches the procedures detailed there. Does the policy have clear directions for the action steps once the breach has been discovered? Does the policy need to be revised and updated for threats found in the penetration test?
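The simulated-phishing test mentioned above turns on one practical detail the sidebar does not spell out: each recipient has to get a link that is unique to them, or the vendor cannot tell who clicked, and hits from mail-security gateways that pre-fetch every link have to be filtered out, or half the firm will be marked as having clicked. The following is an added example, not code from the article or from any vendor it quotes. It assumes (none of this is from the article) a hypothetical campaign site at training.example-pe.com that serves /t/<token>, an Apache combined-format access log, a constructed three-person roster, and that automated link scanners identify themselves by user agent.

```python
"""Attribute simulated-phishing clicks to individual employees.

Added example, not code from the article or any vendor it quotes.
Assumptions (not from the article): the phishing e-mail links to
https://training.example-pe.com/t/<token>, clicks are served by a web server
writing Apache combined-format access logs, and mail-security gateways that
pre-fetch links identify themselves by user agent.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed roster for the demo; hypothetical addresses.
EMPLOYEES = ["alice@example-pe.com", "bob@example-pe.com", "carol@example-pe.com"]

# Constructed user-agent substrings treated as automated link scanners; a real
# campaign would tune this list from its own logs.
SCANNER_AGENTS = ("LinkScanner", "python-requests")

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def make_tokens(employees, secret):
    """Map an unguessable per-recipient token to an employee address.

    An HMAC over the address, keyed with a campaign secret, gives a token the
    tester can regenerate but that cannot be forged or enumerated by anyone
    who sees one link; the address itself never appears in the URL.
    """
    return {
        hmac.new(secret, addr.encode(), hashlib.sha256).hexdigest()[:16]: addr
        for addr in employees
    }


def attribute_clicks(log_lines, tokens):
    """Return {employee: [timestamps]} for genuine clicks on /t/<token>.

    Hits from scanner user agents are dropped so a gateway that opens every
    link does not mark the recipient as having clicked; unknown tokens and
    non-campaign paths are ignored.
    """
    clicks = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.startswith("/t/"):
            continue
        if any(s in m.group("ua") for s in SCANNER_AGENTS):
            continue
        addr = tokens.get(path[len("/t/"):])
        if addr:
            clicks[addr].append(m.group("ts"))
    return dict(clicks)


def click_rate(clicks, employees):
    """Fraction of recipients with at least one genuine click."""
    return sum(1 for e in employees if e in clicks) / len(employees)


# --- constructed sample run (demo secret; never reuse a real one in code) ---
CAMPAIGN_SECRET = b"demo-secret-not-for-real-use"
TOKENS = make_tokens(EMPLOYEES, CAMPAIGN_SECRET)
TOKEN_FOR = {addr: tok for tok, addr in TOKENS.items()}

# Constructed access-log lines: Alice clicks twice, Bob's gateway scanner
# fetches his link (not a click), and a stray hit uses a token nobody was sent.
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Mar/2016:09:14:02 +0000] "GET /t/{TOKEN_FOR["alice@example-pe.com"]} HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    f'10.0.0.5 - - [12/Mar/2016:09:14:40 +0000] "GET /t/{TOKEN_FOR["alice@example-pe.com"]} HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    f'203.0.113.9 - - [12/Mar/2016:09:13:55 +0000] "GET /t/{TOKEN_FOR["bob@example-pe.com"]} HTTP/1.1" 200 512 "-" "LinkScanner/2.1"',
    '198.51.100.7 - - [12/Mar/2016:09:20:11 +0000] "GET /t/0000000000000000 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2016:09:20:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    result = attribute_clicks(SAMPLE_LOG, TOKENS)
    print(result)
    print(f"click rate: {click_rate(result, EMPLOYEES):.0%}")
```

On the constructed log above only Alice counts as a clicker: Bob's link was opened by the scanner user agent, and the all-zero token matches nobody. Keying the tokens with a secret rather than using a counter matters because a curious employee who sees their own link should not be able to guess a colleague's and click it on their behalf.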