The CIA could well be listening in on your next phone call with a prospective investor.
That was the thrust of a front-page New York Times story published on day two of sister title Private Equity International’s Responsible Investment Forum, run in concert with the UN-supported Principles for Responsible Investment in New York earlier this month.
WikiLeaks had released thousands of pages purportedly detailing sophisticated software tools and techniques used by the intelligence agency to break into smartphones, computers and internet-connected televisions, including instructions for compromising commonly used tools such as Skype, wifi networks, PDF documents and commercial anti-virus programs.
Just a week earlier New York state had adopted the US’s first cybersecurity regulation requiring banks, insurers and other financial services organizations overseen by its Department of Financial Services to have a cybersecurity program in place.
It just so happened the forum that day included a panel discussion examining cybersecurity and private equity at fund and portfolio company level. Edward Stroz, founder of cybersecurity risk management firm Stroz Friedberg and a former FBI special agent, and Edward Brandman, chief information officer at KKR, offered delegates tips on how to think about cybersecurity as it relates to their firms and their portfolios, and some practical steps to prepare for potential attacks.
Some were surprised to see cybersecurity as a topic at a responsible investment conference; when people hear the word ‘cybersecurity’ their minds immediately go to risk and compliance. But there are significant benefits to approaching the topic from an ESG standpoint.
The UN PRI regularly surveys its signatories to find out the key issues they would like the organization to work on, and cybersecurity has been coming out on top as investors realize it’s incumbent on them to consider and address the risks and opportunities presented by cybersecurity within their portfolios. The organization has now formed an advisory committee of members to address the issue.
The ‘S’ and the ‘G’ – social and governance – are the most pertinent to cybersecurity. Governance, said Stroz, who in his previous role formed the FBI’s computer crime squad in New York City, is the starting point for effectiveness, both when it comes to a firm’s own cybersecurity and that of its portfolio companies. If there isn’t buy-in at the very top, it undermines the seriousness of the message.
Brandman told delegates that at his firm, even Henry Kravis takes the time to follow the protocol, so there’s no excuse for others failing to do the same.
Cybersecurity also touches on social risks, such as privacy and human rights, as demonstrated by the WikiLeaks story. Changing business models, such as smart watches collecting health data or consumers accessing internet banking via smartphone, mean certain portfolio companies are not only open to potential data breaches but vulnerable to weaponization.
As cybersecurity increasingly comes under the purview of regulators across the globe, private fund managers will have no choice but to start crafting and implementing robust policies. But even absent such parameters, to be considered a responsible investor in today’s world managers must demonstrate they take cybersecurity seriously, both as a steward of LP capital and as a steward of data.