Tech issues proved some of the big talking points when private equity executives gathered at PEI’s Operating Partners Forum in New York and pfm’s Private Fund Finance & Compliance Forum in San Francisco this fall.
Any company with business in Europe had a lot to think about when the EU General Data Protection Regulation came into effect in May. Now a similar law designed to protect consumer data will be implemented in California in 2020, and it’s up to private equity firms to figure out what this means for their business and how to prepare.
The law gives Californians the right to request that a business that collects a consumer’s personal information disclose what categories and specific pieces of personal information the firm has collected.
Citizens of California will also have the right to request that a business delete any personal information about the consumer, as well as the right to direct a company not to sell the consumer’s personal information.
It’s easy for people in the industry to compare this law to the GDPR, but some professionals question whether it will live up to the standard.
“GDPR is a fairly high bar, and if we’re advised that there’s some other things we need to do because of other legislation in the US or in Singapore or in the UK, then we will adapt and change as necessary,” a chief information officer at a mid-market firm tells pfm.
Private equity firms have to follow such guidelines to ensure the protection of their clients and employees. The California law follows the same principles in ensuring that consumers’ data is protected and that they have the right to access and know how their data is collected.
Before California’s rules go into effect, private equity firms will need to understand how the law affects their operations and whether portfolio companies that do business in California have to comply.
If a federal law doesn’t materialize, other states may follow California’s lead in personal data protection.
“California, I think, is a harbinger on what’s to come across the US. And whether or not this administration, meaning Trump’s administration, will do anything at the federal level is yet to be determined,” the CIO said.
David Fann, co-founder and chief executive of TorreyCove, an investment advisor, says planning for the California law is a part of their cybersecurity/IT strategy next year.
“Data privacy is something on our radar for next year. For us, client data is one of the most critical attributes of our business. It just makes sense to focus on both data privacy and security,” he says.
Cyber-risk management has become a growing concern for private equity firms. Whether a firm has in-house information technology personnel or it outsources that function, the need to protect sensitive information from being accessed externally is being acknowledged.
The Securities and Exchange Commission has even started reviewing private equity firms’ cyber-risk management plans as part of its examination process, especially for firms that have experienced a breach in the past.
“The minute you have a breach, then [the SEC] will come down on you. That’s why it’s so critical to be prepared on the cyber side,” one consultant said at the PFFC Forum in San Francisco.
The concern over the attention that regulators are putting on cyber-risk management policies is likely to continue into next year.
“One of the issues facing all investment firms is cybersecurity, especially given what is happening in the world and the increased attention that the regulators are putting on it,” says Fann of TorreyCove. Data breaches and system disruptions can paralyze investment organizations. At many firms, these issues fall upon the shoulders of the CFO or the COO.
One of the main ways to ensure a firm’s cyber-risk management policies are being implemented properly is through mock audits. However firms choose to prepare, it will be interesting to see how they adjust their cyber-risk preparation and handle the SEC’s new push on cyber-risk management.
At the PFFC Forum, industry members expressed their concern about phishing, where someone pretends to be someone else through email to steal personal information like passwords and credit card numbers.
“Right now, when you look at the threat factors that cyber-criminals are exploiting, phishing has got to be right up there, with ransomware [and] wire fraud,” one speaker said.
Making sure employees understand their role is a key aspect of a successful cyber-risk management plan within a company. “If you don’t have folks who are properly trained, who understand the risk, understand what the requirements are and how it could affect downstream, you’ll never really have a successful cyber-program,” said Brian Ferrara, a senior manager at EisnerAmper. “It reinforces training, tabletop exercises and that preparedness versus the response. We may have a great set of policy documentation procedures. ‘OK, an incident happened. Which way do we go? Who’s doing what?’”
Growth in outsourcing
Private equity firms have been relying more and more on outsourcing over the years and that trend is expected to continue into 2019.
One fund administrator cited recent studies saying that the amount of outsourced solutions in the US could grow up to 50 or 60 percent within the next five years.
“In terms of outsourcing, we already use a good outside fund administrator, tax team, lawyers and a compliance consultant, which is increasingly common in private equity,” says Sanjay Sanghoee, chief operating officer and chief financial officer of Delos Capital, a New York-based lower mid-market firm. “I see outsourcing becoming more prevalent in the industry because it is actually more cost-effective and time-saving, and frankly even safer for a lot of funds to outsource critical functions to experts – safer in the sense that it is comforting for investors to have a third party checking the fund’s work.”
Entrusting third parties could be a good way for firms, large or small, to complete tasks that are important but that they might not be able to dedicate full attention to. Functions like IT and accounting are some examples of areas where firms could outsource further.
“Most of our IT is outsourced. We feel that we are able to have a more sophisticated IT platform including cybersecurity if we outsource,” Fann said.
“This could be a trend that we see other companies follow, especially on the IT and cyber-risk management side, due to the recent push on the importance of cyber-risk management by the SEC. We also see CFOs increasingly enlisting the help of outside sources for accounting and tax due to recent tax reforms.”
Firms could also expect to see more use of outsourcing to meet the demands of portfolio companies requesting more transparent and detailed reporting from private equity firms.
Fann says recent fund raises are incorporating more rigorous reporting requirements, largely configured by California’s law on transparency of fees and expenses or by what the Institutional Limited Partners Association is suggesting general partners provide – which is greater transparency around fees, management fee offsets and carried interest.
Sanghoee plans on improving his company’s reporting to investors next year. “We’ll see if other companies follow the same path,” he says.