Any discussion on cybersecurity should focus on risk tolerance and management. It should not be seen as a purely technical conversation to be led by the IT function within the organization, but instead be bolted on to the organization’s existing and approved company-wide risk levels.
The challenge is knowing where to begin. The seven cost-effective steps detailed here can mostly be taken by internal staff without third-party assistance. They build on the foundational risk assessment work, security training and awareness programmes, and the current-state assessment conducted by a trusted third party.
Identify your data and know where it resides
Once this is considered, a firm quickly realizes that sensitive data is stored across dozens of different systems, some managed by the firm itself, some in the cloud and some with third parties such as attorneys and tax consultants. A private equity firm must therefore map out exactly where its data sits.
This map can be created using a simple Excel spreadsheet, which will also help develop a process to protect the data. Within the spreadsheet, list the name of the system or application, followed by a brief description of what it does for your business. From there, add a column that defines who the business owner of the application is and what type of data it contains. Other data points to consider include whether the application is on premises or hosted elsewhere, vendor contact information and whether there is a secondary business owner.
Establish a data classification system
The classification system also needs to have controls in place to ensure that the confidentiality, integrity and availability of data are protected and understood by all employees. LPs want to know that the private equity firm, as the data steward, is safeguarding their sensitive data. The systems inventory highlights which systems require attention and who, internally, should have access to them.
Know who has access rights to your data
Use a password management strategy
Use two-step authentication and single sign-on
The first factor is something you know – your password. The second, the MFA piece, is something you have – a token. The two together offer a high degree of protection, as key corporate systems cannot be accessed without both of them. Protecting platforms such as Microsoft Office 365, the corporate VPN and CRM with multi-factor authentication ensures that only employees holding the issued token can gain access to these important platforms.
The technical aspects of SSO are beyond the scope of this article, but think of it as an extension of the firm’s identity management system. Many private equity firms today leverage systems in the cloud, each of which requires separate usernames and passwords. With an SSO platform, the firm’s own usernames and passwords can be extended to these cloud-based platforms. Having one username and one password greatly simplifies how employees can securely access an expanding world of applications.
Prepare an incident response plan
Without an incident response plan already designed and tested, the firm is facing a very grim 24 hours. Securing the guidance and support of a cybersecurity third-party consultant to help develop an incident response plan will be of tremendous value.
Consider significant variables, define roles and responsibilities and properly manage communication in the event of a breach. Additionally, there are breach notification laws that differ from state to state and country to country, which are difficult to track and in some cases understand.
The bottom line is that when – not if – your private equity firm suffers a data incident or a loss of data, you may have a legal obligation to report it and you certainly have a fiduciary responsibility to manage it. Having a clearly defined plan on who should be involved internally and which external resources to contact makes resolving an uncomfortable and stressful situation easier.
Do not wait to develop a response plan until you are in the middle of an actual cyber incident. Make it a priority to meet with your cybersecurity steering committee and the firm’s management team to build out an incident response plan.
Many firms would benefit from seeking guidance from a third-party consulting firm or a legal cyber practice group to help shape and develop an incident response plan that best suits their culture and legal obligations. In many cases, it is also helpful to speak with an insurance broker about cyber liability policies as a means to manage and mitigate risk.
Many cyber liability policies have panels of experts that can provide legal guidance and perform cyber forensics work. Both are essential during a cyber incident investigation.
The cyber world of today has many moving targets. As cyber-criminals better understand private equity, most firms will become targets. Start analysing your internal risks and developing the strategies outlined in this chapter now in order to position the firm to manage both the cyber regulatory requirements and LP requirements of the future.
Taking appropriately measured steps will do much to mitigate current and future cyber-risks.
An effective cybersecurity programme will take months, possibly years, to develop a stable foundation that you can build upon as needed. The regulatory environment will continue to change and expectations from LPs and third parties will evolve. So too must your cybersecurity programme. It is a vital tool for protecting critical assets. Next time you think about the firm’s cybersecurity status, ask these two questions:
What will happen to the firm’s reputation if proactive steps are not taken to protect data?
Will this affect the firm’s ability to raise the next fund?
It is impossible to know, but taking no action is not a viable option.
How to respond to a breach
“[The incident response plan] should include aspects such as: who internally is responsible for leading the breach response; who to call if external technical response is required; what to do if the response needs to be conducted under legal privilege – how to tell and what to do; how to handle the PR side of a breach; if you have lost customer data for example, what is the communication plan to stakeholders.”