Staying still in cybersecurity means falling behind

Private equity firms must continually evolve their cyberdefenses as criminals up the ante in their bid to exploit vulnerabilities.

Cybercrime is predicted to cost the world $8 trillion in 2023, according to Cybersecurity Ventures. That is expected to climb by 15 percent a year, reaching $10.5 trillion annually by 2025, more than triple the amount recorded 10 years earlier.

Cyberattacks are among the world’s most pressing problems – cited as a top 10 risk in each of the World Economic Forum’s last three Global Risks reports. Meanwhile, not only are attacks becoming more prolific, but they are also becoming more sophisticated. Private equity firms are having to dedicate increasing time and money to stay abreast of the latest threats.

Almost half of the respondents to the latest Private Funds CFO Insights Survey, conducted in partnership with Aztec Group, have increased spending on both human and technological resources in order to bolster cybersecurity in the past 12 months.

Luke Dembosky, cybersecurity and litigation partner at Debevoise & Plimpton, says he is seeing private equity firms pushing to keep pace with cybersecurity challenges in three major spheres. “First, they are working to ensure they are maximally resilient to the ongoing scourge of ransomware and data extortion attacks, including by tightening access controls, ensuring separate backups, upping network detection and response, emphasizing data mapping and minimization to reduce surface area, conducting yearly tabletop exercises, and developing bespoke communications plans to address the rise in threat actor harassment tactics and other crisis communications challenges.

“Second, they are scrutinizing and bolstering defenses against third- and fourth-party risks to their systems and data, including by conducting additional vetting and monitoring of vendors, as well as increasing efforts to minimize data exposure during incidents.

“Third, with respect to their portfolios, private equity firms are upping their cyber and data protection diligence in connection with acquisitions, and are undertaking more proactive measures to ensure their portfolio companies have the appropriate and necessary cybersecurity controls, procedures, resources and training, as the magnitude and number of attacks on their portfolio companies continues to increase.”

An evolving threat

Certainly, CFOs are acutely aware of the ever-present and ever-changing risk that cybercrime represents. “The risks we are facing evolve every day,” says Steve Darrington, partner and CFO at mid-market firm Phoenix Equity Partners.

“The switch to the cloud brought massive benefits – there is far less hardware to manage, and it has created huge flexibility in terms of the ability to work from anywhere. But it has also massively enhanced the threat of cyber invasion. The bad guys are constantly probing for weaknesses to exploit and that is not going to change. We need to make sure we are always one step ahead, or at the very least, that we are keeping pace with the tools they are using.”

Jillian Griffiths, CFO at Clayton, Dubilier & Rice, adds: “In the face of escalating cybersecurity threats and portfolio complexity, private equity firms are taking proactive measures to protect their own infrastructure and data and are helping their portfolio companies to do the same.”

There are myriad steps that private equity firms can take to strengthen their defenses. CD&R’s cybersecurity strategy, for example, includes regular National Institute of Standards and Technology audits, biannual evaluations, monthly community sessions between chief information officers, as well as a robust insurance program.

“Equally importantly, we are committed to continuous improvement and to fusing expert counsel from industry advisers and our own group of chief information security officers with internal insights,” says the firm’s managing director of digital acceleration, Chris Satchell. “With cybersecurity, staying static means falling behind; we believe constant evolution is the key to staying ahead.”

When it comes to a private equity firm’s own operations, the cybersecurity approach is heavily dependent on the extent to which the firm embraces outsourcing. Phoenix, for example, outsources its fund cash movements to a fund administrator.

“The focus, therefore, has been on rigorously reviewing the practices and processes of our third-party providers,” says Darrington. “Of course, irrespective of thorough scrutiny, these administrators are very much aware that the integrity of their business is entirely dependent on ensuring that they do what they do in a secure manner.”

When it comes to Phoenix’s portfolio, meanwhile, Darrington adheres to the Russian maxim of “doveryai, no proveryai” – trust, but verify. “We have six clear expectations that we set out in writing, and those are tabled at the very first portfolio company board meeting.

“Those expectations include the requirement for appropriate accreditation; regular penetration testing; well-crafted policies that are regularly reviewed; and an attestation by the CEO that these things are being done.”

Phoenix also works with a business called KYND, which collates the latest security releases from the major software vendors and raises a red flag to Phoenix whenever a patch has not been applied at an individual portfolio company.

“We can’t take full ownership of the IT infrastructure of all our portfolio companies,” Darrington says. “Many are complex and global. But we can set expectations.”

AI and cybercrime

Of course, one of the latest evolutions in the realm of cybersecurity is the advent of artificial intelligence. AI can be harnessed to improve private equity firms’ defenses. But it is also being adopted by those that would seek to attack.

“AI is both an opportunity and a threat, in that automation in defensive security is cost efficient, driving up detection and response rates,” says Bob Nicolson, founder of cybersecurity consultancy Nicolson Bray. “But, at the same time, cybercriminals are able to significantly enhance their attack capabilities. In fact, a Microsoft research paper published last year revealed GPT-4 was natively able to scan a network and brute force a password to gain access to a desktop computer.

“Attackers, especially ransomware criminals, will soon be using these techniques to automate and enhance their attacks, which will lead to an increased threat level across the board.”

Debevoise & Plimpton partner Avi Gesser, who co-chairs the firm’s data strategy and security group, says: “AI presents several cybersecurity challenges for private equity firms. Cybercriminals are using AI to craft very convincing phishing emails, so phishing training and testing will be more important than ever.

“The people who handle funds disbursements at firms also need to be trained to spot deepfake audio or video requests that will appear to be coming from authorized persons but are really hackers trying to trick people into wiring money to their accounts.”

In addition, many AI projects involve the movement of large amounts of sensitive data from secure locations to data lakes or cloud environments. “It is therefore important to involve information security people in these AI projects to ensure that sensitive data being used to train or operate models is secure,” Gesser adds.

“Similarly, a lot of AI projects involve third-party vendors who are given access to large volumes of sensitive information. Cybersecurity diligence on these vendors will be very important, especially for small AI consultants and start-ups.”

Increased scrutiny

The enhanced cybersecurity threat that private equity firms face has not gone unnoticed by investors. Indeed, 43 percent of those canvassed in the Private Funds CFO survey said LP questions and requirements around cybersecurity have increased over the course of the past year.

“LPs are not necessarily all experts in the technical aspects of cybersecurity,” says Darrington, “but they are certainly asking well-framed questions around our level of preparedness, and it is clear that if a GP falls foul of a vulnerability that should have been mitigated, there will be repercussions, possibly in the form of a failure to reinvest.”

“Cybersecurity is a growing concern for LPs,” adds Debevoise & Plimpton partner Erez Liebermann. “Many have experienced their own breaches or understand the unfortunate reality that breaches will occur. As a result, LP cybersecurity due diligence has significantly increased. LPs want confirmation that private equity firms are treating cybersecurity as a critical risk.

“Sophisticated LPs routinely demand cybersecurity risk assessments from both sponsor firms and their portfolio companies, and some LPs are posing cybersecurity questions as part of due diligence. Fortunately for private equity firms, conducting risk assessments not only addresses LP concerns about cybersecurity, but also equips them to tackle both cyber risks and growing regulatory expectations about sponsor risk management.”

Regulatory scrutiny of cyber readiness also continues to intensify. “Cybersecurity practices in private equity are a growing area of scrutiny for the US Securities and Exchange Commission,” says Debevoise partner Charu Chandrasekhar.

“The Commission has proposed a cybersecurity rule for registered investment advisers – including to private funds – that will likely be finalized this spring. If adopted, the rule will impose significant cybersecurity compliance obligations, as well as a cybersecurity incident notification obligation, on private equity sponsors.

“Moreover, the recently adopted issuers cybersecurity rule requires public companies to disclose their cybersecurity risk management and governance practices in annual reports, and creates a mandatory four-day material cybersecurity incident notification on Form 8-K.

“Private equity sponsors will need to work with portfolio companies planning public exits to ensure their preparedness for these new cybersecurity disclosure obligations.”