Given the significant growth of private funds and the number of companies in their portfolios, it is perhaps unsurprising that regulators are increasingly focusing their attention on cybersecurity in the private markets space.
The US Securities and Exchange Commission, for example, has published proposals specifically aimed at private funds to regulate their cybersecurity arrangements, while in the EU and the UK, cybersecurity laws are being tightened and guidance issued that will have a direct impact on many funds and their investee companies.
And it’s not just regulators. LPs are increasingly scrutinizing the way potential funds are managing cybersecurity risk, with ILPA adding cybersecurity components to its latest standardized due diligence questionnaire in 2021. The result? “We are seeing LPs ask us more detailed questions around our approach and business resilience in general,” says Patrik Bless, chief information security officer at Partners Group.
Yet like many others in the industry, Bless is unfazed by this. “Cybersecurity is one of the big risks for many industries today – it’s likely that someone somewhere is being hit at any point in time – and so the increased scrutiny by regulators and LPs is absolutely justified,” he says.
He adds that such an attitude is even more important given the growing number of threats firms and their portfolio companies face today, compared with a few years ago. “It’s a constant arms race and the timelines to attack are shortening,” says Bless. “Hackers can get things wrong multiple times – they only need to be right once to have an effect; defenders have to be right all the time.”
Indeed, many simply see the more robust regime proposed by the SEC as a matter of cyber-hygiene. Fred Shaw, chief risk officer and global head of operations at Hamilton Lane, says: “There is increased regulatory scrutiny, although I’d say that the proposed SEC cyber-rules are more of a baseline. Companies should be doing all this already – it’s no longer best practice; it’s table stakes.”
So, what are the risks private markets firms face today and how have they changed? The answer depends on which corners of private markets a fund and its portfolio companies operate in, because that determines the type of risk they face.
Bless says that GPs need to be acutely aware of spillovers – or attacks that affect businesses and assets beyond the intended target because they enter via software or a service provider.
“Some sectors that may not seem that obvious, such as manufacturing, do have some exposure to spillovers,” he says. “This is especially true where [the Internet of Things] is used and there are operational technologies that may be used, for example, to steer production machinery or energy infrastructure. These are long-term, heavy-duty pieces of equipment with an investment horizon of 20 or more years and so upgrades are more challenging. It’s very different from software or information technology, where patches can be pushed out quite quickly.”
As new technologies and applications for them are developed further, misinformation is becoming another key area to keep an eye on. “The advance of AI and the use of generative models like ChatGPT present a new form of threat,” says Bless. “It’s possible, for example, to generate speech from just three seconds of someone’s voice – that could be used to make phone calls that sound very genuine. Generative models can also be used to generate malware very easily that is very hard for defenders to detect and fend off.”
Beyond regulatory requirements
All this means that private markets funds – regardless of whether regulation is keeping up or not – need to be constantly vigilant against existing and potential threats. But they have a range of defenses in their arsenal.
One of the biggest recent changes among private equity firms’ approach to cybersecurity is a more holistic approach, according to James Rashleigh, cybersecurity partner at PwC. “Everyone accepts the importance of cybersecurity in a deal context these days,” he says. “But I’ve seen a significant shift among private equity houses themselves. There is a much greater emphasis on the aggregate risk in the portfolio over the past year.”
This is in response to an increase in ransomware attacks in the past two years that are “fairly indiscriminate,” he says. “Larger houses have been looking across their portfolios for a while now, but many others are now doing this. They are looking for common gaps and risks in their portfolio companies. There is a strong case for them to buy an incident response retainer and potentially detection services negotiated across the portfolio. That way, they are in a better place to respond to an attack.”
Jeff Schneider, partner and chief operating partner at Victory Park Capital, says that as a lender, the biggest risk for his firm comes when moving cash to portfolio companies. “Attackers have identified this as an area to exploit and interceptions can be a death knell for funds,” he says, adding that the firm uses a variety of strategies to protect both his organization and portfolio companies.
“These include multi-factor authentication across systems – and we push our portfolio companies to use this, too – simple hygiene factors, such as changing passwords regularly, spam filtering and anti-malware software tools, dark web monitoring when looking for credentials of employees and the senior team, monitoring our networks 24/7 by a cyber-specialist, and constantly reminding employees of the risks. For example, we use phishing test emails internally to help keep employees aware of what these can look like.”
But, he says, you can’t just rely on technology. “We back this up with verbal call-backs when transferring money, and we carry out regular surveys of portfolio companies to understand what controls they have in place,” says Schneider. “We really encourage our employees and portfolio company staff to get out of email communications, especially when working on anything to do with a transaction – it’s just too risky.”
He also adds that cybersecurity checks on service providers are essential and that this may well fall under regulatory scrutiny in years to come.
Many point out that employee education is vital if firms are to fend off potential threats. “The biggest threat is via employees,” says Shaw. “By that, I mean that phishing is the main entry point for bad actors wanting to gain access to networks. As a result, everyone should be using dual factor authentication and perimeter testing regularly and thoroughly. This can be done internally or by hiring an external hacker, so that you can remediate if necessary.”
Caution is the watchword here for Victory Park. “You can have all the technology in the world, but you have to educate your employees that this is a real risk,” says Schneider. “[Multi-factor authentication] is great, but if someone blindly approves a request, the whole system is circumvented. We take the view that we’d rather be super-cautious than not careful enough.”
Many also point out the need to make the risk real for employees. Rashleigh says that education needs to be ongoing and that cyber-risk management should be embedded in the culture. “If an investment professional understands that a cybersecurity issue might prevent a deal from happening or stop an exit, that is no longer a vague risk to them,” he says.
He also says some firms now carry out crisis exercises to help executives understand some of the nuanced decisions that might need to be taken under an attack situation.
The approach is similar at Partners Group. “We work under the ‘assume breach’ assumption,” says Bless. “We think it’s important to take this approach because you need to educate your firefighters, not just to prevent fires but to fight fires.”
The increased workload and the specialist nature of many of these functions are leading firms to outsource some areas of their cybersecurity. Oversight, however, stays in-house, because, as Bless says, “you can’t outsource your risk – in the eyes of both investors and regulators, the risk remains with you.”
Regulations coming down the line
According to a recent Debevoise & Plimpton briefing, the SEC’s February 2022 proposals on cybersecurity for private funds are “significant” because they would require “an entirely new cybersecurity regime” including “an expansion of cybersecurity risk management practices to cover all systems and data,” increasing compliance obligations.
In summary, they would strengthen the incident reporting requirements and mean that firms must notify the SEC within 48 hours of identifying a significant breach; they outline the policies and procedures that private funds must have in place around risk assessment, user security and access, prevention of unauthorized access to funds and incident response; and they would make annual reviews and reports on cybersecurity mandatory. They would also increase disclosure requirements around any potential significant risks and any incidents that have occurred in the past two years.
In the EU, meanwhile, there have already been changes to the cybersecurity regime under the second Network and Information Security Directive (NIS2), which must be transposed into the national laws of member states by October 18 2024. This revised framework will bring more public and private companies into its scope, as it broadens the definition of “essential services” and “essential entities” from critical infrastructure and health to include pharmaceutical companies, data centers, managed services and content delivery providers with at least 50 employees and/or an annual turnover of at least €10 million. The new rules include new cybersecurity reporting requirements, including a duty to notify within 24 hours of unlawful or malicious acts.
Meanwhile in the UK, the National Cyber Security Centre has recently issued reminders to organizations to take steps to protect their systems, and the Information Commissioner’s Office has released guidance on ransomware that private funds need to take into account.