Cybersecurity is always a hot topic at finance conferences, but even as attackers become seemingly exponentially more threatening by the day, many people are still struggling to define the right framework for addressing them. Here are three insights and suggestions from attendees at the Private Funds CFO Network’s European Forum earlier this month.
(Reporters at the event were barred from naming other attendees and speakers.)
Put your IT teams in front of investors
IT teams are becoming a much more valued part of private equity firms. The increasingly fraught cyber-risk landscape has led to their being viewed as integral partners in the business rather than merely a support function. As the finance director of an independent pan-European private credit firm explained: “When our teams are doing fundraising… they involve IT to help describe what cyber-risk policies we have in place.”
Vendors get a closer eye from investors
The collapse of Silicon Valley Bank in March this year (among others) led to a spike in investor queries about firms’ vendor selection processes.
That’s part of why COOs, CCOs and other responsible C-suite executives are spending an increased amount of time inventorying and examining the areas in which their company could be susceptible to cyber-risk, including vendors.
“We are discussing with our IT team and outsourced vendors what we need to do to mitigate the risks of [our] increased [attack] surface,” said one attendee, adding that the firm is focusing on “integrating our IT team into the vendor selection process ahead of time to make sure if we don’t have the necessary safeguard in place for a specific risk, we have it at the time of contract negotiation.”
Shadow IT: A call for amnesty?
So-called ‘shadow IT’ risk – the risks introduced by employees’ individual use of their own technology for work purposes, unknown to the business – introduces an additional layer of complexity for private equity managers. The number of people using technology tools not authorized by their IT teams increased vastly during the pandemic, and the practice continues to pose an elevated threat.
One panelist suggested firms consider introducing an amnesty period of two to three weeks during which all teams can share details on any shadow IT tools they’ve been using remotely, including AI tools. Even before the pandemic, banks in various jurisdictions had often instituted ‘blackout periods’ for individual employees once a year, in which they turn over all of their electronic communications, even being separated from their business smartphones while a review takes place. Similar programs could be devised for private markets firms, and perhaps expanded to provide amnesty for using personal devices for business.