Cyber-risk management should be treated like any other area of risk, such as finance and credit. It should be the responsibility of all workers at a private equity firm — from the chief executive down to the lowest employee.
This was one of the clearest messages from a roundtable discussion between experts and CFOs that pfm hosted earlier this month (published in our November issue). Here are some of the headlines:
Call it cyber “risk”, not cybersecurity
Cyber-risk management is a discipline similar to financial risk or credit risk management in that resources are put in place to minimize the likelihood of an incident and to protect against it. Should a security breach occur, a firm should be able to detect it and implement the proper response. Management and board hear cybersecurity and think it’s a technology issue, argues one participant. “The reality is it’s managing risk in the same way that you do anywhere else.”
Preparation, preparation, preparation
Incident preparedness is essential and “is something that is constantly changing,” as one of the participants notes. Firms need to understand their data: where is it stored, which data can you get rid of and which data do you want to protect? When working through an incident response plan, firms should do more than simply go down a list of procedures and check the box. “If you’re sitting there in a crisis without a planned approach not knowing who’s going to do what and trying to figure things out on the fly, that is the worst situation to be in,” says one of our experts. Firms also need to know what their objectives are in the event of an incident. Is it to recover quickly or to retain forensic evidence for future reference? “Either of those approaches would take you in a different direction.”
Phishing: a popular pastime among cyber-criminals
One way in which criminals circumvent a firm’s security defenses and acquire sensitive information is phishing, and criminals are getting more creative at it. In one typical playbook, thieves retrieve the personal and work information of a firm’s chief executive from social media accounts or even the company’s website. They then send messages to the CEO’s email account, with the goal of taking over the email address and having messages forwarded to another account where they gain access to confidential information.
The Securities and Exchange Commission has been making pronouncements about cyber-risk for several years now, making sure it is on managers’ radar. The agency has now begun asking executives about their firms’ incident response plans as part of the examination process. And if there has been an incident, be prepared for a barrage of follow-up questions. “The minute you have a breach, then [the SEC] will come down on you. That’s why it’s so critical to be prepared on the cyber side,” one advisor says.
It is also increasingly becoming an investor issue. While only one in five investors said they require GPs to undertake cybersecurity risk assessments for their management companies, according to a survey last year by secondaries firm Coller Capital, over half of LPs said they will do so within three to five years.
Be sure to keep an eye out for our roundtable on the subject… and for any emails that don’t look quite right.