Cyber criminals target private equity capital, connections

Private equity firms are a uniquely attractive mark for cyberattacks, but a proactive approach can be a sturdy shield, writes Peter Cohen, director of strategic risk at MWR InfoSecurity

From global incidents like WannaCry and NotPetya, to a seemingly unending series of serious data breaches at household names, cybersecurity has come to dominate the business landscape in recent months.

The financial sector has always been one of the most at risk of attack thanks to the flow of capital involved. Research from Coller Capital found that, although only 5 percent of limited partners around the world said they had suffered a serious breach in the last five years, over half expected to be the victim of a major attack within the five years to come.

Further, 45 percent of LPs stated that they would be requiring general partners to undertake cybersecurity risk assessments in the next 10 years – something which only around 20 percent currently do. Private equity firms in particular are an attractive mark for the more high-level threat actors such as foreign nation states or organized crime.

Aside from directly attempting to steal capital, firms might be attacked to reach the ‘politically-exposed persons’ or high-net-worth individuals they have on their books, as well as other sensitive information such as undisclosed M&A activity and joint venture transactions.

M&A information is commonly used in ‘outsider trading,’ where a cyber criminal will use stolen information to make huge profits by buying and selling stock, or even directly manipulating deals.

Any firm suffering a serious security incident is likely to suffer a range of negative repercussions, the most obvious being the financial damage. This can include the cost of investigating the incident, lost business if the firm was unable to operate due to a ransomware or DDoS attack, as well as regulatory fines and legal action from clients and partners that were impacted.

A major breach will also cause severe reputational damage as the firm struggles to convince both existing and future clients that it can be trusted with high-value, sensitive information.

One of the most important steps a private equity firm should take to defend itself against attack is to understand its own unique risk level. Location, size, structure and clientele all influence how appealing a particular organization might be. Firms also need to have a realistic view of their own security capabilities, as too many will simply tick the boxes of a compliance sheet and leave it at that.

Private equity firms should also be aware that they are more likely than most organizations to be targeted by sophisticated cyber-attacks. Such attacks utilize advanced social engineering to trick victims and bespoke malware that is able to evade most traditional security measures. To counter this threat, companies should consider adopting an approach known as Managed Detection and Response, which puts an emphasis on the experience and intuition of a group of skilled experts rather than relying purely on automation.

These ‘threat hunters’ are able to spot more sophisticated attacks that don’t fit the usual pattern, and will actively search for signs of a potential attack rather than waiting for one to occur.

The increasing complexity of cyber threats means there is no single solution firms can turn to in order to protect themselves from attack. However, those that equip themselves with the ability to proactively detect and respond to security incidents will be best placed to maintain the trust of their clients and partners.