Cybercrime is a booming business and the threat levels have never been higher. A little over half of U.S. companies reported a cyberattack in 2018, up from 38 percent a year earlier, according to Hiscox.
And—as financial institutions involved in the regular transfer of large amounts of money, but with relatively lean organizational structures and limited IT and security manpower—private equity houses are a cyber-criminal’s dream. Nearly a quarter of private equity firms experienced a cybersecurity threat in 2018, an EY survey found, with 58 percent of those threats considered to be at least moderately serious.
The vulnerabilities, for private equity, exist at three levels. First, there is the transaction process, which will inherently involve the communication of deal-critical information. Then, there are the risks associated with the management of portfolio companies and the implications for exit value—Yahoo’s price tag famously fell by $300 million after a series of breaches in the run-up to its 2017 acquisition by Verizon.
Finally, and most importantly for those responsible for fund administration, there is the private equity firm itself and its relationship with limited partners. A failure to take the necessary steps to mitigate fund-level cyber-risk may result not only in punitive financial losses but also in significant reputational damage.
Future fundraising prospects, in particular, could be devastated if LPs fear their assets are inadequately protected. Indeed, a recent PEI survey revealed that 90 percent of private equity CFOs consider strong cyber-credentials to be a must-have for investors.
Money transfers between private equity firms and their LPs are, of course, a particular source of vulnerability. Typically, cyber-criminals will seek to gain access to these funds through phishing schemes.
By taking control of the right person’s mailbox, they can identify invoices or outbound wire instructions, and either initiate or change a transfer so funds end up in their own account. By setting up a fake domain that closely resembles a real one, they can prolong their scheme indefinitely while avoiding alerting the firm.
Meanwhile, as cyber-criminals become increasingly sophisticated, they may also monitor emails for valuable intellectual property, which can be used to extort money.
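The two vectors described above, a compromised real mailbox and a lookalike domain, call for different controls. The following is an added example (not from the article or any firm quoted in it) of a sender-triage check: it folds common character substitutions, compares the sender's registrable domain against a constructed allowlist of counterparty domains, and holds any payment-instruction message for out-of-band verification even when the sender domain is genuine. Domain names and subject terms are constructed placeholders.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of the firm's own and its counterparties' domains (placeholders).
KNOWN_DOMAINS = {"examplecapital.com", "examplefundadmin.com"}

# Substitutions lookalike registrants commonly use; folded before similarity scoring.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Subject terms that mark a payment instruction worth a call-back on a known number.
PAYMENT_TERMS = ("wire", "bank details", "capital call", "remittance", "updated instructions")


def registrable(domain: str) -> str:
    """Reduce mail.sub.example.com to example.com (two-label rule; ignores .co.uk-style TLDs)."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:])


def fold_homoglyphs(domain: str) -> str:
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(address: str, threshold: float = 0.85) -> tuple:
    """Return (verdict, domain): 'trusted' for an allowlisted registrable domain,
    'lookalike' when the folded domain scores >= threshold against an allowlisted
    one, 'unknown' otherwise, and 'invalid' when no domain can be parsed."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    if not m:
        return ("invalid", address)
    domain = registrable(m.group(1))
    if domain in KNOWN_DOMAINS:
        return ("trusted", domain)
    folded = fold_homoglyphs(domain)
    best = max(SequenceMatcher(None, folded, fold_homoglyphs(k)).ratio() for k in KNOWN_DOMAINS)
    return ("lookalike", domain) if best >= threshold else ("unknown", domain)


def triage(address: str, subject: str) -> str:
    """Lookalike or unparseable senders are quarantined. Any payment-instruction
    message, even from a trusted domain, is held for out-of-band verification,
    because the real mailbox itself may be under an attacker's control."""
    verdict, _ = classify_sender(address)
    if verdict in ("lookalike", "invalid"):
        return "quarantine"
    if any(term in subject.lower() for term in PAYMENT_TERMS):
        return "verify-out-of-band"
    return "pass"
```

Tune the threshold against the firm's own counterparty list; a short, generic domain will score high against many unrelated names, so the allowlist should be kept tight.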
“Fraudulent phishing attacks and network attacks remain a regular threat for all industry participants, with key risk areas involving those for immediate financial gain, including misdirected payments and virus-related malware,” says Justin Partington, group head of funds at IQ-EQ.
“Moreover, hackers are getting smarter and issuing fake capital call notices to high-volume funds of funds, which has resulted in the administrator being compelled to stay ‘on-guard’ at all times.”
Indeed, human fallibility is widely believed to be the greatest cyber-risk of all. “Large amounts of cash are always moving about in private transactions, involving many people, and people are the weakest link in cybersecurity,” says Anne Anquillare, chief executive at PEF Services. “If you have ‘capital’ in your URL, then you are a target.”
What should firms be doing?
Ensuring that you have the right technology in place to protect your—and your limited partners’—funds is a fundamental starting point. Multifactor authentication or biometric credentials represent basic, critical safeguards.
But implementing a cybersecurity strategy is not about installing a tech solution, running a penetration test and then congratulating yourself on a job well done. Threat actors continually evolve, and cybersecurity must, too, be considered a work in progress.
It is also vital that cybersecurity is not viewed as purely an IT issue. Starting at board level, cyber-awareness must be integrated into company culture to create a sense of collective responsibility. All employees should follow protocols when sending emails, for example, or in securing personal devices.
Regular and effective training is therefore essential, according to Melanie Cohen, managing director at Apex Fund Services. She adds that her team’s cyber-awareness proved critical when a private equity client’s security failed.
“Even if your own cybersecurity environment is good, your client’s environment may be exposed. Our staff are all trained to look out for red flags and, in one particular instance, due to that, we were able to catch it and alert the client, which then involved the FBI.”
Meanwhile, any robust cybersecurity strategy must also cover not only prevention but emergency incident response. Fast action and good communication following an attack can mean the difference between a glitch and a disaster.
A work in progress
The private equity industry has taken significant steps in response to escalating cyber-risk in recent years. Awareness and education have ramped up dramatically, according to Partington, with considerable help from the Big Four firms which have established cyberconsulting and assessment units to help the asset class prepare for these risks in an optimum manner.
“Cyber-risks are increasingly being actively discussed at board level and receiving the required focus, be it physical office security, network security, phishing and email attack defenses, or employee awareness and training,” he says.
But there is still more work to be done, not least in controlling the contagion effect. Firms are experimenting with AI, RPA and blockchain in attempts to mitigate exposures with partners and trading activities.
“We believe the challenge is that there are new participants every day, with varying degrees of technology, security and processing capability,” says James Ferguson, head of Americas at Intertrust Group.
Ensuring that standards, regulations, oversight and governance are managed is a top priority. From there, ensuring all parties to a transaction are locked-in participants, with equal security provisions, adds value, Ferguson says. “If even one player in the life cycle is exposed, it creates vulnerability for all.”
Are your fund administrator’s cyber-credentials up to scratch?
Private equity firms are increasingly choosing to outsource their fund administration, not least to leverage superior cybersecurity.
But when it comes to cybersecurity credentials, not all outsourced administrators are equal and conducting thorough due diligence should be a priority.
“Fund managers should be looking for administrators that have had a respected firm conduct their full external cybersecurity reviews, have implemented controls based on the assessment, and followed it up by continuously updating security protocols to protect client data and money,” says IQ-EQ’s Justin Partington. “In this context, an emerging trend is the hiring of a chief security officer—which is increasingly becoming a must, given the security threats to businesses in the current era.”
PEF Services’ Anne Anquillare, meanwhile, adds that fund administrators must be able to prove the successful completion of an annual SSAE 18, System and Organization Controls (SOC) 1, Type 2 audit examination, in accordance with the American Institute of Certified Public Accountants attestation standards.
“This examination provides a comprehensive and in-depth review of a service organization’s controls and tests their operating effectiveness,” Anquillare says. “Companies that successfully complete an annual SOC 1 examination can demonstrate a higher level of security assurance and operational visibility than those that have not.”
While SOC 1 Type 2 audit standards protect the integrity of data and documentation, the right technology protects that data against cyber-threats by keeping sensitive information, including capital calls, distributions, financial statements, K-1s and other fund-related documents, in a secured digital environment.
A fund administrator must use platform technologies with advanced security features, including two-factor authentication and extended validation SSL certificates for all sensitive data. It must also have regular training for all staff and have cybersecurity firmly embedded in its culture.