Why PE managers should view cybersecurity like personal hygiene
The attraction for private equity as an alternative asset class is as strong as perhaps it has ever been. As the results of a recent E&Y survey reveal (Positioning to win: 2015 global private equity survey), 19 per cent of investors said they currently allocate up to 5 per cent of capital to private equity, but 39 per cent said they allocate more than 25 per cent.
This is encouraging news for private equity managers, but with it comes extra responsibility as investors and regulators alike ramp up their due diligence. Indeed whereas only 28 per cent of managers said they had been the subject of an SEC examination in 2013, that number had risen to 41 per cent in 2014. Most likely, the figure will be higher still for 2015.
As such, PE managers are focusing more attention on their compliance and operational frameworks to move into closer alignment with today’s global expectations. And as they increasingly adopt new technologies to improve business efficiency, the threat level from cyber attacks rises with them.
PE groups are in a unique position when it comes to maintaining a secure cyber programme because not only must they concentrate on ensuring that their own business operations are protected, they must also proactively monitor the security of their underlying portfolio companies. That is no easy challenge, especially with respect to data management.
To cope with the compliance and regulatory challenge, and the subsequent slew of data, PE managers are increasingly turning to third party providers. As they do so, having a proper vendor management process becomes an important element of any cybersecurity programme because whilst the GP might have fortress-level security, it counts for nothing if their law firm or fund administrator has network vulnerabilities.
“With respect to data management, you really have to think about where your data resides within your organisation. Let’s say you have subscription documents coming from lawyers. How is that personally identifiable information (PII) stored and protected and, crucially, how is it transferred to other third parties?” comments Jamie Hadfield, Managing Director, Technology at Gen II Fund Services LLC, a leading private equity fund administrator.
“We will look at a manager’s entire data flow, from start to finish. We pay a lot of attention to security concerns on how we initially receive documents, deploy access controls and communicate on an ongoing basis. Knowing where the data resides is key when putting in place a security governance model, not just in terms of understanding where data resides with a PE manager, but also the fund administrator, auditors, law firms and maybe third party IT providers,” adds Hadfield.
Although it sounds like an obvious point, it is only by knowing precisely where all the fund data resides that a PE manager can ever hope to effectively run a cybersecurity programme. That is why so many attacks often take place without the manager – not just in private equity but across the entire funds industry – ever knowing about it.
It is much easier to manage an outsourced model as the organisation can establish a checklist with which to conduct annual vendor reviews, making sure they have the right credentials and certifications in place. As Hadfield points out: “Not everyone in a manager’s ecosystem will necessarily have the most up-to-date certification. A key part of the governance model is risk management; that is, mitigating risk across the whole transfer and flow of data.
“It’s a balance and the analogy I tend to use is personal hygiene. There are lots of things you need to do to maintain personal hygiene. It’s not just one aspect like brushing your teeth or using hand sanitizers. It’s a combination of methods and the same concept applies to cybersecurity governance. It needs to become a habit and core to the business and not an afterthought.”
Private equity managers who embrace best practices, such that across the firm being ‘cyber aware’ becomes second nature, are going to be well positioned to attract institutional dollars compared to those who bury their head in the sand and continue to adopt a fatalistic mindset.
To be clear, though, better discipline and housekeeping need not mean hiring legions of people to shore up one’s back office and IT team. It just requires a change in mindset. And if, at the same time, the PE manager uses a third party administrator, much of the operational work in terms of receiving, processing and securing data, is taken care of.
Where cyber attacks tend to originate, however, is internally. This can happen for any number of reasons: a disgruntled employee who deliberately leaks information, poor education and staff training on cyber risks, or too much access to data across the firm without proper encryption and access controls.
Staying cyber secure needs to become more of a day-to-day consideration. If you receive an email from a third party, check the address, check what the attachment claims to be. When sending documents with sensitive information make sure emails and communications are encrypted.
“Social engineering comes in many forms and there needs to be some effort made to stay on top of the different tactics and techniques criminals employ to try and hoodwink firms. It’s just having the right level of awareness; I’m presented with a piece of information, now what is the right way to handle it?” A large part of that is undoubtedly an educational process.
“You’ve got to protect yourself from the outside world, but equally you want to make sure you can protect the firm from internal breaches as well. The rogue employee is often the reason behind a lot of data breaches,” says Hadfield.
In some respects, the fact that regulators such as the SEC are putting out guidelines on cybersecurity is helping newer managers who are still coming to terms with what it means to have a robust cybersecurity compliance programme. In the early stages of running a new business, PE managers have to tread a fine line in terms of deciding how much of the work they want to do internally, and how much they can outsource, if at all.
If managers do go down the outsourced administration route, what does that bring to the table? Does it bring more compliance, better tools and better processes? Outsourcing typically can, because of the scale that an administrator like Gen II can offer.
“As managers grow and become larger organizations, it becomes even more important to have a robust cybersecurity compliance programme in place. They can outsource the IT maintenance part, the back office, and now, increasingly, PE managers are outsourcing the regulatory compliance piece; leveraging third parties to help them gain the requisite level and scale of sophistication to help meet all of the requirements,” comments Hadfield.
One of the key drivers for embracing the outsourced model is the sheer amount of pressure PE managers are under to improve transparency and share fund data with LPs and regulators.
This ties back to the data management issue, and the need to keep a clear handle on who is accessing sensitive data, and monitoring it across the entire ecosystem. Now, for the very largest PE groups, spending IT dollars to improve system architecture is no problem. But for smaller and mid-sized managers, it can rapidly become overwhelming. This is where the benefit of scale comes into effect, when working with a third party administrator.
“We are seeing LPs doing increased due diligence during a PE manager’s fund raising before making a commitment. From our vantage point, our chief operating officer Steve Alecia is fielding many due diligence calls from LPs and very often cybersecurity is discussed.”
Looking at the latest SEC examination, the OCIE will want to see: governance, access rights and controls, incident response. These are the things they are going to look at when they visit an investment advisor and they will want to know where the fund administrator sits in the overall matrix. As regulation pushes PE managers more towards the outsourced model, administrators are going to play a bigger compliance role, according to Hadfield.
“Based on published studies, about 30% of PE managers outsource their administration. What they get when they outsource is the benefit of scale on a robust operating infrastructure with more sophisticated disaster recovery plans, guaranteed up times, incident response plans, etc,” adds Hadfield.
To conclude, whilst PE managers need to develop best practices to get a clear picture of where all of the fund’s data resides and who has access to it, they must also take steps to properly review their vendors and hold them to account. After all, if the appointed administrator is unfortunate enough to suffer a security breach, who is liable for the loss of that data? If the manager fails to demonstrate that their governance policy outlines an annual or bi-annual assessment, they could be open to litigation.
“Many firms carry cyber insurance now, both administrators and managers. Cyber insurance is a new development for the marketplace. Five years ago, nobody had to think about it,” concludes Hadfield.