Getting Your Cyber House In Order

The issue of cybersecurity, and the rising, fast-evolving threat of cyber-attacks, is high on the agenda for many private equity managers. The threat is relatively new, often poorly understood, and the consequences – financial, regulatory, and reputational – can be severe.

Cybersecurity is the process of applying security measures to ensure the confidentiality, integrity, and availability of data. It attempts to assure the protection of assets, which include data, desktops, servers, buildings, and – most importantly – humans. The goal of cybersecurity is to protect data both in transit and at rest.

Large breaches are now a staple of the news agenda. The list of recent victims encompasses some of the biggest names in finance: Lloyds, Barclays, and JP Morgan have all fallen prey to attacks over the past eighteen months, while cyberterrorists allegedly caused a flash crash at NYSE. Even central banks – the lynchpins of the global economy – are highly vulnerable. In March, a criminal gang managed to extort $80 million from Bangladesh’s central bank through what amounted to a simple phishing operation. If it hadn’t been spotted in progress, the losses could have run as high as $1 billion.

But although it is the banks and similarly large institutions that tend to make the news, cybersecurity is arguably an even bigger threat for the smaller firms that characterize the private equity sector. These firms tend to lack the technical resources that larger organizations have at their disposal, and in the US last year more than 60 per cent of all cyber-attacks were targeted at small businesses. While the JP Morgans of the world will likely continue to attract business despite an attack, smaller private equity fund managers competing for capital in a highly competitive marketplace do not have the same luxury. In a survey of global institutional investors with more than $3 trillion of assets under management, conducted by KPMG last year, an overwhelming 79 per cent said they would be discouraged from investing in a business that had been breached. Importantly, in addition to the security of the asset management side of their own businesses, private equity managers must also consider the security of their portfolio companies.

Given the recent events, the issue is understandably high on the global regulatory agenda. In the US, the SEC has been conducting a series of inspections and examinations with a focus on technology and cybersecurity. In October last year it announced the latest round of examinations via a Risk Alert, and set out its cybersecurity priorities for 2016.

In the SEC’s view, “funds and advisers should identify their compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber-attacks. Funds and advisers could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws.”

The pattern is reflected in Asia, where last year Hong Kong’s Securities and Futures Commission (SFC) issued a circular relating to cybersecurity risk stating that all licensed businesses must undergo regular self-assessments of risks and controls pertaining to the threat. Both Hong Kong and Singapore’s monetary authorities have since re-emphasized the importance of risk management in this area. In the UK, while the UK’s Financial Conduct Authority (FCA) has not issued any specific new guidance related to cybersecurity, its existing policy on data security very much still applies. The FCA’s latest Risk Outlook in its 2016/17 Business Plan makes clear that “cyber-attacks are increasing and pose risks to consumers and markets.” It also points out that “some attacks are likely to be successful and firms may not have adequate defenses or effective plans to identify and respond to them.”

It is impossible to guarantee that you will withstand a cyber-attack. However, there are counter-measures laid out by regulators that can be put in place in order to increase the security of data and mitigate the risk. These include access control, awareness training, audit and accountability, risk assessment, penetration testing, vulnerability management, and security assessment and authorization.

The specific details of what is required vary across jurisdictions, and of course each private equity fund manager is different, and operates their business in slightly different ways. Nonetheless there are some basic hygiene points and things to consider that apply universally. Key questions to ask yourself include:

  1. Which cyber threats and vulnerabilities pose the greatest risk to the business and its reputation?
  2. What are the key assets that need to be protected?
  3. Do we have the right people (either in-house or through a third party) to manage this – both in terms of quality and quantity?
  4. Do we have good cyber threat management practices, including protective, detective and response capabilities? Is it fully integrated with our business strategy and processes?
  5. Do we have the right gauges to measure the success of our cyber threat management program?

Businesses need to make cybersecurity part of their day-to-day life, with documented policies and procedures – it cannot be considered a one-off, and must be built into the wider day-to-day culture of compliance. Fund managers and others involved in the day-to-day governance process should consider this to be a frequent agenda item. In addition, the nature of private equity means that these same considerations must also be applied to fund portfolio companies.

Cybercrime is here to stay, and will only get more complex and challenging. In the Augentius annual survey of fund managers across the globe, 51 percent indicated that they would be increasing their spending on technology in 2016, while nearly a third intend to increase the scope of their outsourcing.

With firms spending greater sums on technology—both in-house and outsourced—cybersecurity will continue to be a major priority for the industry in the years ahead. For a more detailed understanding of specific ways to combat the threat, private equity managers would do well to consider soliciting third party advice. In the meantime, these considerations provide a good overview and starting point on the road to getting your cyber house in order.

About the author
Ian Kelly is Group CEO of Augentius. He started his career with Augentius in 2002 as a Fund Accountant and has grown through the roles of Client Services Director, Chief Operating Officer (Europe) and Global Head of Client Delivery to become the Group CEO. Throughout his career Ian has been actively involved with numerous fund types, structures and jurisdictions through the complete fund life-cycle.

Augentius is one of the largest independent private equity administrators in the world. The firm is responsible for the administration of 373 funds and provides services to over 10,000 investors located in 101 countries. Augentius was founded in 2002 and has 479 staff members. (www.augentius.com).

© 2016 Private Equity Professional • 8-23-16
