5 minutes with… Agio
The run-up to GDPR in May 2018 had all industries, including private equity, scrambling to grasp their exposure to cyber breaches. The risk of hefty fines for those failing to protect personal data sparked LP questions about the reputational implications. In various polls, GPs had little confidence in their own defences, with doubts around who in a firm is best placed to tackle the growing threat.
Has the momentous EU law impacted the cyber security discussion in the US? Bart McDonough, CEO of IT and cyber security provider Agio, explains why private equity is becoming a target, and discusses whether US regulators will follow in the footsteps of their EU counterparts in adopting GDPR-style rules.
The Drawdown (TDD): Surveys have shown GPs and LPs both foresee a rise in cyber-attacks. Is the risk really increasing for private equity?
Bart McDonough (BM): From our side, we’ve indeed seen a certain evolution with cyber security in the private equity landscape. If I’d been asked 18 months ago, I would’ve said most private equity funds were not a particular target; bad actors did not seem to have much intelligence on the industry. Of course there were risks for GPs, like random phishing attacks, but the threat wasn’t different to that faced by the average business.
From our conversations with clients, the picture is changing. We’ve got evidence of a number of recent, very sophisticated attacks, campaigns orchestrated by bad actors to gain knowledge on private equity funds. You’d see someone using a pretext to call in and try to map out the organisation’s structure, who sits on what board, the relationship between a GP and its portfolio companies. There’s been a drastic increase in the interest by certain parties to gather and then leverage that knowledge to extract cash from a GP.
TDD: Given the nature of private equity organisations, where and how are they most structurally vulnerable to cyber-attacks?
BM: We find there is a bit of a contrast between private equity and trading organisations such as hedge funds. Private equity firms are more challenging to secure than hedge funks; it’s a bit counterintuitive, you would’ve thought the opposite, but there are a number of reasons why.
Something we talk a lot about in the cyber security space is one can’t understand what one doesn’t know. When you think about the nature of deals that most private equity firms do, understanding the counterparties is a challenge. If I were to ask a GP where his upcoming deals will be, who they will involve, answering would be difficult. By contrast, a hedge fund would be able to predict the counterparties of a transaction down to the precision of the IP address. The data hedge funds and other trading organisations use is much more structured than in private equity.
I don’t think a GP’s vulnerability lies in a particular function but rather in its people. It is the staff, rather than the system, that is the focus for potential bad actors: can they be manipulated and if they can, can that be leveraged to obtain something?
TDD: Over in Europe, GDPR has forced private equity and its stakeholders to rethink how sensitive data is managed. Has the EU law impacted the cyber security conversation in the US?
BM: GDPR has definitely had an impact here. Perhaps it hasn’t been a major transformation, but it’s certainly made people rethink what data they’re holding, reconsider data privacy. With cyber security, you can’t know what you’re protecting when you don’t know the data you’re holding. Having to carry out data-mapping exercises has had a big effect on firms.
In principle, private equity organisations are quite similar to one another in the data they hold and their data needs. What we’ve seen is most houses have discovered in recent years shadow IT elements, lurking within their organisations without the GP’s knowledge. Perhaps, for instance, the HR function or the investor relations team had started adding the contact details of LPs to PDF files, and so forth. Our experience with private equity is there’s been a lot of surprises around where the data actually was.
TDD: What has been the SEC’s approach to data privacy so far; will we see them emulate EU policymakers and pass stricter, GDPR-like rules eventually?
BM: GDPR was under the purview of data privacy, the empowerment of the consumer, whereas the SEC really is all about protecting the investor. I do think the SEC’s regulations could become more rigorous; as it stands, they are less prescriptive compared to how other industries are regulated. Healthcare players, for instance, face obligations like setting up firewalls, whereas the SEC’s approach to data privacy thus far has been to set guidelines only as recommendations.
That being said, a new administration could always come in and bring along a different view on data privacy and consumer rights at the federal level. The change is already happening across certain states. California, with a growing venture capital and private equity scene, adopted this year a GDPR-like system that goes into effect in 2020; in some areas, we see it as actually a little more aggressive than GDPR itself. As typically happens with progressive policies in the US, New York state could follow the lead with similar policies, and as for the other states – so many people do business with California that if they want to continue doing so, they’ll have to comply with these rules.