Since 2020, private equity firms have seen an acceleration in the volume and sophistication of the cyber attacks they face. According to ACA Aponix’s 2020 Cybersecurity Compliance Programs Survey of 160 financial services professionals, 95% of firms are concerned about cyber security.
Reassuringly, a large majority (84%) of respondents said their firms engage in cyber risk assessment and gap analysis, and many conduct vulnerability and penetration testing. However, only 62% of firms conduct vendor diligence annually. Even more worrying, fewer than half (40%) said they take part in tabletop incident response exercises. This suggests that few firms are prepared to face an actual incident, because they are not paying attention to how individuals react in threatening and emotionally charged situations.
Against this backdrop, what should private equity firms be doing to increase the importance of cyber security as a business risk, and ensure that protections and security measures are robust and proportionate?
Christopher Conradi, chief digital officer at FSN Capital Partners says the cyber threat is growing faster than the market can keep up with. “I’m puzzled as to why the industry isn’t taking this more seriously than what I’ve seen so far,” he says. And he has a point.
According to ACA Aponix’s survey, the cost of cyber crime in financial services is estimated to reach $6trn by 2021. This figure is already larger than the total global PE and VC AUM, which according to Preqin, reached $4.74trn in June 2020.
Says James Tedman, partner at ACA Aponix, “35% of respondents confirmed they’d had a security incident.” Of course, this percentage only accounts for those firms willing to admit they’d suffered an attack. A survey by cloud-enabled security provider Barracuda, titled The state of network security in 2021, found that 81% of IT professionals across various industries, including financial services, said their organisation had been the victim of at least one security breach in the last year. Additionally, 74% said they’d been a victim of at least one ransomware attack in the last 12 months.
“We regularly speak to firms which have had a breach, and in most instances it’s a payment fraud attack,” Tedman says. “The PE space is an interesting target for an attacker because there are countless payments between GPs and their LPs, service providers, as well as portfolio deals.
“A PE firm makes large payments in a highly stressful environment, which creates opportunities. We’ve seen numerous instances where firms are targeted, sometimes resulting in very significant losses. We’re talking millions of dollars, sometimes many millions of dollars.”
LPs are also on high alert for cyber threats. According to Graeme Keenan, partner and chief risk officer at Pantheon, the firm’s systems are monitoring more than a billion data points a week in an effort to protect its network. Keenan has seen numerous attacks related to the call and distribution process in the last few years. “I’ve seen threats, for example, impersonations of GPs by attackers getting behind the GPs’ emails and accounts,” he says. “These threats have been around for well over a decade. However, now for the first time, the industry is experiencing credible threats, where attackers actually test the security that both the GP and LP have in place for protecting payment policies.”
Keenan notes there have been numerous attacks on third parties in the last 18 months because of the information and data they are privy to. “Third party links create the potential for exposure, particularly around personal data but also financial risk,” he says. “It’s no longer important for LPs to just consider who the GP is and their portfolio companies. We also need to know who they use as service providers as well as how they are sharing data.”
A robust cyber strategy ultimately protects LPs; it is their capital under threat. However, EY’s 2020 Global Private Equity Survey, which received responses from 100 PE COOs, CFOs and financial executives, found only 40% of investors believe their managers have adequate cyber security policies and procedures in place.
Keenan explains that when diligencing a GP, Pantheon scrutinises two areas. “The first is the GP itself, including how the firm protects its own IP, policies and data protection, controls around the call and distribution process as well as the sharing of information between the GP, their service providers and their LPs,” he says. “Second, is the GP’s understanding of cyber security and their underlying companies, including how they ensure the cyber defence for each portfolio business is protecting their own IP.”
For Keenan, a poor cyber security strategy is a red flag and can deter an investor from committing capital as it indicates the firm is likely to have weaknesses in the rest of their control environment. “That has been a gating factor for us in the past in some investment opportunities where we felt the investment case and the back office were vulnerable,” he explains. “A poor back office usually signifies some issues in the front office too. These tend to be weaknesses in operational and cyber security processes. Therefore, it’s likely there are probably weaknesses in the investment processes as well.”
However, more rigorous checks on a GP’s cyber security set up can result in a checkbox approach, rather than a robust way of working. “I think most firms implement a cyber security programme because of pressure from regulators and investors,” says Tedman. “They end up trying to satisfy specific DDQ questions, rather than actually tackling the business risk holistically.”
It isn’t uncommon for GPs to think of cyber security simply as an IT issue, and here is where private equity’s major weakness lies. “It’s a much broader risk that encompasses every business unit and division within the organisation than people realise,” says Tedman. “It needs very senior sponsorship and oversight. That’s something we’d like to see change in the industry. The problem is, GPs are resource constrained. They often don’t have a head of information security, so it’s tricky to manage internally. Payment fraud for example, is it right for the head of IT to be tasked with securing payment flows? Probably not. For many firms, the problem is understanding the right way to manage cyber security risk.”
On top of this underestimation of cyber risk, the move to remote working intensified the problem.
“Remote working certainly increased the frequency of threats, and those firms without a clear policy and cyber security defence have been tested,” says Keenan.
Tedman agrees, “Covid created opportunities and many attacks were facilitated through email. There was a very rapid move to the cloud to facilitate remote working. In some instances, that was done in a hurry without sufficient thought and planning about how to do it securely. It was done primarily with remote working and convenience at the forefront of people’s minds. That meant there were certain compromises.”
But Conradi explains that convenience is often reduced when security is increased. “I feel the industry leans too much towards convenience and that needs to change,” he says. “People in my position should ensure security is convenient, but there still isn’t enough discussion around that. By not thinking of convenience as part of your security strategy, you’re actually hurting yourself and shooting yourself in the foot.”
George Ralph, managing director and CRO at RFA, explains that a major risk around cyber security is human error. “Users that aren’t educated enough at spotting a phishing attack, for example, are the ones most likely to click on it. Cyber security prevention is about removing the possibility of human error, and one way of achieving that is automation.”
According to the FCA’s handbook, SYSC 13.7.5 on IT systems: “Automation may reduce a firm’s exposure to some ‘people risks’ (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependency on the reliability of its IT systems.”
“Firms now understand they need to ensure more processes are automated because if the team isn’t in the same office, they can’t follow their existing manual processes,” adds Ralph. “Automation is far more than simply providing operational efficiency, it’s part of cyber attack prevention.”
While many firms put the onus on everyone in the team to maintain a secure workspace, Conradi doesn’t think this is the best approach. “Some companies deal with cyber security passively, so they put the responsibility on each individual, but you can’t do that,” he explains. “Everyone, including myself, can become a victim of this and fall for the scams. At the core, you need systems in place to protect yourself because the burden is too big for each individual to bear.”
According to a March 2021 blog post by Lorena Gutierrez, manager, crisis and resilience at PwC UK, which discusses the human responses of a crisis management team to a cyber attack, responding to a crisis activates the ‘fight or flight’ threat circuit in our brains. “Our human instincts try to avoid or get out of a situation as quickly as possible,” she writes. “This may lead people to try and come up with the ‘fastest solutions’, rather than considering the wider, long-term impacts of each decision.
“The emotional response to a crisis also has an impact on how responder teams communicate with one another and with other stakeholders. Under pressure, people’s tolerance for operating with limited information, as well as for discerning opinions, tends to exponentially diminish. The likelihood of impulsive reactions increases at a time when clear, direct communication is of utmost importance.”
According to Ralph, the National Cyber Security Centre (NCSC) provides Cyber Essentials certifications for small businesses, detailing cyber security requirements every firm should have. “The NCSC encourages having a risk management process where you list the risk topic, what you’re doing to mitigate it, what potential, additional things you can do to mitigate it, and checks you’re doing to ensure those mitigating actions are taking place.”
The NCSC standards state each firm must name a director who is responsible for checking the checks. This falls in line with the FCA’s Senior Managers and Certification Regime (SMCR), which has been phased in since 2016 and was extended to solo-regulated firms such as PE managers in December 2019, and which requires a named senior manager to take responsibility for each area of the business. “While it was mainly thought of for finance divisions and governance, cyber security falls under this remit too,” adds Ralph.
Playing a role
Taking into account the criticality of a robust risk management plan, but in an effort to reduce the team-wide burden, FSN’s Conradi runs tabletop exercises as part of the firm’s incident response plan. “The idea is to have a plan of action, and if that person is unavailable, there is always a plan B,” he says. “By running through various scenarios and adding surprise spice here and there, we give our team autonomy, as well as some authority to specific individuals that wouldn’t normally have that responsibility, but who could handle it.”
Tedman believes this type of preparation is key because it reduces the risk of taking a wrong step which could make the incident worse; something he’s seen on a number of occasions. “Firms may have had strong technical control and good, strong staff awareness, but they didn’t have an incident response plan,” he says. “It’s not about just having a plan, it’s about actually testing it. In high pressure instances, everyone waits for someone else to think of a plan, but by then it’s too late. It’s absolutely critical the incident response plan is mapped out and there are scenarios defined with playbooks so employees know exactly what to do, how to behave, who’s involved and the order of actions to take in any cyber incident. It makes a very stressful environment less stressful.”
On a day-to-day basis, everyone has a part to play in keeping their own technology secure, because successful cyber attacks are largely down to human error. That said, the overall responsibility is still too great for individual team members to carry alone.
“Acknowledging the human reactions that responders may experience should be part of any organisation’s crisis planning,” Gutierrez explains in her post. “No matter how sophisticated a cyber attack may be, an effective response will ultimately depend on your people, and their ability to think clearly and strategically.”
By increasing automation, and assigning specific responsibilities to individuals in times of crises, firms could have a fighting chance against cyber crime, ultimately instilling confidence that they do have robust operations in place for every eventuality.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Preview data from ACA Aponix’s upcoming 2021 Cybersecurity Compliance Programs Survey, in partnership with NSCP (chart; metrics listed, values not reproduced):
Respondents who said cyber security poses a serious risk to their business
Respondents concerned about ransomware attacks
Respondents who conduct a cyber risk assessment at least once per year
Respondents who conduct information security vendor due diligence annually
Respondents who engage in tabletop exercises at least once a year