Industry Voice: Private equity’s cyber dichotomy
Agio CEO Bart McDonough outlines private equity’s paradoxical relationship with cybersecurity, and explores the four largest threats facing the industry today.
While the private equity industry sees clear value in investing in cybersecurity firms, it has been paradoxically slow to adopt the cybersecurity services and governance offered by its own portfolio companies. Now more than ever, limited partners including pension funds and endowments are demanding that fund managers assess, report and mitigate cybersecurity risks in their firms as a prerequisite for committing any capital. For these investors, a private equity practice without proper protections exposes them to malicious acts including data breaches, malware infection and theft of funds.
Despite the high cost of poor cyber defence, most private equity firms underestimate their exposure to cybercrime. Increasingly savvy bad actors are shifting focus from large financial institutions and regulatory bodies to the less sophisticated fund administrators moving large volumes of capital between investors and sell-side organisations like banks. To avoid a reputation-damaging hack, private equity firms need to swallow a spoonful of the cyber medicine they have been investing in.
Today’s top four cyber threats to private equity are listed below, along with explanations as to how cybercriminals are exploiting these ‘vectors’ for financial gain. Also outlined are preventative steps COOs and CFOs should take.
1) DRAWDOWN NOTICES
Increasingly sophisticated cybercriminals targeting private equity are tapping into a larger playbook of tactics that exploit the industry’s inner workings. Take exploitation of drawdown notices, for example. In these scenarios, cybercriminals break into a firm’s internal network (or a single compromised mailbox), extract lists of fund investors and archived drawdown notices, and use this material to produce convincing counterfeit notices that differ from the originals only in the recipient bank account details. Once such a notice is issued, an investor who believes it is sending capital to the private equity firm instead wires the money to the criminal’s account. With enough planning, a single forged capital call can yield a multi-million-dollar payoff.
Managers need to ‘codify’ their process for revising drawdown notices, ensuring there is a clear protocol for vetting, approving and communicating to investors any change to these payment requests, and above all any change to the receiving bank account, ideally well in advance of any drawdown notice being issued. To further reduce liability and investor risk, managers should communicate these changes over a closed, secure platform rather than ordinary email, and collect written confirmation from their investors along the way. Investors, for their part, should confirm any change to wire instructions by calling a contact number they already hold on file, never one printed in the notice itself, before releasing funds.
2) PHISHING EMAILS AND PHONE CALLS
If cybercriminals are shrewd enough to exploit drawdown notices, they are just as adept at monetising other sensitive information, like deal flow. Private equity transactions are often a matter of public record, with their key participants listed by name. Malicious actors combine this information with publicly available social media data to decipher corporate hierarchies and then shape social engineering attacks aimed at key personnel, such as CFOs. These are usually ‘phishing’ attacks, in which a bad actor poses as a familiar entity (a counterparty, a law firm, a colleague) to trick the target into handing over credentials, sensitive information or a payment. Referencing previous deals to establish credibility is one such method.
Phishing is one of the most effective attack vectors against private equity because the business runs on people and communication. Think of the industry’s reliance on emails, phone calls and text messages, as well as on unsecured personal devices like phones, computers and tablets – all prime endpoints from which a hacker can compromise accounts, monitor communications and intercept any exchange of value, such as a wire transfer, in real time. When an associate unintentionally surrenders their account credentials, they open the door to the firm’s inner workings. Hackers can then exploit sensitive material such as investor analysis, sales forecasting data and customer information: encrypting or stealing it and demanding payment (ransomware and data-theft extortion), using it to move further into the network (a firm’s CRM or accounting system, for instance), disrupting deal negotiations, or even trading on the inside information it contains.
Private equity firms’ first line of defence starts with quarterly interactive phishing training that teaches employees how to recognise and report potential phishing attempts. It is worth noting that gamification – providing rewards for flagging phishing attempts – is a particularly successful technique for increasing employee engagement. Tracking the employees who keep falling victim to social engineering exercises will also help you target additional training sessions, bolstering your defences and mitigating the risk human nature poses to your firm. Training reduces the number of clicks but never eliminates them, so it should be paired with multi-factor authentication on email and remote access, so that a stolen password alone is not enough to get in.
3) VULNERABILITIES IN THE NETWORK
Cybersecurity vulnerabilities can hide in mundane places, like office equipment. Printers are just one device type susceptible to attack: networked printers and multifunction devices routinely store administrator and service-account credentials for functions such as scan-to-email and directory look-ups, and cybercriminals use malicious code or exploit outdated, unpatched firmware to recover them. These credentials, in turn, let hackers connect to a firm’s supposedly ‘closed’ production network and reach the valuable information in its databases. The degree to which these ‘everyday’ devices are overlooked as risk exposure is underscored by a recent Securities and Exchange Commission report, which found that 57% of investment firms fail to run penetration tests on potential weak points in critical settings, while 26% of managers do not conduct regular risk assessments for cybersecurity threats and vulnerabilities.
To tackle this threat, firms must establish a formal process to maintain and monitor an inventory of every device on the network, peripherals included, and to keep their firmware and operating systems patched. This helps companies uncover configuration errors and vulnerabilities long before bad actors can identify and exploit them. In addition, a firmwide process for managing passwords can ensure credentials are not reused across systems and that privileged accounts are never stored on peripherals, giving bad actors fewer opportunities to breach a firm’s back-end systems.
4) INSUFFICIENT LOGGING
It sounds tedious, but logging and monitoring changes to a company’s networks, applications, databases and physical devices is one of the most effective ways to detect suspicious activity and, crucially, enables a fast and effective response to any cyberattack or data breach. The importance of this approach is underscored by the latest edition of the OWASP Top 10, the Open Web Application Security Project’s list of the most critical web application security risks, which added ‘insufficient logging and monitoring’ as a new risk category. Failing to collect adequate logs and review them periodically is equivalent to owning a vehicle and never checking under the hood until a problem arises and it is too late.
For visibility into changes to a firm’s systems and access to its proprietary information, onboard security information and event management (SIEM) software to gather, correlate and retain logs; staff a dedicated security team to manage the SIEM, either by outsourcing or by building the team in-house; and put in place preventative and reactive controls for likely risk scenarios as part of your firm’s incident response plan.
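As an added illustration of what the log review described above (and the device inventory from section 3) actually looks like in practice, the following Python example runs two simple detection rules over a handful of constructed log lines: a login that succeeds after a burst of failures from the same source (the pattern left behind when a phished or guessed password is finally used), and a device that the inventory says is a printer opening a connection to a production database. This is example code written for this page, not Agio’s tooling or any SIEM product; the log format, hostnames, IP addresses, port list and inventory are all made-up assumptions.

```python
"""Minimal log-review example: two detection rules over constructed log lines.

Added illustration for this page; the log format, hosts, users, IPs and
inventory below are invented and are not from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a simple syslog-like key=value format (assumption).
SAMPLE_LOGS = """\
2024-03-04T09:01:10 auth host=vpn1 user=cfo src=203.0.113.7 result=FAIL
2024-03-04T09:01:14 auth host=vpn1 user=cfo src=203.0.113.7 result=FAIL
2024-03-04T09:01:19 auth host=vpn1 user=cfo src=203.0.113.7 result=FAIL
2024-03-04T09:01:25 auth host=vpn1 user=cfo src=203.0.113.7 result=FAIL
2024-03-04T09:01:33 auth host=vpn1 user=cfo src=203.0.113.7 result=OK
2024-03-04T09:15:02 auth host=vpn1 user=associate src=198.51.100.20 result=OK
2024-03-04T10:02:41 netflow src=10.0.5.40 dst=10.0.9.10 dport=1433 proto=tcp
2024-03-04T10:03:00 netflow src=10.0.2.15 dst=10.0.9.10 dport=1433 proto=tcp
"""

# Constructed device inventory (section 3): what each address is supposed to be.
INVENTORY = {
    "10.0.5.40": {"type": "printer", "name": "print-3f"},
    "10.0.2.15": {"type": "workstation", "name": "fin-ws-07"},
    "10.0.9.10": {"type": "server", "name": "fundadmin-db"},
}

# Ports we treat as production database listeners (assumption for the example).
PRODUCTION_DB_PORTS = {1433, 5432, 3306}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")


def parse_line(line):
    """Turn one 'timestamp kind k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
    for token in m["rest"].split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= threshold failures for the same
    (user, source) inside the time window: the footprint of a password that was
    guessed, or phished and then tried until it worked."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in events:
        if ev["kind"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({
                "rule": "failed_then_success",
                "user": ev["user"], "src": ev["src"],
                "failures": len(recent), "ts": ev["ts"].isoformat(),
            })
        failures[key] = []  # a success resets the counter for this pair
    return findings


def detect_device_to_db(events, inventory, allowed_types=("workstation", "server")):
    """Flag connections to a database port from a device that the inventory does
    not list at all, or lists as something (a printer, say) that has no business
    talking to production databases."""
    findings = []
    for ev in events:
        if ev["kind"] != "netflow" or int(ev["dport"]) not in PRODUCTION_DB_PORTS:
            continue
        device = inventory.get(ev["src"])
        if device is None or device["type"] not in allowed_types:
            findings.append({
                "rule": "unexpected_db_client",
                "src": ev["src"], "dst": ev["dst"], "dport": int(ev["dport"]),
                "device": device["name"] if device else "UNKNOWN",
                "device_type": device["type"] if device else "unknown",
                "ts": ev["ts"].isoformat(),
            })
    return findings


def review(text, inventory=INVENTORY):
    """Parse a log excerpt and run every rule; returns the list of findings."""
    events = parse_logs(text)
    return detect_failed_then_success(events) + detect_device_to_db(events, inventory)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS):
        print(finding)
```

Run as written, the review produces two findings: the `cfo` account logging in from 203.0.113.7 after four failures in under a minute, and the printer at 10.0.5.40 opening a connection to port 1433 on the fund administration database. A real SIEM correlates far more sources and far richer rules, but the shape is the same: parse, keep state across events, and surface the combinations a human would never spot by eye. The rules deliberately use the inventory as ground truth, which is why section 3’s device inventory and section 4’s logging reinforce each other; a printer talking to a database is only detectable if you know which address is the printer.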
Despite rampant private equity deal-making in cybersecurity, firms remain at great risk from exactly the issues their portfolio companies were created to solve. The combination of vulnerable legacy technology, evolving attack strategies and ambiguous accountability for cybersecurity leaves private equity firms without the governance needed to prevent an attack. Executives who think their firm’s small size and low public profile are enough to keep them off the radar of cybercriminals are grossly underestimating their appeal as a high-yield target. The industry-wide ‘wait-and-see’ approach to cybersecurity resembles sitting on dry powder: reserves are only worth holding if they are deployed before the opportunity, or in this case the breach, has passed.