Private equity and hedge funds’ cyber security demands converge
Tom Cole, managing director - UK & Europe, Abacus Group, charts private equity’s increasing needs for robust cyber security, which are akin to those of its hedge fund counterparts. And with more complex demands, what questions do operational leaders need to be considering?
As an IT services and solutions provider to the alternative investment community, historically our perception has been that the hedge fund community is more professionally paranoid towards cyber security. However, this is changing and we are witnessing the private equity sector’s expectations with regard to cyber security converge with what we see with hedge funds. Why is this?
From a technology standpoint, hedge funds often have more moving parts to support their trade life cycle, whereas private equity workflows historically don’t require as many specialised systems. Private equity firms can flourish with a (relatively) minimal technology footprint, using systems such as Office 365, an internet browser, and a data room. Whilst they differ in how they consume technology, the cyber security threat is equally prominent. The private equity sector is now prioritising digital transformation to better realise opportunities, arguably becoming more technologically hungry. With this comes a heightened cyber risk.
Sector-specific service providers
When talking with small- to mid-cap private equity firms that are not clients, we are naturally curious to know how their technology is delivered. Whilst not common, some are reliant on a tech-savvy member of their team. What is more common is private equity firms partnering with a small-scale IT service provider, with little to no sector experience and limited depth and breadth in the cyber security field. Credible service providers, on the other hand, use best-of-breed cyber technology solutions, enabling firms to realise operational maturity nearly immediately. Put frankly, many private equity firms have outgrown their current technology operating model, and have come to realise first-hand that there is more to IT service providers than just reselling Microsoft Office 365.
Investor and regulatory pressure
A recent WSJ article recognized a correlation between cyber attacks and deal announcements, considering that private equity firms with an inadequate cyber security program tend to be ‘low-hanging fruit.’ The SEC is also bolstering its stance on cyber security, including for private equity firms, with the goal of enhancing cyber security preparedness. Investors also have a laser-sharp focus on cyber security. The sophistication of questions is increasing and the ‘trust but verify’ mantra is being promoted. Box-ticking compliance for cyber security is becoming (if not already) a thing of the past.
To close, it is important to consider cyber security as a management issue, not just a technology problem. This message and mindset are reminiscent of when business continuity planning (BCP) was considered solely an IT problem. We observe fund managers considering cyber security as just a technology problem. Leadership needs to appreciate that cyber security is as much a people and culture problem as it is a technology problem. Have you disabled multi-factor authentication for your CIO because it’s a hindrance? Does your investment team not have time to complete cyber security training exercises? Do you give everyone full local administrator access for ease? Now more than ever it’s time to look at your firm in the mirror and find a better balance between security and usability.