Cybersecurity: The dark side of disruption

Cybersecurity has become an important back-office management issue for private equity firms in every major jurisdiction except Asia, where the threat is arguably most severe. To make matters worse, playing catch-up does not appear to be on the agenda. 

Fund administrator Augentius found that 70% of US GPs it surveyed and 64% of European GPs intend to spend more on cybersecurity in 2018, versus only 36% in Asia. Similarly, about 60% of Western firms aim to spend more on technology this year, compared to only 36% in Asia. 

At the same time, service providers are reporting that a steady flow of transgressions around payment transfers are being hushed up by investors that want to minimize reputational damage. This has resulted in an opaque, self-aggravating cycle of poor communication between stakeholders, inadequate comprehension of the danger, and a lack of visibility around mistakes that could be instructive to others.    

“It all boils down to the private nature of our industry that when things like this do happen, a lot of people don’t realize it involves somebody they’ve invested with,” says Alexander Traub, regional executive for Asia Pacific at Alter Domus and a former managing director at Augentius. “There’s potentially no obligation to make it public, even with LPs in the fund that was attacked. Unfortunately, that means people are not addressing the issue and making it part of their policies and procedures.” 

Points of weakness

Private equity is considered uniquely vulnerable to cyberattacks due to the commonplace transmission of millions of dollars between a complex web of partners via relatively manual channels. Especially in Asia, much of the high-level money transfer is conducted through easily hacked emails. Communication between GPs and LPs is considered a particularly defenseless area even though drawdown fraud is seen as the greatest security risk.

Despite the technical nature of cybercrime, attacks on private equity are generally unsophisticated. In a typical scenario, a hacker gains access to a firm’s email, drawdown notice templates are replicated and a forged payment request is made. If necessary, a courteous request for a change of bank details for that particular deal is included. The money is dispersed, perhaps as a cryptocurrency, and it becomes practically impossible to trace.   

As LPs demand more detailed information from GPs, the risk of sensitive communications being intercepted rises. In this light, cybersecurity issues are often framed as concern for more advanced PE ecosystems populated by large GPs that have less trust within their teams and complex relationships with progressive LPs. As a result, the smaller firms that characterize much of the Asian landscape are considered to be at a heightened risk of mistakenly considering themselves under the radar. 

“Small organizations could be lulled into a false sense of security by thinking they’re safer because they have a lower profile,” says Michael Bischoff, CTO at eFront, a private equity technology and services provider. “In fact, smaller organizations tend to be easier targets because they have less money, resources and attention to pay to this. With no backup strategy and no preventative measures in place, they can be completely at the mercy of a broad attack like a ransomware attempt.”

Cyberattack methods aimed at coercing funds from managers are known as phishing and do not require a previous information-gathering hack to be executed. Industry service providers, including eFront, confirm that sufficient information can be gleaned from the public internet to convincingly fake identities. The most tightly targeted attacks of this kind are referred to as spear-phishing and are increasingly seen as an inevitability that requires a standing contingency strategy.   

Intuitus, which carries out cybersecurity assessments for private equity firms, advises managers to establish a written and tested plan to respond to incidents as part of a wider disaster recovery protocol. “We have heard of incidents where spear-phishing attacks were used to divert funds as a transaction closed,” says Alasdair Redmond, head of service delivery and technology at Intuitus. “This speaks to the importance of a strong cyber-aware culture in the business as much as technical controls.”

Best practices

The core understanding here is that cybersecurity is not a technology problem – and that treating it as such would involve an expensive and unwinnable arms race with IT-savvy criminals. Practical infrastructural measures such as mobile device encryption, two-factor authentication, and the use of data room portals to secure transactions are widely endorsed. But the most essential fixes relate to staff behavior, including attack simulation exercises and education around deceptive social engineering practices and basic confidentiality hygiene. 

Appointing a board member with responsibility for cybersecurity is also recommended as a first step, but for smaller players, a CTO is generally not seen as necessary. Use of external specialists, including cloud computing firms and software-as-a-service providers, is considered an effective way for firms with limited in-house capacity to access sophisticated cybersecurity systems. However, service providers warn against reliance on less institutionalized partners that give sensitive data access to non-employee consultants who have not been vetted or controlled with appropriate checks and balances.

Cybersecurity insurance, meanwhile, is perhaps most effective in that it compels underwriters to risk-rate their policies through firm-wide diagnostics, thus clarifying the areas that need to be addressed. Smaller GPs with limited budgets must weigh this option carefully since many policies do not cover human error, which is invariably the weakest link. In this way, insurance offers a potent reminder that the most critical back-office cybersecurity issues can be readily managed without pricey outside help.  

“Organizations are bombarded with vendors who promise that for just a little more money they’ll be a bit more secure, but when you look at the history of cybersecurity, most compromises have been in very basic holes in the defenses,” says eFront’s Bischoff. “Investments in new and cutting-edge technology can be wasted if you haven’t done the basics like patching and upgrading your infrastructure and software, and providing behavioral training to employees.”

• Tweet  
• Facebook  
• LinkedIn  
• Google plus  
• Save this article  
• Send to  

• Topics
• GPs
• Performance
• Technology