Private equity & cybersecurity: Dark clouds

Work-from-home has played havoc with private equity firms that didn’t have the IT protocols in place to manage the shift from storing data on office servers to relying on the cloud.

Those lacking proper plans and guidelines saw a 50% increase in cyberattacks last year, according to Henry Lin, founder and CEO of Hong Kong-headquartered fund administrator Linnovate Partners. “The number, to some extent, is scary,” says Lin. “No one would expect that cyber-attacks would grow with such enormous speed.”

The cost of cybercrime globally will reach $6 trillion in 2021, security and risk management portal CSO projects. Organizations of all types and sizes are vulnerable, but private equity is seen as a target-rich environment. GPs manage large sums of money, they often have modest cybersecurity measures, and attacks are rarely reported for reputational reasons.

Despite the preference for secrecy, anecdotal evidence of recent attacks is plentiful. In one case, a director at small-cap GP opened a PDF attached to an email, unleashing a virus that placed its back-end systems behind an encryption wall. The firm had back-ups, so it didn’t need to pay a ransom and lost only one week’s worth of data.

“We have seen a rise in business email compromise (BEC) attacks,” says Cecil Su, head of the cybersecurity unit at BDO in Singapore. “It’s never a random email; it is crafted in a way to gain the recipient’s trust. The hacker studies the person on social media and carefully plans the attack.”

Common sense is often an adequate defense mechanism. For example, an individual who receives an email from a colleague asking for help verifying some documents might recognize on closer inspection that the sender’s name doesn’t match the email address, or the message isn’t in the firm’s standard format. The key is knowing what to look for.

“The biggest weakness in cybersecurity is people. You can have all the safety nets and firewalls, but if you aren’t adequately training your people, someone will click on something and it will come back to haunt you,” says Michael Octoman, COO of Navis Capital Partners. “Half the battle is training.”

Asian weakness

Indeed, it is claimed by some that Asian private equity firms are more vulnerable than their US or European peers because the industry is less developed. This is true of GPs and LPs, contends Alexander Traub, group chief commercial officer at fund administrator Alter Domus.

“There is a prevalence for first-time fund managers that are committing relatively large amounts of money to small investee companies,” he explains. “On the LP side, groups investing in Asian private funds probably don’t apply the same level of due diligence rigor to a GP as they would in Europe or the US.”

Drawdown fraud is a classic area of weakness for smaller GPs in Asia. In one instance, a manager issued a drawdown notice to an LP via email without realizing that hackers had already infiltrated his system were monitoring the communication. Thirty minutes later, the hackers sent a forged email to the LP explaining that the bank details had been changed, using a similar account name to that of the GP and replicating the drawdown template.

Once the transfer was made to the new account, the money was immediately moved on to 10 other accounts and from there to 20 more accounts in different jurisdictions. “It was impossible to trace,” a source close to the situation tells AVCJ.

This begs the question of who bears responsibility – the GP or the LP – but it’s a moot point. In the event of a fraudulent drawdown, GPs have been known to compensate LPs through discounts on management fees or carried interest, according to Traub of Alter Domus. This is the price of retaining a long-term relationship.

Most sophisticated LPs have established call-back practices to verify payment details, while some prefer to communicate with GPs through secure portals instead of via email. In addition to taking preventive measures, Su of BDO recommends managers draw up – and test – critical incident response protocols as part of wider disaster recovery plans.

In addition to money, hackers routinely target commercial information. Another recent breach involved a Singapore-based private equity firm releasing vendor data, according to sources familiar with the situation. A system administrator accidentally allowed external access to a directory containing around 4,000 records and transaction notes.

A third-party service provider was engaged to perform a vulnerability assessment and penetration testing and patch up the system. The GP also had to report the breach to Singapore’s Office of the Privacy Commissioner for Personal Data, which hired the third party to search for evidence of people selling or exposing the data in the deep web.

Entry points

Accidental breaches are common, according to Rich Itri, a senior vice president of professional services at managed cloud, cybersecurity and digital transformation services provider Eze Castle Integration.

“Internal risk is far more prevalent and often hard to mitigate because you don’t want to hamper the business,” he says. “When having conversations around security programs, a good place to start is getting an understanding of the business and how it operates, as well as defining its most prized assets which require to be protected and mitigated."

With more people working from home and relying on online file-sharing services, a breach might be as simple as someone forgetting to remove the default setting that makes a folder publicly accessible or using free versions of Zoom that don’t allow encrypted URLs.

Private equity firms are trying to preempt any problems by investing more in cybersecurity. Navis, for example, has supplemented its internal IT manager with two IT and enterprise resource planning specialists. Meanwhile, an external cybersecurity player monitors systems around the clock and frequent tests are conducted at GP and portfolio company level.

“We started doubling down on cyber about two years ago; because we had become quite aware of how vulnerable a dispersed business could be. Today, because of ISA3402 certification [an international assurance standard for internal controls] as well as reviews by external providers, we are in reasonable shape - but you cannot stand still,” says Octoman.

The most common way in for a hacker is a back door – any method through which they get around normal security measures and gain high-level user access to a computer network. BDO’s research has found the most successful cyber-attacks on PE firms and portfolio companies have used email as the preferred threat vector.

The prelude to an attack is a phishing email, typically containing a file attachment that triggers a back door on being opened. However, the threat might only come with the third or fourth message. This is because the hacker wants to build up trust and collect information that forms part of the social engineering process, says BDO’s Su.

However, threats are constantly evolving, with third-party technology providers increasingly used to create back doors and launch indirect attacks. With more and more private equity firms relying on artificial intelligence and big data analytics, hackers may compromise these technology tools and modify the algorithms.

"Now everything is on the cloud, you’ve actually become more vulnerable,” says Linnovate’s Lin. “You have to share the resources with others and rely on big technology providers more than at any time in the past.”

The most high-profile recent example was US-based IT management software provider SolarWinds, which was compromised as a back door into US organizations. Hackers inserted malicious code into an update that was installed by some 18,000 customers.

Meanwhile, US cybersecurity specialist FireEye was attacked by a highly sophisticated threat actor. Hackers accessed FireEye’s assessment tools for testing user security, seemingly to obtain information on certain government customers.

Portfolio probing

These attacks on a broad base of users are not only problematic for private equity firms, but also for portfolio companies that might vary markedly in their cybersecurity competencies.

“I work with a number of different portfolio companies across industries, which often due to a lack of IT and operational leadership, focus predominantly on building out their customer base, growing revenue, and thus find themselves neglecting their IT infrastructure and the operational aspects of running a successful business," says Itri.

BDO cites the example of a sportswear distribution company owned by a US private equity firm, which fell victim to a cyber ransomware attack in 2019. Hackers demanded over $3 million in cryptocurrency within 24 hours or they would destroy most of the company’s operational data and valuable intellectual property, and release or sell personal identifiable information of all employees and key members of the PE firm.

They eventually agreed to a $1.5 million payout, with a cyber insurance company reimbursing the company for most of the ransom.

Private equity investors can help companies establish adequate cybersecurity infrastructure, but ongoing knowledge sharing is just as important. Robert Thorpe, COO of Australia-based Allegro Funds Group, notes that he shares lessons learned on cyber risk exposure with the CFO and COO of every portfolio company.

“The risks are very different for a fund manager than for Pizza Hut Australia [an Allegro portfolio company], so we are coming at it from different angles. This means Glynn Wright at Pizza Hut is thinking about things he’s never had to think about before, and equally, I hear things from him that I’ve not heard before,” Thorpe explains. ”We are both learning.”

• Tweet  
• Facebook  
• LinkedIn  
• Google plus  
• Save this article  
• Send to  

• Topics
• GPs
• Advisory
• Technology
• Asia
• professional services
• Cybersecurity
• Navis Management
• Allegro Funds