Investment advisers, including private equity (PE) firms, should take steps to manage cybersecurity risks effectively, especially as firms increasingly incorporate technology into their operations and the Securities and Exchange Commission (SEC) continues to scrutinise the PE industry.
In response to growing cybersecurity risks, the SEC launched a cybersecurity initiative in 2014. In 2015, it issued a guidance update pinpointing a series of protections it expects advisers to adopt to address cybersecurity.
THE SEC’S GUIDANCE
As a general matter, advisers should:
• Conduct periodic assessments of: (1) the nature, sensitivity and location of information the firm collects, processes and/or stores, and technology systems; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk;
• Create a strategy to prevent, detect and respond to cybersecurity threats; and
• Implement the strategy through written policies, procedures and training that provide guidance to the firm’s officers and employees.
PE firms can mitigate exposure to cyber threats by adopting compliance policies that address threats as they relate to identity theft and data protection, fraud and any other disruptions in service that could affect a firm’s ability to process transactions.
The SEC has warned that there is no one-size-fits-all approach and each firm should tailor its compliance programmes based on the nature of its business.
To effectively manage cybersecurity risks, it is important to understand where they can arise. PE firms collect data from numerous sources, including portfolio companies, LPs, counterparties, acquisition targets, vendors, and employees.
• Third party risks: The SEC highlighted that cybersecurity threats do not necessarily originate within the PE firm itself, but may arise through third parties, for example placement agents and vendors. PE firms should conduct due diligence on the protections used by third parties, including reviewing the third parties’ cybersecurity policies; obtaining commitments from third parties that they will maintain your information securely; implementing indemnification provisions in the event of a cyberattack; and mandating that the third party use specific safeguards.
• Portfolio companies: PE firms must continue to balance providing portfolio companies with sufficient autonomy to operate, while maintaining sufficient oversight. Because risk profiles for each business are different, portfolio companies should tailor their protections accordingly.
• PE-designated directors: PE firms should ensure that their portfolio company board designees are conversant in managing cyber risks, including ensuring that portfolio companies have designed and implemented adequate policies and procedures.
• Prospective portfolio investments: It is important to conduct due diligence on how well an investment target protects its information from cyberattacks. This can be addressed through discussions with the company’s CIO about the cyber safeguards used. Security standards also can be incorporated into representations in acquisition agreements.
It is important for advisers to be prepared for a cybersecurity incident because the fallout can be wide-ranging: from breach notification obligations to concerns raised by LPs and portfolio companies.
Advisers should ensure they have appropriate policies in place to protect against attacks, taking a multi-disciplinary approach to dealing with cybersecurity and considering the legal and technical aspects.