Private equity staff tend to be a hardworking tribe, but limited partners impressed by their work ethic should bear in mind that this can, in one important respect, be a harmful characteristic.
Jay Leek, chief information security officer at Blackstone, the private equity firm, in New York, explains the problem. “Staff may want to work on a confidential deal using their Gmail account over the weekend. Good intention, but not a good decision – we want to keep that work within the firm.”
For this reason, Blackstone insists that any confidential data stays within the Blackstone IT system: Gmail is forbidden for the firm’s business.
The threat of diligent employees breaching security by accident during out-of-hours toil underlines his assessment of where the biggest cyber danger to private equity firms lies. “By far the number one threat to any organisation is well-intentioned non-malicious insiders: authorised individuals who need access to confidential information to do their job. They make a mistake along the way and put the organisation at risk,” says Leek.
To counter such threats, Blackstone runs a scheme called the Human Security Censor Program, which teaches staff how to protect the firm from cyberattack. This includes the testing of employees, who will, if they perform badly, attend cybersecurity training.
Bill Murphy, chief technology officer and Leek’s manager, says he and Leek look at about 100 new IT security systems every year – an amount whittled down after preliminary sifting. It hires a company to attempt, twice a year, a penetration of its systems, as well as using its own automated solutions to scan its system constantly to look for weaknesses. Blackstone also formulates an assessment of how to improve portfolio companies’ security systems as part of the standard 100-day plan customarily implemented by general partners in the few months after the takeover of a target company.
It is an expensive business: Jay is part of a team of nine staff dedicated to cybersecurity; on top of this, the firm has to consider the cost of buying products and services from external consultants.
Many firms also have their systems backed up by a third party – a cost put by the chief operating officer of one mid-sized private equity firm at between $75,000 and $100,000 a year.
What, when it comes to cybersecurity, do private equity firms tend to be weak at?
Luke Scanlon, technology law expert at Pinsent Masons, the law firm headquartered in London, has concerns about firms’ second line of defence: the damage limitation put in place when a successful cyber breach is made. He describes it as “amazing” that so many private equity firms do not have an “effective incident response plan” in place to minimise or eliminate the damage caused by these breaches.
To Vikram Bhat, financial services industry leader for Deloitte Advisory’s Cyber Risk Services business in New York, the “crown jewels” that most need protecting includes information on the fund’s dealmaking, intellectual property held by a portfolio company that might give it a key competitive advantage, and – intriguingly – information on high-profile executives.
“People at private equity firms are sometimes board members of other companies. They may be people in sensitive positions, perhaps with backgrounds in politics,” he says.
“Sometimes the private equity firm may get caught up in the cyberattack not because the malicious actor had any interest in the portfolio, but because they were interested in the people.”
Bhat says it is essential for general partners to work out what the most sensitive information is, so that they can consider whether to put extra measures in place to protect it, such as encryption or identity management systems.
More even than the loss of commercially sensitive data, Murphy of Blackstone emphasises the value of keeping the firm’s reputation.
“It’s less about specific risks caused by the theft of a specific set of data, and more about a broader perception of trust, and making sure that our reputation stays as strong as it can be,” says Murphy. “That underlies everything we do. That’s why investors trust us with their capital.”
Taking the private equity industry as a whole, limited partners have yet to be convinced fully that GPs are doing a good job – though they are also far from excoriating. In this year’s Private Equity International survey of LPs, only 32 percent said they were “very” or “somewhat” satisfied with the current cybersecurity policies of their fund managers. Six percent were “very” or “somewhat” dissatisfied, with 62 percent sitting on the fence.
When asked to rank the most important of a list of six cybersecurity issues, they put in first place the imperative to “complete a cyber risk/cyber threat analysis”, in line with the practices outlined by Blackstone.
On the positive side, industry observers say that private equity firms are becoming better at cyber warfare. But then so, too, are the malefactors – and if general partners forget this, investors will remind them.
“This is an important and growing issue,” says Brian Murphy, managing director at Portfolio Advisors, the Darien, Connecticut-based fund manager and advisor specialising in private equity and credit. “The risks are growing as the criminals have more and more tools and achieve more success. Every fund will have to upgrade what they currently use or they will be at risk in the future.”