Fund Administration Special
Any discussion on cybersecurity should focus on risk tolerance and management. It should not be seen as a purely technical conversation to be led by the IT function within the organization, but instead be bolted on to the organisation’s existing and approved company-wide risk levels.
The challenge is knowing where to begin. The seven cost-effective steps detailed here can mostly be taken by internal staff without third-party assistance. They build on the foundational risk assessment work, security training and awareness programmes, and the current-state assessment conducted by a trusted third party.
1. Identify your data and know where it resides
Few companies have a well-defined map clearly detailing where all the company data resides. Usually there is considerable institutional knowledge of systems inventory across different areas of the firm, but it is often not documented. Customer relationship management, HR management systems, fund accounting, file storage and a slew of other systems probably constitute the core of most platforms used in private equity firms, but what about your third-party fund administrator, payroll provider or outside counsel? Are they using systems that store sensitive employee or investor data?
Once this is considered, a firm quickly realizes that sensitive data is stored across dozens of different systems, some managed by the firm itself, some in the cloud and some with third parties such as attorneys and tax consultants. A private equity firm must therefore map out exactly where its data sits.
This can be created using a simple Excel spreadsheet, which will help develop a process to protect this data. Within the spreadsheet, list the name of the system or the application, followed by a brief description of what it does for your business. From there, add a column that defines who the business owner of the application is and what type of data it contains. Other data points to consider include whether the application is on premise or not, vendor contact information and whether there is a secondary business owner.
2. Establish a data classification system
The classification of data is a critical step in the systems inventory process and it should be a separate column in the spreadsheet. An example could be public data vs confidential data vs highly confidential data. Classification can be time-consuming and should identify the business lines that own the information.
The classification system also needs to have controls in place to ensure data confidentiality, integrity and availability are secure and understood by all employees. LPs want to know the private equity firm, as the data steward, is safeguarding their sensitive data. This systems inventory highlights which systems require attention and who, internally, should have access to them.
3. Know who has access rights to your data
Develop a quarterly or biannual entitlement review process of the systems that contain confidential or highly confidential data. An entitlement process requires the business owners of each system or file share that is storing sensitive data to confirm the correct individuals in the organisation have the appropriate access. People change departments and leave the organization, so this ensures movements within the firm are accurately reflected within the permissions of various systems. If a member of the investor relations team, for example, moves to a different department, they may no longer need access to highly sensitive investor subscription documents and should have their permissions removed.
4. Use a password management strategy
Passwords are an important first step in managing access to systems containing sensitive data. Much has been written about the reliability of passwords to protect critical systems and about a future without them. However, we remain dependent on them. Of course, nothing is foolproof and passwords are an elusive means to truly protecting what is important to us all.
Require employees to change their passwords frequently, for example, every 90 days. The important thing is to choose one and make it enforceable with no exceptions. This will not prevent a cyber-incident, but it will help catch accounts that slip through the cracks, like interns and temporary employees who have left the firm. Their accounts would automatically terminate after their passwords expire.
5. Use two-step authentication and single sign-on
Many are familiar with RSA tokens issued by banks over the last decade. This technology has become ubiquitous and less complicated in the last few years and can help mitigate risks associated with access to key systems. Think of multi-factor authentication, or MFA for short, as using two bits of information you have access to in order to gain access to your sensitive data.
The first is something you know – your password. The second, the MFA piece, is something you have – a token. The two together offer a high degree of protection as you cannot access key corporate systems without both of them. Protecting platforms such as Microsoft Office 365, the corporate VPN and CRM with multi-factor authentication ensures only employees with access to the issued token can gain access to important platforms.
The technical aspects of SSO are beyond the scope of this article, but think of it as an extension of the firm’s identity management system. Many private equity firms today leverage systems in the cloud, which requires separate user names and passwords. With an SSO platform, company-based username and passwords can be extended to these cloud-based platforms. Having one user name and one password greatly simplifies how employees can securely access an expanding world of applications.
6. Prepare an incident response plan
Without an incident response plan already designed and tested, the firm is facing a very grim 24 hours. Securing the guidance and support of a cybersecurity third-party consultant to help develop an incident response plan will be of tremendous value.
Consider significant variables, define roles and responsibilities and properly manage communication in the event of a breach. Additionally, there are breach notification laws that differ from state to state and country to country, which are difficult to track and in some cases understand.
The bottom line is that when – not if – your private equity firm suffers a data incident or a loss of data, you may have a legal obligation to report it and you certainly have a fiduciary responsibility to manage it. Having a clearly defined plan on who should be involved internally and which external resources to contact makes resolving an uncomfortable and stressful situation easier.
Do not wait to develop a response plan until you are in the middle of an actual cyber incident. Make it a priority to meet with your cybersecurity steering committee and the firm’s management team to build out an incident response plan.
Many firms would benefit from seeking guidance from a third-party consulting firm or a legal cyber practice group to help shape and develop an incident response plan that best suits their culture and legal obligations. In many cases, it is also helpful to speak with an insurance broker about cyber liability policies as a means to manage and mitigate risk.
Many cyber liability policies have panels of experts that can perform legal guidance and cyber forensics work. Both are essential during a cyber incident investigation.
The cyber world of today has many moving targets. As cyber-criminals better understand private equity, most firms will become targets. Start analysing your internal risks and developing the strategies outlined in this chapter now in order to position the firm to manage both the cyber regulatory requirements and LP requirements of the future.
Taking appropriately measured steps will do much to mitigate current and future cyber-risks.
An effective cybersecurity program will take months, possibly years, to have a stable foundation that you can build upon as needed. The regulatory environment will continue to change and expectations from LPs and third parties will evolve. So too must your cybersecurity programme. It is a vital tool for protecting critical assets. Next time you think about the firm’s cybersecurity status, ask these two questions:
What will happen to the firm’s reputation if proactive steps are not taken to protect data?
Will this affect the firm’s ability to raise the next fund?
It is impossible to know, but taking no action is not a viable option.
7. How to respond to a breach
Although written in 2014, the cybersecurity guide by the British Private Equity & Venture Capital Association and PwC remains relevant and speaks directly to how a firm should prepare for when it suffers a loss of data. It provides excellent steps to take the minute a cyber situation occurs:
“[The incident response plan] should include aspects such as: who internally is responsible for leading the breach response; who to call if external technical response is required; what to do if the response needs to be conducted under legal privilege – how to tell and what to do; how to handle the PR side of a breach; if you have lost customer data for example, what is the communication plan to stakeholders.”