In February, the US Securities and Exchange Commission proposed a raft of new cybersecurity risk management rules for private funds, designed to improve investor confidence in their advisers’ resiliency against cyber-threats and attacks. The proposals, which are subject to a 60-day consultation period, require funds to implement written cybersecurity policies, to report significant incidents, and to publicly disclose risks and incidents to investors.
Christina Powers, a cybersecurity specialist and managing director at digital services firm West Monroe, says: “The bulk of the proposals are around getting better at cybersecurity and getting more visibility into the reporting of cyber-incidents. This has not been enforced in the past, so it is going to require people to have better processes around how they do that, who will be responsible for it, and what is captured.”
Powers says most firms are already tracking incidents internally and have robust cybersecurity governance in place, but they are not necessarily sharing that information. “The work to understand what has happened and its impact is already being done,” says Powers. “There may be some work needed to make sure investigations are happening in a timely manner, but the biggest challenge is going to be reporting this information and making sure you are giving out the right information.”
George Ralph, global managing director and chief risk officer at cybersecurity provider RFA, agrees that formalised information security plans are broadly already in place across the private equity landscape, but he says that incident response plans are lacking. “This is a reaction by the SEC to breaches that have happened during covid,” says Ralph. “A lot of firms haven’t had good enough awareness and have been phished, and now the Ukraine situation is scaring people further.
“Everyone should have an incident response plan in place, but that also needs to be tested regularly. There is no point in having an information security policy if you don’t make sure that everyone in the business reads it and understands it.
“For incident response planning and business continuity planning, I encourage my clients to do an annual test that’s disruptive and then another one that is a table-top exercise to really scenario-test who will do what in the event of a breach. People need to understand their responsibilities because you can often be in a situation where everyone is panicking and nothing gets done.”
The risks that private equity firms face around cybersecurity continue to escalate, not least as a result of a shift to remote working that has upended operating models and left businesses more exposed. The volume of phishing and ransomware attacks is only set to increase, as attackers seek to siphon off money during the course of a complex deal or to lock down operations in return for payment.
“Private equity portfolio companies have always been an attractive target for attackers”
Christina Powers, West Monroe
Powers says: “Private equity portfolio companies have always been an attractive target for attackers and will continue to be. Attackers know that, once a company gets acquired by a private equity firm, there are deep pockets behind that, so they often look for the news releases around acquisitions and then look to demand higher ransoms for business disruption or data breaches.”
There is also a growing risk to private equity firms of getting embroiled in situations involving third-party vendors, where the impact radiates to involve many players.
Patrik Bless, chief information security officer at Partners Group, says the key to managing cyber-risks is accountability.
“Without proper accountability in a firm, nothing will happen,” he says. “You need to think about risk management – what are the risks and what is your exposure? That risk management approach and tolerance then needs to be agreed by the board, so that there is a broad understanding of what you want to protect and what you want to protect against. Then it’s really about making plans, adopting a framework and implementing that.”
Sourcing first-class talent in this area is a huge challenge for every industry, and private equity is no exception. As a result, many opt for a partial expert outsourcing solution, says Bless: “Outsourcing to a specialist third-party provider makes a lot of sense, and does give access to that specialist talent.
“But the private equity firm needs to make sure that once it puts all the pieces of that puzzle together, it still has the oversight, control and prioritisation that it requires. Depending on the size of the firm, you need to build up a capability internally and have a sufficiently large group that educates itself and challenges itself, because the landscape is changing so quickly.”
Greg Michaels, a managing director in Kroll’s cyber-risk practice, says the SEC proposals will require a much more substantive approach from funds: “The level of comprehensiveness will have to change, moving from a gap analysis to more of a true risk assessment. That requires a deeper level of analysis and testing of security controls to make sure they are functioning the way they should be and really protecting the assets and confidential information of the firm.”
Man the watchtower
Private equity firms will also need to step up monitoring, says Michaels: “Being able to detect an incident takes a lot of technology, money and resources, and really requires having dedicated 24/7 team members.
“That’s difficult, especially for small and medium-sized firms, but it’s going to be important here, with the guidelines being explicit on wanting firms to have mechanisms to be able to detect incidents, determine how significant they are, and then report them within a short timeframe. That’s going to require a level of effort, both internally and working with third parties.”
The SEC is not the only regulator upping the ante on cybersecurity, with private equity firms globally having to address other legislation such as the EU’s General Data Protection Regulation and California’s Consumer Privacy Act, which increasingly mandate cybersecurity.
Bless says: “The SEC is focused on bringing more formalisation and more harmonisation to the industry in this area and, if done right, more resilience against threats. We are present in multiple countries and have exposure to many regulators, so we have seen a lot of these themes coming through already and we are no strangers to the policy objectives. If you have exposure to the European Union specifically, then a lot of this is not new.”
New or not, the SEC’s move to tighten cybersecurity governance will once again lift information security up a gear and raise the stakes for those failing to adequately monitor, question and evaluate risk across their portfolio businesses.