Last March, SEC Commissioner Luis A. Aguilar noted “mounting evidence that the constant threat of cyber-attack is real, lasting, and cannot be ignored.” During the past year, high-profile corporate breaches have reinforced that statement—and they represent just a fraction of affected businesses. “More managers have become more aware, through stories of people they know, as opposed to a newspaper story,” says Lindsey Simon, founder of Chicago-based Simon Compliance, a boutique securities compliance firm.
The threat is reflected in a report from the SEC’s Office of Compliance Inspections and Examinations, which assessed the cyber vulnerabilities of financial services firms. Most respondents indicated they had experienced cyber-related incidents (88 percent of broker-dealers and 74 percent of advisers). Cybersecurity has also become a priority for the Obama administration. In February, it announced the creation of the Cyber Threat Intelligence Integration Center to coordinate the efforts of federal agencies that monitor cyberthreats.
“It’s not a ‘sky-is-falling’ type of situation, but it’s certainly something that should be high-priority for firms,” says Simon. To that end, here are several tactics to help batten down the hatches.
Create mandatory, annual employee training (and beware phishing)
“When it comes to cybersecurity, staff typically ends up being the weakest point,” says Bob Guilbert, managing director at Eze Castle Integration Inc., which provides IT solutions for the investment industry. To prevent employees from becoming unwitting gateways for attacks, educate them about the signs of malicious activity and techniques used by hackers. At Guilbert’s company, employees receive training online, with quizzes to confirm comprehension. It’s mandatory and takes place every year—an approach Guilbert recommends for all companies.
Phishing attacks represent the biggest problem for middle-market private equity firms, says Simon. She knows firms that changed account wiring instructions based on email requests that appeared to come from a limited partner or an operating partner, and then discovered that the requests actually came from hackers. The fix is out-of-band verification: “Anytime anybody affiliated with your firm requests a change of bank wiring information, you need to follow up with a phone call,” she says.
Dave Dalva, vice president of security science for the digital risk management firm Stroz Friedberg, agrees that phishing poses the biggest threat for middle-market private equity firms. When employees click on phishing links, it can result in malware installations that steal the firm’s banking credentials. “I’ve seen phishing attacks lead to the illicit transfer of tens of thousands of dollars, minimum,” he says.
Hire someone to hack your firm
To boost phishing awareness, PE firms can try to trick employees into opening “bad” emails. Dalva’s company has provided this service for several private equity firms. In one phishing campaign for a middle-market PE firm, the domain closely resembled the firm’s, so recipients who weren’t paying attention would think it was an internal email. The email instructed recipients to click a link. “Within 20 seconds of sending it out, we got a hit,” says Dalva. “These campaigns are so important to educate people and show them what can happen. And there’s a little bit of an embarrassment factor, so it’s very good at raising awareness.”
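A check of the kind that would catch the lookalike domain Dalva describes, written as an added example for this article rather than code from Stroz Friedberg or any firm quoted: it takes a sender address and classifies its domain as internal, lookalike or external by folding common character substitutions (1 for l, rn for m), dropping non-ASCII homoglyphs such as a Cyrillic “а”, and comparing edit distance against the firm’s own domain. The firm domain example-capital.com and all sample addresses are constructed for the example.

```python
"""Flag sender domains that merely resemble the firm's own domain.

Added example for this article; not code from Stroz Friedberg or any firm quoted.
The firm domain (example-capital.com) and all sample addresses are constructed.
"""
import unicodedata

OUR_DOMAIN = "example-capital.com"   # hypothetical firm domain (assumption)

# Character substitutions commonly used to build lookalike domains.
# Multi-character keys are folded after the single characters.
CONFUSABLES = [
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
]


def normalize(domain: str) -> str:
    """Lowercase, drop non-ASCII homoglyphs (e.g. Cyrillic 'a'), fold confusables."""
    ascii_only = (unicodedata.normalize("NFKD", domain)
                  .encode("ascii", "ignore").decode().lower())
    for src, dst in CONFUSABLES:
        ascii_only = ascii_only.replace(src, dst)
    return ascii_only


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude eTLD+1: the last two labels. Real deployments should use the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(address: str, our_domain: str = OUR_DOMAIN,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    reg = registrable(domain)
    if reg == our_domain:
        return "internal"       # the real firm domain, or a subdomain of it
    if our_domain in domain:
        return "lookalike"      # e.g. example-capital.com.mail-secure.net
    our_label = normalize(our_domain).rsplit(".", 1)[0]
    cand_label = normalize(reg).rsplit(".", 1)[0]
    if cand_label == our_label:
        return "lookalike"      # confusable characters, homoglyphs, or a TLD swap
    if levenshtein(our_label, cand_label) <= max_distance:
        return "lookalike"      # typosquat: one or two edits away from our name
    return "external"


# Constructed sample senders (not from the article).
SAMPLE_SENDERS = [
    "partner@example-capital.com",
    "cfo@finance.example-capital.com",
    "partner@examp1e-capital.com",
    "partner@exarnple-capital.com",
    "partner@example-capitol.com",
    "partner@example-capital.co",
    "partner@example-capital.com.mail-secure.net",
    "partner@ex\u0430mple-capital.com",   # Cyrillic 'а' in place of Latin 'a'
    "lp@bigpension.org",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{classify_sender(sender):9s} {sender}")
```

Two caveats a practitioner would add before using anything like this in a mail gateway: the two-label split stands in for a proper public-suffix lookup, so it misreads domains under suffixes such as co.uk, and an edit-distance threshold of two produces false positives for firms with very short names. Flagging the message is also only the first step; for a wiring change, the phone call Simon recommends remains the control that actually stops the fraud.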
Remove administrative rights
Running employees as standard users rather than local administrators limits what malware can do if it does run: without administrative rights it cannot install itself into the operating system, load drivers, or disable security controls, and is confined to the user’s own profile. “There is definitely a strong trend to remove these rights, and most of the firms I speak with have either done this, or are planning to,” says Dalva. One of his clients noticed a dramatic decrease in bot infections (malware that enrolls a machine in a botnet) immediately after removing administrative rights from employee computers.
Keep patching up to date
Dalva rates firms’ diligence in applying software updates that fix bugs and security holes as “so-so” overall. That’s a problem, because patching is one of the most important processes firms can implement to reduce risk, he says. Don’t limit your focus to updating Microsoft Windows or other operating systems, says Dalva; it can be even more important to update all third-party software, such as browsers, browser plug-ins and document readers, which are the usual targets of the malicious links and attachments described above.
Create an incident response team
When a breach occurs, firms need to act quickly and not scramble to establish next steps or assign roles. That requires an incident response team to ensure the SEC’s cybersecurity recommendations are addressed, says Simon. The team must develop an incident response plan that describes what actions to take (and by whom, and when) in the event of a cyberattack. Be sure to include a senior-level partner on the team, she says, adding: “It lends credibility once you get buy-in from the top.”
Look for vendor vulnerabilities
PE firms should scrutinize their IT vendor selections with the same rigor they apply to investment decisions, says Guilbert. When vetting IT vendors, he recommends a list of questions Eze Castle compiled for investor due diligence. Meanwhile, Simon suggests having IT vendors review the SEC’s cybersecurity guidelines.
Dalva has observed heightened third-party risk management—and not just for IT. All vendors have the potential to create cybervulnerabilities, he says. The data breach at big box retailer Target is a noteworthy example: It affected more than 110 million consumers and reportedly began with a phishing campaign that hit Target’s HVAC vendor.
Ensure that vendors have appropriate governance and security programs to reduce risk, says Dalva. That includes confirming the employees working on your account are the only ones with access to it.
Encourage better cybersecurity within portfolio companies
Last year, Stroz Friedberg developed a methodology for the private equity firm KKR to assess cybersecurity risk for dozens of its portfolio companies. That included ranking each company’s overall risk as low, medium or high.
Dalva led that team and says he’s working on a similar project for another large private equity firm. He hasn’t seen middle-market private equity firms express the same concerns over security at portfolio companies—yet. “I think we’re still in the early adoption phase of portfolio risk management,” he says, noting a growing awareness of cybersecurity’s financial implications. He recalls an executive at a large PE firm who expressed relief about the timing of a portfolio company sale—three weeks later, a data breach became public and the stock price was cut in half. Says Dalva: “I don’t know if there’s a better example of how cyberrisk contributes to financial risk.”
Sandra Swanson is a freelance writer based in the Chicago area.