PRIVATE EQUITY – ARE YOUR NDAs INTACT AGAINST A CYBER SECURITY BREACH?

Owen Morris, Operations Director at Doherty Associates


Even prior to the pandemic, research revealed that over a quarter of private equity professionals felt their firms’ due diligence against cyber security threats was poor. Prior to Covid-19, some Private Equity firms wanting to maintain secrecy used their office buildings as physical firewalls, and some even used sound-proof meeting rooms to avoid sensitive data leaking out. Now fast forward to today’s virtual workplace, born out of the crisis, where a greater number of PE professionals are benefiting from the flexibility of working between home and the office.

Home working can result in greater productivity, but a rush to fully remote working and inadequate remote security systems can suddenly make a PE firm’s dispersed workforce an ideal target for cyber attackers seeking lucrative, highly confidential financial data.

It’s therefore no surprise that PE firms are frequently asked to sign nondisclosure agreements (NDAs) by prospective portfolio companies, protecting against any breach of confidential information, including breaches caused by cyberattacks. This demand by clients for tightly worded NDAs will only rise as remote access to information becomes ever more commonplace.

Not every company may want to sign an NDA, because of the associated constraint on operating within an industry sector and possibly with competitor companies. Implementing appropriate information security controls can either avoid the need for an NDA, by satisfying partners that appropriate levels of safety are in place, or, if one is in place, ensure that the obligation of confidentiality can be met.


Starting Out

Start by defining a location where any data under NDA is stored and where controls are enforced. This means that policies can be applied that allow the data to be controlled to meet the requirements of the agreement. When choosing a platform, it’s important to ensure that it offers features to label the data as protected and either prevent data leaving the protected location or protect it even if it is downloaded.


Securing in place

Once a location is created and data is stored within it, it’s important to understand where the data will be physically located and whether it’s properly protected. Encryption is one of the main risk mitigation tools that should be in place across the board. Where companies might previously have looked at this for mobile or laptop devices only, the pandemic has meant that devices are now dispersed much more widely or, conversely, might be in largely unattended locations. Theft is probably a bigger risk than ever. Encrypt all devices across the board, and ensure that a remote wipe facility is in place.

Where data can be shared with third parties, or could be stored on home machines in a ‘bring your own device’ scenario, encryption remains an option. Some next generation products offer encryption within documents, which can be used to ensure, for example, that documents can only be read by the person they are sent to and cannot then be forwarded. These features can also be used to ‘timebomb’ documents – for example, documents could be made inaccessible after an NDA expires.


Knowing the right people have access

A successful information control ensures that the right people have access to the data and that people who shouldn’t, don’t. Being sure of the identity of the people accessing the data is therefore paramount. Unfortunately, passwords alone are no longer sufficient as a way of identifying users; multi-factor authentication, which combines something you know (the password) with something you have (a phone) or something you are (a biometric such as a fingerprint), gives far stronger proof that the person is who they claim to be. Locking down sharing of documents to specific people or organisations is a key way of ensuring this.


Keeping your data close

The flip side of the coin to sharing with other parties is ensuring that data doesn’t leak out to other people who shouldn’t be able to access it. Some next generation platforms come with Data Leak Prevention features that can recognise documents marked as protected and prevent them being sent by email or shared through the platform to untrusted parties.


Getting rid of the data when you’re done

The best way of reducing data protection risk is not to have the data at all! This is where technology can help. Marking the data as being under the NDA allows organisations to trace where that data is (potentially even outside the organisation) and, using features such as retention policies, to remove it automatically when it no longer needs to be kept.
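The controls described in the sections above (a labelled protected location, sharing locked to specific organisations, leak prevention on outbound email, timebombed documents and retention once an NDA lapses) all hang off the same thing: a label on each document saying which NDA it belongs to, who the parties are and when it expires. The following added example is illustrative code written for this article, not the product of any vendor or platform mentioned; it models a minimal policy engine in which one label drives all three checks. All document names, domains and dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder for the firm's own email domain (not a real domain).
OWN_DOMAIN = "pe-firm.example"


@dataclass
class Document:
    """A document in the protected location, carrying its NDA label."""
    name: str
    nda_id: Optional[str] = None          # None means the document is not under any NDA
    nda_expires: Optional[date] = None    # date the NDA lapses; drives timebomb and retention
    allowed_orgs: Set[str] = field(default_factory=set)  # domains of the NDA counterparties


class NdaControls:
    """Hypothetical policy engine: the label on each document decides whether it
    may be shared, whether an outbound email is blocked, and when it is deleted."""

    def __init__(self, own_domain: str) -> None:
        self.own_domain = own_domain.lower()
        self.store: Dict[str, Document] = {}   # the 'protected location'
        self.audit: List[str] = []             # evidence trail for a later investigation

    def add(self, doc: Document) -> None:
        self.store[doc.name] = doc

    def share_check(self, doc_name: str, recipient: str, today: date) -> Tuple[bool, str]:
        """Sharing locked to the NDA parties and to internal users; expired NDAs deny."""
        doc = self.store.get(doc_name)
        if doc is None:
            return False, "unknown document"
        if doc.nda_id is None:
            return True, "not under NDA"
        if doc.nda_expires is not None and today > doc.nda_expires:
            return False, f"{doc.nda_id} expired; document is timebombed"
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain == self.own_domain:
            return True, "internal recipient"
        if domain in doc.allowed_orgs:
            return True, f"{domain} is a party to {doc.nda_id}"
        return False, f"{domain} is not a party to {doc.nda_id}"

    def outbound_email(self, sender: str, recipient: str,
                       attachments: List[str], today: date) -> List[str]:
        """Leak-prevention hook on outbound mail: returns attachments that must be blocked."""
        blocked: List[str] = []
        for name in attachments:
            allowed, reason = self.share_check(name, recipient, today)
            if not allowed:
                blocked.append(name)
                self.audit.append(f"BLOCK {sender} -> {recipient} [{name}]: {reason}")
        return blocked

    def retention_sweep(self, today: date) -> List[str]:
        """Retention policy: remove every document whose NDA has lapsed."""
        removed = [name for name, doc in self.store.items()
                   if doc.nda_id is not None and doc.nda_expires is not None
                   and today > doc.nda_expires]
        for name in removed:
            del self.store[name]
            self.audit.append(f"RETENTION removed [{name}]")
        return removed


def build_sample_store() -> NdaControls:
    """Constructed sample data: two NDA-labelled documents and one public document."""
    ctl = NdaControls(OWN_DOMAIN)
    ctl.add(Document("target-financials.xlsx", "NDA-0001", date(2024, 6, 30), {"targetco.example"}))
    ctl.add(Document("old-deal-memo.docx", "NDA-0002", date(2023, 12, 31), {"oldco.example"}))
    ctl.add(Document("press-release.pdf"))
    return ctl


if __name__ == "__main__":
    ctl = build_sample_store()
    today = date(2024, 3, 1)
    # Counterparty receives the deal file; the public PDF goes anywhere.
    print(ctl.outbound_email("analyst@pe-firm.example", "cfo@targetco.example",
                             ["target-financials.xlsx", "press-release.pdf"], today))
    # Personal webmail address is not a party: the NDA attachment is blocked.
    print(ctl.outbound_email("analyst@pe-firm.example", "me@webmail.example",
                             ["target-financials.xlsx", "press-release.pdf"], today))
    # Lapsed NDA: the memo is denied on sharing and then removed by retention.
    print(ctl.share_check("old-deal-memo.docx", "cfo@oldco.example", today))
    print(ctl.retention_sweep(today))
    print(*ctl.audit, sep="\n")
```

Two design points worth noting: the sharing check and the email check are the same function, so there is one place to get the rule right, and every denial and deletion is written to an audit list, which is exactly the record a breach investigation (next section) will ask for.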


What do we do in a breach?

The job of responding to a breach is made much easier by having a defined, rehearsed breach response process. Once this is in place, implementing the technological controls above puts companies in a good position to respond to a breach with confidence. Knowing where the data is stored makes forensic investigations much easier. Device management, wiping and encryption reduce the risk of data loss, and strong access controls plus data leak prevention reduce the likelihood of data being accessed and exfiltrated.
