Alex Bransome, Chief Information Security Officer at Doherty Associates, discusses tougher compliance in the financial services landscape, and how private equity (PE) firms in particular can remain secure in a challenging climate.
Accenture reports that financial services firms globally are investing heavily in financial technologies, including big data technologies and predictive analytics, as well as the infrastructure needed to be GDPR compliant. The private equity industry is also focusing on technology and cybersecurity, with the recent acquisition of UK security firm Sophos by US PE firm Thoma Bravo as one example. Yet the PE industry itself is one of the biggest and most lucrative targets for cybercriminals.
Private equity funds are a naturally high-value target. Firms, many of which are small enterprises, collect and hold a wealth of sensitive client and market information, and move large sums of money on a regular basis. That combination leaves them exposed to a significant risk of data breach and payment fraud.
Neil Hampson, Partner and UK Cyber Security Leader at PwC, commented: “The threats are enormous. 80% of [private equity and portfolio] organisations have had a breach in the last 12 months and the time it took for the organisation to discover that they had been breached was 8 months.” “In Private Equity,” he continues, “it applies in three areas. First there is the private equity organisation itself; secondly it’s the deal they are doing; and then the third one is the management of the portfolio company thereafter.”
With high-net-worth clients and market-sensitive data as the key draw for attackers, it is often a case of when, not if, this data falls into the wrong hands. The consequences of such a breach can severely damage the portfolio, causing extensive business interruption and financial loss. The types of data that attackers are particularly attracted to include:
Sensitive information about investors – improper disclosure of, or communication about, investor information can have serious consequences, such as tailored fraud attempts (for example, capital-call or payment-instruction fraud) that use the disclosed details to appear authentic. The resulting financial losses and reputational damage can have a significant impact on both the individual involved and the future of the PE firm. Loss of personal data also has consequences from a data protection perspective, with regulators now imposing tougher penalties more frequently.
Investment strategies, trade secrets and other proprietary information – for all companies, and not least those in PE, these intangible assets represent the majority of their value. This data is attractive not only to cybercriminals but also to hostile nation-states and advanced threat groups seeking to use it for their own countries’ gain. When it comes to safeguarding this data in today’s highly mobile environments, we need technology that bakes protection into the data itself (encryption and access controls that travel with the document), rather than relying on traditional perimeter protection alone.
Information about vendors, portfolio companies and employees – this presents cybercriminals with multiple opportunities to come in through the back door via supply-chain-style attacks. Attacks launched from a compromised trusted third party are difficult to detect, because the trust relationship between the people involved is already established. This is where a holistic approach is so important, as no single control is going to prevent this threat on its own. Successful attacks of this kind frequently lead to credential compromise, malware and ransomware infection, corporate data loss and financial fraud.
Data from limited partners, counterparties and other sources – as Accenture notes, “Financial services firms are awash in data, both from traditional internal structured sources and, increasingly, from external “unstructured” sources ranging from social media to newly accessible government and third-party databases.” In essence, it is the volume and diversity of this data that makes it such a valuable resource to hackers and cybercriminals.
How can PE firms be cyber secure and compliant?
The right technology is a proven enabler of security, compliance and data protection. Data is central to a firm’s competitive advantage and portfolio growth, so it is imperative that it is managed correctly.
Using data effectively gives a business the winning edge, and firms need to implement better data management processes to harness its power and make better data-driven decisions. Well-managed data supports better investment decisions and reporting, while big data and cloud technologies such as advanced analytics can help meet investor and regulator demands for rich, seamless and transparent reporting.
Enforcing data protection compliance across the whole client portfolio is a key strategy for keeping the firm’s defences intact and its revenue stream uncompromised. Staff should be educated regularly on the latest regulatory requirements alongside the latest cybersecurity risks: your people hold the keys to the kingdom. It is therefore imperative to implement mandatory cybersecurity policies and processes, such as incident response readiness and security-focused risk management, to remain robust and resilient. Improved cybersecurity practice across the firm will protect your investors, safeguard your strategies and scale your reporting processes to meet regulatory and compliance requirements.
Developing a business continuity plan is also key to remaining resilient should the company be compromised. However well protected a firm is, there is always a residual risk of a successful attack. Having a practical business continuity and incident response plan that everyone is aware of, and that is kept up to date and exercised, will help minimise the damage caused and allow the firm to deal with the incident and its fallout quickly and resume efficient operation as soon as possible.
There is no silver bullet when it comes to security in private equity and financial services, but adhering to and implementing these key approaches will help build a strong and resilient security strategy into your PE business as it continues to develop its ecosystem of technology and digital transformation.