Too many private equity firms are vastly underestimating their vulnerability to cyberattacks. While most managers are still putting basic cybersecurity measures in place, criminals are targeting them with attacks that are more brazen and more financially sophisticated than those the industry has prepared for.
The PE response to cybercrime has been relatively slow – thanks in part to some cognitive dissonance.
As attacks have moved from major institutions like JP Morgan to central banks and regulatory bodies, PE executives have realised that cybercrime will inevitably touch every corner of the industry. Yet a size bias has persisted among many of the same executives, who believe – in spite of the evidence – that they are too small to be on any hacker’s radar.
Of course, this is not the case. The number of reported attacks on private equity firms is creeping upwards.
In response, PE firms are playing catch-up on their cybersecurity frameworks. Assuming that hackers will reuse the techniques that breached larger financial institutions, managers are focusing on areas like phishing and ransomware.
However, cybercriminals targeting the PE industry are using a different playbook. Rather than relying on generic methods of attack, they are studying the inner workings of the PE world so that their activity is better disguised and more likely to succeed.
Drawdowns are one such example. Cybercriminals break into a manager’s internal systems and extract investor lists along with drawdown notices. They then forge notices in the manager’s name, amending the bank details so that the funds are directed to an account they control, and issue the forged notices to the investors. Unless an investor independently verifies the payment details against those the manager previously confirmed, the investor unwittingly wires the money to the attacker.
This drawdown tactic may sound far-fetched, but it has reportedly succeeded at a number of different firms.
There is also the risk of hackers tapping into sensitive information on deal flows. If cybercriminals are financially-savvy enough to take advantage of drawdowns, they are just as capable of monetising deal information. Indeed, there have been instances of hackers using stolen company data for insider trading.
The vulnerability of PE managers is further compounded by the risk of their portfolio companies coming under attack. Mid-market companies are among the least protected businesses despite the volume of business they transact. Any attack on a portfolio company will bring the owner’s stewardship – and reputation – into question.
And it’s the reputational risks that PE firms must be concerned with. A global bank is large, diversified and entrenched enough to continue attracting business in the wake of a cyberattack. Most PE managers don’t enjoy the same luxury, playing in a densely populated space with a smaller pool of available capital. Investors are much less likely to allocate to a firm that has been hit.
Thus, it is imperative that PE firms anticipate threats of varying complexity and entry points. But are firms anywhere near adequately prepared? Not really, according to a recent review by the SEC’s Office of Compliance Inspections and Examinations.
The review, published in the wake of the global WannaCry attacks that paralysed the NHS in May 2017, found that 57% of the investment firms examined did not run penetration tests or vulnerability scans on the systems they considered critical. Shockingly, 26% of managers did not regularly conduct risk assessments for cybersecurity threats and vulnerabilities.
It goes without saying that PE firms need to strengthen the foundation of their cybersecurity defenses. Alongside that, they need to take a hard look at the processes that are specific to their unique structure, such as drawdowns.
Managers need to review and codify their drawdown processes, ensuring that there is a clear protocol for how any change in payment details is communicated to investors well in advance of any drawdown notice. The value of advance notice is that a notice carrying bank details that were not announced through that protocol can be treated as suspect and held for confirmation rather than paid.
To help reduce their own liability, managers should consider using a secure platform. By communicating on issues such as drawdowns via such a portal, rather than by email, managers can substantially reduce the risk of LPs acting on forged instructions.
Finally, PE firms would benefit from having action plans in the event that an investor inadvertently pays money into a hacker’s account. If not in place already, this will likely need to be addressed in future LP agreements.
If PE firms think they can fly under the radar of cybercriminals, they are grossly underestimating their appeal. The more that hackers realise that smaller financial institutions are lucrative and vulnerable, the more PE firms will be exposed to increasingly daring and substantial attacks.
Ian Kelly is CEO, Augentius