“We can’t do that,” was the response from IT. The request came last year from counsel after the private equity firm decided not to move forward with a new acquisition, which meant it needed to remove all related deal data from its systems. Mergers and acquisitions deal data was all over the place—in emails on the firm’s mail server, on the network file share, in online file-sharing sites, and in backups. And these were just the locations the firm knew about. They had not been tracking who downloaded or forwarded files about the deal, and sorting that out after the fact would have been completely impractical for the firm’s small IT team. How would you respond to a request like this?
Fast forward 12 months, and this particular PE firm made a deliberate decision to secure its deal data by implementing specific technical and administrative controls. A lot had changed: the firm went from below average to one of the most secure PE firms of its size, adopting a defense-in-depth approach to protecting its own and its investors’ information.
Here are some of the ways they do it.
Updated Written Information Security Policy & Data Map
A WISP is the cornerstone of a firm’s security and governance posture. The WISP communicates a firm’s security requirements and risk tolerance both by what it includes and by what it leaves out. When this PE firm decided to secure its deal data, it updated its WISP to state not only how deal data should be stored and transmitted, but also how it should not. It made clear prohibitions on using email to transmit this information and network shares to store it. The firm also reviewed its data map, which documented all the systems that stored or processed data; noted how that data was classified and who had access to it; and made sure it accurately reflected the on-premises, cloud, and third-party systems that stored all data used by the firm. To make sure these stayed up to date, the firm added policies requiring an annual review of the WISP and a biannual review of the data map, including a process to track that these reviews were completed. It’s worth noting that a lot of our PE clients sign up for our SEC Cybersecurity Governance Program so we can help them through this process – things like reviewing their policies, or developing them if they don’t already have policies in place, as well as creating their data map. We take our clients step-by-step so fortifying their deal data in this manner doesn’t become overwhelming.
Data Loss Prevention (DLP)
The most secure firms integrate DLP at multiple levels. Email systems are configured to scan messages and attachments for keywords or patterns, cloud DLP and next-generation firewalls inspect network traffic, and endpoint protection can track activity on laptops outside the corporate network. All of these systems can alert administrators to, or outright block, any messages or traffic that are not allowed. Multi-level DLP is not a simple implementation, but taking incremental steps and carefully tuning each system’s configuration provides greater security without disrupting the firm’s business.
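To make the email-level scanning concrete, here is an added illustration (not code from the original post or from any DLP product) of the kind of rule a firm would express: deal codenames and deal-room document ids are the indicators, an internal-only mention produces an alert for administrators, and any unapproved external recipient produces a block. The firm domain, the approved counsel domain, the codenames, and the document-id format are all constructed for the example; real systems would draw the codenames from the data map.

```python
import re
from dataclasses import dataclass, field

# All names, domains and deal codenames below are constructed for this example.
FIRM_DOMAIN = "example-pe.com"                         # the firm's own mail domain
APPROVED_EXTERNAL = {"deal-counsel.example"}           # tuned exception: outside counsel
DEAL_CODENAMES = {"project falcon", "project osprey"}  # deal tags taken from the data map
# Document ids as issued by the deal room, e.g. DD-2024-0173 (constructed format)
DOC_ID_RE = re.compile(r"\bDD-\d{4}-\d{4}\b", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # attachment file names


@dataclass
class Verdict:
    action: str    # "allow", "alert" or "block"
    reasons: list  # which indicators fired, for the audit log


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def find_indicators(msg):
    """Return every deal-data indicator found in subject, body or attachment names."""
    text = " ".join([msg.subject, msg.body, *msg.attachments]).lower()
    hits = [name for name in sorted(DEAL_CODENAMES) if name in text]
    hits += DOC_ID_RE.findall(text)
    return hits


def evaluate(msg):
    """Policy: deal data never leaves the firm by email; internal use is logged and alerted on."""
    hits = find_indicators(msg)
    if not hits:
        return Verdict("allow", [])
    external = {_domain(r) for r in msg.recipients} - {FIRM_DOMAIN}
    if external - APPROVED_EXTERNAL:  # at least one unapproved outside recipient
        return Verdict("block", hits)
    return Verdict("alert", hits)     # internal or approved counsel: deliver, but notify admins


if __name__ == "__main__":
    sample = Email("analyst@example-pe.com", ["friend@webmail.example"],
                   "FW: model", "latest numbers in DD-2024-0173", ["falcon_model.xlsx"])
    print(evaluate(sample))
```

The same indicator list can feed the network and endpoint layers the paragraph mentions; the tuning step is deciding which recipients and channels belong in the approved set rather than the block set.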
Virtual Data Room (VDR)
The number one tool PE firms use to manage the cybersecurity of their due diligence deal data and content governance is a virtual data room. Not only can it be used for document storage, but the most secure firms use VDRs for all deal communications. Much as your doctor communicates important health information without putting the details in an email, all questions and notes reside within the VDR rather than in email threads. Participants tag each other, generating an email notice to log into the VDR to review the updates. In the cyber-healthiest PE firms, executive leadership gets on board and understands that the extra time it takes to log into the VDR is minuscule compared to the risk and cost of poorly managed deal data. VDR solutions, such as SS&C Intralinks, iDeals, and Box, have different features, with the most secure solutions including:
- Strong encryption of data at rest and for uploads/downloads
- Multi-factor authentication
- Audit logs, alerts, and reports of all user activity
- Secure data destruction
When it comes to the crown jewels of a PE firm, deal data is it. So the question is – what are you doing about yours?