Even though most private equity firms grasp cybersecurity risk at a high level, the individual employees I speak with don’t really see how cyber risk affects them personally, which in turn always impacts them professionally. Folks tend to make comments like, “We aren’t much of a target for cybercriminals—as long as we satisfy the SEC and other regulations, we’re set.” Unfortunately, with the “follow the money” approach we see hackers trending towards, industries like private equity are in for a rude awakening. Furthermore, when a firm assumes they did their cybersecurity due diligence by complying with the Securities & Exchange Commission, it’s a little like complying with the IRS by filing your taxes every year while using a malware-infected computer—it’s not a golden seal of cybersecurity.
Private equity firms need to go beyond reactive SEC compliance and focus on proactive protection of their firm assets. One of the greatest challenges a company faces is how to accurately identify, prioritize, and implement risk mitigation strategies for known security vulnerabilities that pose a threat to their investment management.
In this post, I define the primary risks targeting private equity firms. Staying informed of these risks is the first step towards a holistic risk management approach, i.e. keeping investments safe, firm reputation intact, and empowering financial growth potential.
Top 5 Risks, Defined
1. Phishing/Vishing (Voice Phishing)
Phishing—a form of social engineering where a bad actor attempts to gain information through methods of deception, such as phishing emails and voice phishing calls—is a significant attack vector for people-centric businesses like private equity firms, who rely on email, phone calls, and text messages to generate alpha and expand their portfolios. These communication methods are common vectors used in a cyberattack and can be difficult to protect when there isn’t a mobile device management program in place to secure, monitor, and manage smartphones, tablets, and laptops.
Here’s why hackers care about you:
- Stealing Wire Transfers
Cybercriminals target key individuals in a private equity firm, compromise their email account to monitor exchange communications, and steal wire transfers when they are about to happen.
- Harvesting Credentials
When an associate clicks on a malicious email link and enters their account credentials on a phishing website, they hand over the keys to the equity kingdom.
- Exploiting Firm Secrets
Bad actors can steal and hold ransom your sensitive deal documents and models.
To combat the bad guys, we recommend conducting phishing attack defense training quarterly, educating your employees on how to identify and report potential phishing emails. If you have a formal cybersecurity governance program in place, then biannual training will suffice. The big thing with your training, regardless of cadence, is to ensure it’s entertaining and interactive. If you bring in a speaker who’s a snoozefest, then the session becomes obsolete, as employees mentally check out due to boredom. It’s worth noting that leveraging gamification, i.e. dolling out rewards for those who successfully identify phishing emails, goes a long way as well. Finally, zero in on those employees who don’t actively identify and report potential phishing attacks for more training. This is something Agio does for clients all the time.
Malware can spread through phishing attacks, social engineering schemes, insider threats, or a breached internal network. These attacks mainly focus on disrupting private equity firm operations, such as locking you out of your computer, inhibiting exchanges to take place, or even something as serious as destruction (by way of deletion) of your firm’s valuable data.
The ever-popular ransomware, a specific type of malware, gains access to an associate’s machine and proceeds to encrypt the data, holding it for ransom. The bad actor will usually leave behind a ransom note with payment instructions for you to potentially obtain a decryption key, unlocking your data, but this isn’t a guarantee. We don’t recommend gambling the firm’s investments with cybercriminals; rather, follow appropriate incident response steps to identify, contain, eradicate, and recover data.
The prevention method for ransomware is reliable system backups; I know, it sounds boring, but boring can be the difference between disaster and a tiny inconvenience. If something does happen, we recommend contacting federal and local law enforcement to report the cybercrime, and check www.nomoreransom.org for a potential decryption solution for the ransomware infection.
Without backups, and no decryption tools available, paying a ransom might seem like the only option, although the FBI advises against this. Ultimately, it’s up to you, the private equity firm, and your retained cybersecurity consultant, to work together to make the decision. If you do end up paying the ransom, you’ll need access to Bitcoin, as the cryptocurrency is usually the only form of payment accepted.
3. Insider Threats
Private equity firms often overlook the threat of bad actors who are on the inside. We get it, you want to trust your employees, however, we tell our clients to live by the “trust, but verify” rule; it’s better safe than sorry.
Here are some signs you may have an insider threat lurking within your firm:
- Access control changes, such as access roles created with only a few users in them.
- Asset management gaps where devices were never registered and managed.
- Associates who depart for a competing firm, disgruntled or not.
- Large data transfers to external cloud sources found in outbound network traffic.
- Manipulation of application programs, which can be found using code scanning tools.
4. Human Error
People make mistakes; it’s human nature. Associates can send intellectual property to the wrong recipient, lose their laptops and smartphones while travelling, or accidentally divulge too much information on their social media accounts. Mistakes are easy to make, and bad actors love to take advantage. When your end users post job responsibilities or the portfolio management tools they use on their LinkedIn profiles, a cybercriminal can leverage the hundreds of phishing attack strategies at their fingertips to gain access to the firm’s proprietary network and data.
Here’s what you can do:
- Educate associates on the dangers of mixing business with personal accounts.
- Ensure associate social media accounts are private and instruct them to verify the identity of any person who requests to connect with them—it might just be a cybercriminal in disguise, looking for a way into your firm.
5. Lack of Visibility
Recently, the Open Web Application Security Project (OWASP) published the newest edition of the top 10 security risks to web applications. Guess what’s new on the list? Insufficient logging and monitoring of systems is now considered a critical vulnerability. If you don’t have adequate logs for your networks, applications, systems, and physical security devices—as well as a way to properly combine, collect, monitor, and review them—then the cybersecurity of your private equity firm is at risk. Not performing system log management is equivalent to owning a vehicle, but never checking the dashboard maintenance lights to see how the car is operating. Eventually, you will run into a problem.
Here are three methods to gain more visibility into your firm’s systems and how your valued proprietary information is flowing:
Obtain and manage a SIEM solution to gather and interpret your logs.
- Preventative vs. Reactive Support
Ensure you have a dedicated security team to manage the SIEM and create preventative and reactive controls for all types of cyber risk situations.
- Rapid Incident Response
Build and test procedures for each scenario in your Incident Response Plan so once an incident happens, your security team reacts quickly. Time is literally money in these situations.
Get Agio’s Help
I wish I could tell you these are the only cybersecurity risks your private equity firm will face, but that’s far from the truth. Agio works with private equity firms every day to strengthen their defenses against a cyberattack. Contact us to discuss how we can work together.