Why PE Needs DLP
As we talk with our private equity (PE) clients, we’re finding that data loss prevention (DLP) is a top concern. Unauthorized loss of data can be disastrous to a firm’s finances and reputation. While most firms have some means of implementing DLP, the number of ways data can leave their systems and the cloud presents challenges. Similarly, while many firms secure some DLP channels and data types to meet basic SEC compliance, PE firms need a comprehensive plan to prevent all critical data from being lost to external attackers, malicious insiders, or accidental disclosure.
An iterative risk-based approach has proven to be the best process both to meet compliance requirements and to protect critical but unregulated data. This is part one of a two-part white paper series on some of the gaps PE firms face regarding DLP and how to address them. In this first part, I will review the fundamental question of why PE needs DLP.
Data loss prevention is the ability to detect and prevent unauthorized access, exfiltration, and destruction of sensitive data. To be compliant with SEC cybersecurity guidelines and privacy requirements, PE firms must have DLP. Firms that are registered investment advisors fall under the SEC Office of Compliance Inspections and Examinations (OCIE) guidelines and Regulation S-P requirements for cybersecurity and privacy.
Going back to its Cybersecurity Risk Alert of April 15, 2014, the SEC OCIE asked registered investment advisors (RIAs) to explain how DLP software is used in their firms. The following year, OCIE again focused on DLP, noting
“Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.”
Later that year, OCIE requested to review firm policies related to DLP and details on
- Data maps, with an emphasis on how they track personally identifiable information (PII) and who in the firm has ownership of the data;
- Tools used to prevent, detect, and monitor for the loss of PII data as well as access to customer accounts;
- Data classification policies, including data classification types, risk levels of each class, and how each classification assignment is determined with regard to risk; and
- Policies, procedures, and evidence related to the monitoring of data exfiltration and unauthorized disclosure of non-public information outside of the firm, including through channels such as email, printed copies, removable and physical media, and file transfer over the internet.
In its August 7, 2017 Risk Alert, OCIE referenced examination of seventy-five firms and noted all firms had some form of systems or tool to monitor for PII data loss. In OCIE’s 2019 and 2020 Exam Priorities, it again specifically emphasized a need to focus on data loss prevention. And in its Risk Alert of May 23, 2019, OCIE noted that in its most recent observations it found “insufficient data classification policies and procedures”—which are the cornerstone of a successful, strong DLP.
Effective DLP processes are a core part of SEC compliance. The January 2020 Cybersecurity and Resiliency Observations has gone the furthest in detailing sufficient DLP practices that it has observed during its inspections. The SEC here takes a much broader view of DLP including—in addition to data governance—vulnerability and patch management, perimeter security, detective security, hardware and software inventories, encryption, and network segmentation. This more comprehensive view allows firms to see that other existing controls are part of their overall strategy to prevent data loss.
Data Governance, Data Classification, and Information Security Policy
The SEC focuses on the security of personally identifiable information of investor data and the privacy of non-public personal information (NPI). Other types of data, such as position data, investor statements, deal room data, business plans, trade secrets, algorithms, portfolio company data, anonymized customer datasets, or intellectual property, may not fall under SEC review but are equally crucial for the firm to secure.
When determining data governance—the prioritized management of the security and usability of the firm’s data—the first step is to review all applicable laws for each set of data. Regulation S-P is the main focus for PE. After these regulations comes the review of compliance requirements or guidelines, such as payment card industry data security standard (PCI DSS) for the protection of cardholder data or SEC OCIE exam priorities. Next comes all other data essential to the firm such that its loss or disclosure would pose some harm to the firm.
From this data governance evaluation, the firm should group its data into data classes. Data classes should be as simple as possible. The simplest is a two-class system of public data and private data, but the most widely used is a three-tiered approach of public, sensitive, and protected data. Protected data falls under some protective regulation or external framework that stipulates how the data must be handled and how any breaches must be reported.
These data classifications should lead to information security policies that specify how each class of data must be protected. Is encryption required at rest and in motion? How is access to that data class approved and audited? What are the notification requirements if that class of data is breached? These policies establish a solid basis for protecting sensitive data and for responding if unauthorized access occurs.
Data Loss Risk Management
PE firms have different areas of risk to manage related to data loss:
- Gaps in compliance with Regulation S-P, SEC OCIE guidelines, international General Data Protection Regulation (GDPR), and state privacy regulations.
- Reputational damage and loss of investor confidence if personal data is breached.
- Positional data compromised by an outsider or a disgruntled insider.
Determining the level of risk based on the impact to the firm can guide where and how much to invest in DLP tools.
Data loss prevention tools can focus on specific data channels. Email DLP is the most common and the easiest to implement out of the box. Other tools focus on endpoint or workstation protection, making sure that rules are still enforced when a laptop is off the firm’s network. These tools can also protect web traffic by alerting on or blocking data uploaded to or downloaded from other sites or Software as a Service (SaaS) applications. Specific storage DLP tools can protect network storage and apply additional rules to lock it down.
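As an added illustration, not taken from this paper or from any DLP vendor's product, the following Python sketch shows how the three-tier classification and per-class policies described above combine with the channel-specific enforcement just discussed: content is inspected for identifiers that imply a data class, and the channel and destination then decide whether the transfer is allowed, alerted on, or blocked. The identifier patterns, channel policy table, firm domain and sample transfers are all constructed for the example; the SSN validity check only rejects structurally impossible numbers to reduce false positives.

```python
import re
from dataclasses import dataclass
from enum import IntEnum


class DataClass(IntEnum):
    """Three-tier classification: higher value means more restricted."""
    PUBLIC = 1
    SENSITIVE = 2
    PROTECTED = 3   # regulated data (e.g. investor PII under Regulation S-P)


class Action(IntEnum):
    ALLOW = 0
    ALERT = 1
    BLOCK = 2


def _valid_ssn(s: str) -> bool:
    """Reject structurally impossible SSNs (area 000/666/9xx, zero group or serial)."""
    area, group, serial = s.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


# Content detectors: (name, pattern, implied class, optional validator).
# Patterns are hypothetical and constructed for this example.
DETECTORS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), DataClass.PROTECTED, _valid_ssn),
    ("investor_account", re.compile(r"\bINV-\d{8}\b"), DataClass.PROTECTED, None),
    ("deal_room_marker", re.compile(r"\bDEAL ROOM CONFIDENTIAL\b"), DataClass.SENSITIVE, None),
    ("position_report", re.compile(r"\bposition report\b", re.IGNORECASE), DataClass.SENSITIVE, None),
]


def classify(text: str):
    """Return the highest data class implied by the content and the detectors that fired."""
    highest = DataClass.PUBLIC
    hits = []
    for name, pattern, cls, validator in DETECTORS:
        for m in pattern.finditer(text):
            if validator is None or validator(m.group(0)):
                hits.append(name)
                highest = max(highest, cls)
                break   # record each detector once
    return highest, hits


# Channel policy: action per data class when data leaves via a channel.
# The boolean is "destination is external to the firm". Constructed example policy.
POLICY = {
    ("email", True):  {DataClass.PUBLIC: Action.ALLOW, DataClass.SENSITIVE: Action.ALERT, DataClass.PROTECTED: Action.BLOCK},
    ("email", False): {DataClass.PUBLIC: Action.ALLOW, DataClass.SENSITIVE: Action.ALLOW, DataClass.PROTECTED: Action.ALERT},
    ("web_upload", True): {DataClass.PUBLIC: Action.ALLOW, DataClass.SENSITIVE: Action.BLOCK, DataClass.PROTECTED: Action.BLOCK},
    ("removable_media", True): {DataClass.PUBLIC: Action.ALLOW, DataClass.SENSITIVE: Action.BLOCK, DataClass.PROTECTED: Action.BLOCK},
}

FIRM_DOMAIN = "example-pe.test"   # hypothetical firm domain


@dataclass
class Transfer:
    channel: str        # "email", "web_upload" or "removable_media"
    destination: str    # recipient address, SaaS host, or device id
    content: str


@dataclass
class Decision:
    action: Action
    data_class: DataClass
    hits: list


def evaluate(t: Transfer, firm_domain: str = FIRM_DOMAIN) -> Decision:
    """Classify the content, then apply the policy for this channel and destination."""
    if t.channel == "email":
        external = not t.destination.lower().endswith("@" + firm_domain)
    else:
        external = True   # uploads and removable media always leave firm control
    cls, hits = classify(t.content)
    rules = POLICY.get((t.channel, external))
    if rules is None:
        return Decision(Action.BLOCK, cls, hits)   # unknown channel: fail closed
    return Decision(rules[cls], cls, hits)


# Constructed sample transfers exercising each branch.
SAMPLES = [
    Transfer("email", "investor@gmail-example.test", "Hi, your SSN 123-45-6789 is on file."),
    Transfer("email", "ops@example-pe.test", "Reconcile INV-00012345 before close."),
    Transfer("web_upload", "share.saas-example.test", "Q3 Position Report for Fund II attached."),
    Transfer("email", "press@news-example.test", "Our public newsletter for the quarter."),
    Transfer("email", "friend@mail-example.test", "Test id 000-12-3456 is a placeholder, not an SSN."),
]


def run_samples():
    return [evaluate(t) for t in SAMPLES]


if __name__ == "__main__":
    for t, d in zip(SAMPLES, run_samples()):
        print(f"{t.channel:16} {t.destination:28} {d.data_class.name:10} {d.action.name:6} {d.hits}")
```

The point of the sketch is the separation of concerns: detectors map content to a class, the policy table maps class and channel to an action, and an unrecognized channel fails closed. A real deployment would replace the regexes with the product's own fingerprinting and document-matching features, but the classification-first structure is what makes an email rule, an endpoint rule and a web-upload rule enforce the same policy.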
A basic set of DLP tools that focus on preventing investor PII from leaving the firm’s control may check the box for SEC OCIE compliance but could still leave the firm exposed to actions by disgruntled insiders, sophisticated outsiders stealing other valuable data, or simple accidents sending the data to the wrong parties. In part two, I will explore the use of DLP as security beyond compliance and look at some of the tools available.