Getting your cyber house in order
The issue of cybersecurity, and the rising, fast-evolving threat of cyber attacks, is high on the agenda for many private equity and real estate managers. The threat is relatively new, often poorly understood, and the consequences – financial, regulatory, and reputational – can be severe.
Cybersecurity is the practice of applying security measures to preserve the confidentiality, integrity and availability of data. It aims to protect assets, which include data, desktops, servers, buildings and, most importantly, people. Its goal is to protect data both in transit and at rest.
Large breaches are now a staple of the news agenda. The list of recent victims includes some of the biggest names in finance: Lloyds, Barclays and JP Morgan have all fallen prey to attacks over the past eighteen months, while a cyber attack has been alleged as the cause of a flash crash at the NYSE. Even central banks, the linchpins of the global economy, are vulnerable. Earlier this year a criminal gang stole $81 million from Bangladesh's central bank by issuing fraudulent payment instructions, having reportedly gained their initial foothold through what amounted to a simple phishing operation. Had the transfers not been spotted while they were still in progress, the losses could have approached $1 billion.
But although it is the banks and similarly large institutions that tend to make the news, cyber attacks are arguably an even bigger threat to the smaller firms that characterise the PERE sector. These firms tend to lack the technical resources that larger organisations have at their disposal, and in the US last year more than 60 per cent of all cyber attacks were targeted at small businesses. While the JP Morgans of the world will likely continue to attract business despite an attack, smaller fund managers competing for capital in a crowded marketplace have no such luxury. In a survey of global institutional investors with more than $3 trillion AUM, conducted by KPMG last year, 79 per cent said they would be discouraged from investing in a business that had been breached. Private equity managers must also look beyond the asset management side of their own businesses and consider the security of their portfolio companies.
Given these events, the issue is understandably high on the global regulatory agenda. In the US, the SEC has been conducting a series of inspections and examinations focused on technology and cybersecurity; in October last year it announced the latest round of examinations via a Risk Alert and set out its cybersecurity priorities for 2016. The pattern is reflected in Asia, where Hong Kong's SFC last year issued a circular on cybersecurity risk stating that all licensed businesses must carry out regular self-assessments of the risks and controls relating to the threat; the monetary authorities of both Hong Kong and Singapore have since re-emphasised the importance of risk management in this area. In the UK, the FCA has not issued specific new guidance on cybersecurity, but its existing policy on data security still applies in full, and the Risk Outlook in its 2016/17 Business Plan makes clear that cybersecurity is high on its agenda too.
No set of controls can guarantee that you will withstand a cyber attack. However, regulators have laid out a range of counter-measures that can be put in place to increase the security of data and mitigate the risk. These include, but are not limited to: access control, awareness training, audit and accountability, risk assessment, penetration testing, vulnerability management, and security assessment and authorisation.
The specific details of what is required vary across jurisdictions, and of course each manager is different and operates their business in slightly different ways. Nonetheless there are some basic hygiene points and things to consider that apply universally. Key questions to ask yourself include:
1. Which cyber threats and vulnerabilities pose the greatest risk to the business and its reputation?
2. What are the key assets that need to be protected?
3. Do we have the right people (either in-house or through a third party) to manage this – both in terms of quality and quantity?
4. Do we have good cyber threat management practices, covering protective, detective and response capabilities? Are they fully integrated with our business strategy and processes?
5. Do we have the right gauges to measure the success of our cyber threat management programme?
Businesses need to make cybersecurity part of day-to-day life, with documented policies and procedures: it cannot be treated as a one-off exercise and must be built into the wider culture of compliance. Managers and fund boards should make it a regular board agenda item. And because of the nature of private equity, the same considerations must also be applied to the companies held in the fund's portfolio.
Cybercrime is here to stay and will only become more complex and challenging. In our annual survey of fund managers across the globe, 51 per cent indicated that they would be increasing their technology spend in 2016, while nearly a third intend to increase the scope of their outsourcing. Both bring further cybersecurity considerations. For a more detailed understanding of specific ways to combat the threat, managers would do well to seek third-party advice. In the meantime, these considerations provide a good overview and a starting point on the road to getting your cyber house in order.
By Ian Kelly, CEO of Augentius