“An attack on a portfolio company could lead to a devaluation of the asset or a potential derailment of a deal”

The most serious cyber risks in 2023 are the same ones that have plagued the industry for years. It's the 'quality' of attacks that has changed, with the explosion of bot-aided phishing, and AI-enhanced communications. Paul Loefstedt, Principal Solutions Consultant at SS&C Intralinks, who is set to moderate the forthcoming Zero One Hundred Conferences webinar "How to Secure Data and Protect Investors" on Wednesday, October 11th, at 4:30 PM CEST, sheds light on this shift.

What new risks and cybersecurity challenges are currently impacting private equity (PE) funds?

Cyber risks can be more prominent for PE firms given the number of portfolio companies they own with varying degrees of policies, safeguards and corporate cultures. Companies infected with ransomware can completely shut down operations. An attack on a portfolio company could lead to a devaluation of the asset or a potential derailment of a deal.

Spyware can lurk on corporate servers, evading detection and consequently resulting in the loss of intellectual property, data breaches that compromise investors, and the theft of critical intelligence which compromises the competitive posture of the firm. None of these threats are new; their magnitude is greater than ever, and the industry is far from uniformly addressing these threats with the urgency they deserve.

How can Private Equity firms proactively prevent and mitigate these threats?

The first step is appreciating the risks. Well-publicized data breaches tend to get our attention, but firms are too often lulled into a false sense of confidence regarding their vulnerability. Eventual cyber compromise should be viewed as likely if not inevitable. Both preventative and recovery plans are required. How firms respond to cyber compromise is every bit as important as how they prepare for prevention.

From a preparation POV, the fundamentals need to be continually reinforced, whether they are smart password policies, cautious and watchful user behaviors, or adoption/enforcement/review of good practices and the technology to enable them. Even large financial organizations that adopt security best practices - Single Sign-On, for example, and multi-factor authentication - often have numerous exceptions to policy to avoid operational 'disruption.' 

How can PE firms reinforce investor risk management?

PE firms often get pushback from individual investors on such basics as the need to log in to a portal to see a report. Navigating those waters from an IR perspective is tricky; PE firms could help investor-facing teams by arming them with better talk tracks, well-articulated policy requirements, and superior software solutions to win over influential investors. Investor risk management has been a central topic of discussion at many industry conferences. Speakers from the FBI, SEC, cyber defense firms, and corporate leaders have recounted the self-inflicted wounds resulting from not adhering to the most basic good practices.

Notwithstanding the low-tech essentials suggested above, the reality is that cyber risk mitigation is a specialty demanding the aid of experts. Network security, server scans, and IT-controlled updates that ensure all connected corporate devices are adequately governed are all table stakes in the battle against malicious actors.

What should PE firms consider when building proper cyber risk protocols?

Disaster recovery and mitigation strategies play a crucial role in determining the speed and cost at which compromises are resolved, directly influencing the event's impact on reputation. Technology investments to identify and assess network and system exposure are only part of what needs to be a comprehensive plan, with operational, training, and device configuration considerations. PE firms need to hire and engage experts who specialize in this most dynamic and complex area.

Of course, the portfolio of companies/assets that comprise PE holdings represents a particularly high level of exposure to cyber threats. Cyber diligence requires specialized knowledge of systems and policies, the recognition of risk factors, and a dogged insistence on evidence.

How much capital is compromised every year due to data security problems?

Any estimate would be difficult to state with confidence. However, we do have details on publicly known incidents (Equifax, Capital One with $124M and $575M in settlements or fines) of the cost of cyber compromise, and statistics assembled by experts on trends. IBM's 2023 report Cost of a Data Breach cited an average cost of $4.45M, while many sources suggest that over 90% of company networks are 'breachable' - in the sense that their network 'perimeter' can be penetrated and access to local network resources gained. With PE firms in particular, capital compromise can take the form of diminished fund performance due to cyber compromise of a portfolio company, or the perception of risk that may bias market perception of the value of that company. Additionally, the reputational risk associated with a data security breach can affect a PE firm considerably.

Besides cybersecurity, what other challenges do Private Equity firms have regarding data availability and management?

PE firms often have an ecosystem of poorly integrated systems that span CRM, accounting, and reporting - to name a few. The challenges of ensuring data consistency are often addressed through manual 'review and update,' which often falls to overtaxed investor relations teams to accomplish.  There is widespread investment in the integration of complex software topologies, with mixed results.  Some software is more amenable to integration than others due to poor, non-public, or non-existent APIs, for example. Working with technology providers that allow for easy integration into internal systems is a must for PE firms.

Paul Loefstedt, Principal Solutions Consultant at SS&C Intralinks, will be moderating the Zero One Hundred Conferences webinar "How to Secure Data and Protect Investors" with top industry speakers Paul Harragan, Portfolio's Global Cybersecurity Lead at KKR; Nigel Diesveld, CFO and Chief Risk Officer at HPE Growth; Julia Dudenko, CISO at Haniel; and Thomas Baasnes, Cybersecurity Director at Verdane.

The online event will be held on Wednesday, October 11th, at 4:30 PM CEST.
