By Michael Seek, Director
Internal Audit and Financial Advisory
Cybersecurity vendor FireEye, in March, reported an increase in fake emails targeting lawyers and compliance officers with malware disguised as a Microsoft Word document from the Securities and Exchange Commission. That, on the heels of a reported uptick in fake drawdown requests targeting private equity clients, prompted us to put together a list of ways private equity firms and portfolio managers can protect their clients from these increasingly sophisticated attacks. This list has applicability to other companies as well.
- Distributions – Protect investors (both internal and external) with controls requiring positive verification of the Investor’s identity prior to making any change to banking/wire instructions. The request should come directly from the Investor or from a contact that the Investor has provided written authorization to act on the Investor’s behalf. An independent email should be sent to the authorized email contact of record notifying them that a change was made and advising them to contact the firm if they did not request the change. This process should mirror those utilized by banks.
- Capital Calls/Drawdowns – Capital calls should be presented to Investors via a secure system or mechanism other than email. Note that hackers have been known to establish authentic-looking fake websites designed to capture LP account information. Protiviti recommends strong multifactor authentication routines (again, similar to banks) to thwart such efforts.
- System Security – Continuous monitoring for breach detection and a vigorously tested and rehearsed response/recovery plan have become the table stakes for operating any financial services business. If you have a proprietary system for investor distributions, that system should be secured on par with your ERP system.
- Deal Sourcing Data – At Protiviti, we emphasize the importance of knowing your “crown jeweIs” — that is, critical data that must be protected, such as investor account data. However, the protection of pipeline data, and information on target companies (e.g., potential deals), is at times overlooked. Data security must be established over systems, sites and network drives where confidential deal data is stored, including security over data rooms associated with due diligence activities. Additionally, employee communications should be monitored to ensure that no confidential information is being “leaked” via company networks.
- Board Members – Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats. This point was mentioned in our recent Board Perspectives newsletter (Issue 90).That need also extends to the security of board emails and electronic communication of sensitive board materials. Of particular concern is the widespread use of “free” email services. Given the confidentiality of the information contained in many board emails, many organizations provide directors with in-house email addresses.
In a world rife with cyber crime, the incentives to commit it grow ever stronger as just about everything of value – whether an action or an asset – has a digital component. Vigilance continues to be the name of the cyber risk game – for private equity firms and portfolio managers in managing their clients, and for other sectors as well.