Cyber Safety Tips for Private Equity Managers

By Michael Seek, Director
Internal Audit and Financial Advisory




Cybersecurity vendor FireEye, in March, reported an increase in fake emails targeting lawyers and compliance officers with malware disguised as a Microsoft Word document from the Securities and Exchange Commission. That, on the heels of a reported uptick in fake drawdown requests targeting private equity clients, prompted us to put together a list of ways private equity firms and portfolio managers can protect their clients from these increasingly sophisticated attacks. This list has applicability to other companies as well.

  1. Distributions – Protect investors (both internal and external) with controls requiring positive verification of the Investor’s identity prior to making any change to banking/wire instructions. The request should come directly from the Investor or from a contact that the Investor has provided written authorization to act on the Investor’s behalf. An independent email should be sent to the authorized email contact of record notifying them that a change was made and advising them to contact the firm if they did not request the change. This process should mirror those utilized by banks.
  2. Capital Calls/Drawdowns – Capital calls should be presented to Investors via a secure system or mechanism other than email. Note that hackers have been known to establish authentic-looking fake websites designed to capture LP account information. Protiviti recommends strong multifactor authentication routines (again, similar to banks) to thwart such efforts.
  3. System Security – Continuous monitoring for breach detection and a vigorously tested and rehearsed response/recovery plan have become the table stakes for operating any financial services business. If you have a proprietary system for investor distributions, that system should be secured on par with your ERP system.
  4. Deal Sourcing Data – At Protiviti, we emphasize the importance of knowing your “crown jeweIs” — that is, critical data that must be protected, such as investor account data. However, the protection of pipeline data, and information on target companies (e.g., potential deals), is at times overlooked. Data security must be established over systems, sites and network drives where confidential deal data is stored, including security over data rooms associated with due diligence activities. Additionally, employee communications should be monitored to ensure that no confidential information is being “leaked” via company networks.
  5. Board Members – Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats. This point was mentioned in our recent Board Perspectives newsletter (Issue 90).That need also extends to the security of board emails and electronic communication of sensitive board materials. Of particular concern is the widespread use of “free” email services. Given the confidentiality of the information contained in many board emails, many organizations provide directors with in-house email addresses.

In a world rife with cyber crime, the incentives to commit it grow ever stronger as just about everything of value – whether an action or an asset – has a digital component. Vigilance continues to be the name of the cyber risk game – for private equity firms and portfolio managers in managing their clients, and for other sectors as well.

Watch What You Say: Auditing Cybersecurity Disclosures

David BrandBy David Brand
Managing Director, Leader of Protiviti’s IT Audit practice




In the face of ongoing, persistent and ever-more dramatic data breaches, corporate assurances to the security of information are rightfully met with investor and regulatory skepticism. And while companies have rushed to inoculate themselves against potential damage by purchasing cyber insurance, regulators – and insurers – are reviewing published cybersecurity disclosures carefully to determine whether the companies’ claims regarding their cybersecurity programs – people, processes and technology – are consistent with reality.

These reviews merit attention for several reasons. For example, the price for failing to adequately assess and disclose cyber risks could be regulatory sanction and/or a denied insurance claim.

Questions about disclosures – and inquiries from external auditors related to cybersecurity – have been raised at several conversations with our clients recently. The basis for the questions can be traced back to a U.S. Securities and Exchange Commission Guidance published in October 2011. But the urgency and frequency of the questions in meeting rooms and board rooms have increased, in apparent contradiction to public corporate cybersecurity assurances.

External auditors are generally asking two questions:

  1. For companies making disclosures: What programs exist to ensure the disclosures are accurate?
  2. For companies without disclosures: What controls and procedures are in place to ensure that there is nothing occurring that should be disclosed?

The typical response, to date, has been for management to provide a memo with a general description of relevant risks; a list of the people, processes and technology in place to address cyber risk; a list of relevant internal audit efforts addressing cyber risk; and a statement that management is not aware of any relevant undisclosed breaches.

These responses tend to be quantitative, which begs the question: Should Internal Audit evaluate and weigh in on the efficacy of cyber risk mitigation programs? A 2015 article in the Harvard Law School Forum on Governance and Financial Regulation says yes. I would agree.

Critical intellectual property (IP) – the so-called “crown jewels” – must be identified and protected. In addition to traditional perimeter defenses, companies need to develop and regularly review an intrusion response plan. The plan needs to account not only for theft, but also for the possible destruction of data. Response plans should be tested with live simulations designed to break and fix vulnerabilities before they can be exploited by hackers.

Sounds like common sense, doesn’t it? It has been my experience, however, that all too often, companies tend to address theoretical risks with theoretical responses. A self-assuring, “no stranger danger here” mentality may, in fact, be your organization’s greatest vulnerability. Instead, what companies are better off doing – and what most cybersecurity experts these days recommend – is to assume that they have already been breached, and focus their security efforts on rapid detection, interdiction and recovery.

To that, I would add the need for a strong cyber risk control and governance framework, such as the one developed by the National Institute of Standards and Technology (NIST).

As for internal audit, it definitely should be auditing cybersecurity disclosures to make sure that what management is telling shareholders is consistent with actual risks. Words matter, and the world is watching.

For more on current IT audit trends, views and challenges, download the latest ISACA/Protiviti IT Audit Benchmarking survey or view the highlights.