Cyber Safety Tips for Private Equity Managers

By Michael Seek, Director
Internal Audit and Financial Advisory


Cybersecurity vendor FireEye, in March, reported an increase in fake emails targeting lawyers and compliance officers with malware disguised as a Microsoft Word document from the Securities and Exchange Commission. That, on the heels of a reported uptick in fake drawdown requests targeting private equity clients, prompted us to put together a list of ways private equity firms and portfolio managers can protect their clients from these increasingly sophisticated attacks. This list has applicability to other companies as well.

  1. Distributions – Protect investors (both internal and external) with controls requiring positive verification of the Investor’s identity prior to making any change to banking/wire instructions. The request should come directly from the Investor or from a contact that the Investor has provided written authorization to act on the Investor’s behalf. An independent email should be sent to the authorized email contact of record notifying them that a change was made and advising them to contact the firm if they did not request the change. This process should mirror those utilized by banks.
  2. Capital Calls/Drawdowns – Capital calls should be presented to Investors via a secure system or mechanism other than email. Note that hackers have been known to establish authentic-looking fake websites designed to capture LP account information. Protiviti recommends strong multifactor authentication routines (again, similar to banks) to thwart such efforts.
  3. System Security – Continuous monitoring for breach detection and a vigorously tested and rehearsed response/recovery plan have become the table stakes for operating any financial services business. If you have a proprietary system for investor distributions, that system should be secured on par with your ERP system.
  4. Deal Sourcing Data – At Protiviti, we emphasize the importance of knowing your “crown jewels” — that is, critical data that must be protected, such as investor account data. However, the protection of pipeline data, and information on target companies (e.g., potential deals), is at times overlooked. Data security must be established over systems, sites and network drives where confidential deal data is stored, including security over data rooms associated with due diligence activities. Additionally, employee communications should be monitored to ensure that no confidential information is being “leaked” via company networks.
  5. Board Members – Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats. This point was mentioned in our recent Board Perspectives newsletter (Issue 90). That need also extends to the security of board emails and electronic communication of sensitive board materials. Of particular concern is the widespread use of “free” email services. Given the confidentiality of the information contained in many board emails, many organizations provide directors with in-house email addresses.

In a world rife with cyber crime, the incentives to commit it grow ever stronger as just about everything of value – whether an action or an asset – has a digital component. Vigilance continues to be the name of the cyber risk game – for private equity firms and portfolio managers in managing their clients, and for other sectors as well.

Building Cyber Resiliency Is the Path to Better Brand Protection for Consumer Products and Services Companies

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader


Last week, I wrote about customer loyalty, and how a strong cybersecurity program can help ensure the trust of consumers. Here are some fresh stats about the business impact of cyber threats that consumer products and services executives should know about: In 2016, one in five businesses lost customers due to a cyber attack. Nearly 30 percent lost revenue. About one-quarter lost business opportunities. And when a breach occurred, brand reputation was one of the top areas of the organization to be affected, right behind operations and finance.

These unsettling findings are from the Cisco 2017 Security Capabilities Benchmark Study, featured in Cisco’s latest cybersecurity report. Combine these data points with all the news about recent hacks and breaches involving major retailers, restaurants, hotels, and other consumer products and services companies, and it becomes crystal clear why industry executives are extremely concerned about cyber threats.

In the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative, which I referenced in my recent post, respondents from consumer products and services businesses also cited the following risk among the top five for their industry group in 2017:

Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage our brand.

The research also shows that the risk score for this concern increased significantly from the 2016 survey.

Consumer respect and trust are at stake

For consumer products and services companies that spend millions of dollars annually to cultivate and promote their brand image, a hack or a data breach can be devastating to their reputation — and their bottom line. These events can lead not only to long-term brand damage, but also the loss of the public’s respect and trust. This is especially true if customer data is compromised or stolen, leaving people at risk for financial loss and identity theft. Even if a company can recover quickly from such an event and make things right with its customers, its image will likely remain tarnished for some time to come.

Unfortunately, cyber threats (and privacy concerns) will become only more severe as businesses and consumers increase their reliance on technology in all aspects of their lives; digital commerce and mobile payments continue to grow; and the emerging Internet of Things (IoT) expands. Over time, consumer products and services companies will need to significantly increase the data they collect to provide highly customized products, services and experiences to their customers.

These trends underscore why consumer products and services businesses must make improving cybersecurity and building cyber resiliency even higher priorities — starting now.

Developing a world-class response to a high-profile crisis

Most executives today understand that a cyberattack is not a matter of if, but when, for their organization. Taking steps to prevent hacks or breaches should always be a high priority for any business, of course. But what is even more important is creating a well-thought-out and tested action plan that will allow the company to respond swiftly to a cyber incident, mitigate the impact of that event on the business and its customers, and protect the brand.

A recent issue of Protiviti’s Board Perspectives: Risk Oversight offers some insight that can help consumer products and services companies better protect their brand reputation in an increasingly treacherous cyber threat landscape. One of the “10 essential keys” to risk management outlined in the document — developing a “world-class response to a high-profile crisis” — is particularly relevant to the cyber threat discussion.

Creating a world-class response requires that the board of directors and executives ensure, long before a crisis hits, that:

  • The risk assessment process has been designed to identify areas where preparedness is needed.
  • A crisis management team is in place and prepared to address a specific sudden crisis scenario; otherwise, a rapid response will be virtually impossible.
  • Response teams are supported with robust communications plans that emphasize the importance of transparency, straight talk and effective use of social media.
  • Response teams update and test their rapid response plans periodically.

These actions can strengthen organizational resiliency. When developed with cyber threats specifically in mind, they help to build cyber resiliency. Preparing to reduce the impact and proliferation of a cyber event is paramount for any modern business. For consumer products and services companies, it can make all the difference in maintaining their customers’ trust, preserving the long-term health of their brands, and being able to confidently face the future.

PCI DSS 3.2 – What You Need to Know


By Jeff Sanchez, Managing Director, IT Security and Privacy

and

Scott Laliberte, Managing Director, IT Consulting

We’ve been getting a lot of inquiries from clients on the new payment card industry (PCI) compliance standard issued by the PCI Security Standards Council in April. The new data security standards (DSS) release, dubbed PCI DSS Version 3.2, contains some major changes from the previous version.

The changes are explained pretty clearly in our May 9 Flash Report, but we recently had the opportunity for a more interactive discussion and to answer questions via a webinar we held on August 18. In a future post, we will follow up with some of the questions we did not have a chance to address. Here, we’d like to focus on the upcoming changes.

Some of the upcoming changes may require a significant effort to achieve. This affects all entities transacting business by credit, debit or cash cards and could result in many organizations being out of compliance for an extended period of time.

The biggest changes affecting all organizations (effective Feb. 1, 2018) are as follows:

  • Multifactor authentication will be required for administrative access to any system within, or connected to, the cardholder data environment (CDE), even when connecting from within the corporate network. That means that, in addition to a password, anyone seeking to access the system must present some other form of identification, such as a fingerprint or optical scan. This requirement already applies to users, administrators and third parties accessing the system remotely. Note: Companies currently using multifactor authentication as a compensating control for technical noncompliance will no longer be able to list this as a compensating control after it becomes a requirement.
  • File integrity monitoring (FIM), or some kind of change-detection solution, will be required for all in-scope systems, which includes all systems connected to – not just those within – the CDE. Many organizations do not currently have FIM technology on point-of-sale terminals or administrative workstations.
  • Change management is an area of increasing concern for the Security Standards Council. PCI 3.2 requires organizations to carefully document all changes to in-scope systems, plus any controls that might be affected by each change, and prove that the controls have been tested post-implementation and that corrective action was taken, if needed, to restore an effective control environment.
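A minimal change-detection routine of the kind the FIM requirement above calls for, as an added example (not code from Protiviti or the PCI Security Standards Council): it hashes a baseline of a directory tree, stores it as JSON, and reports files added, removed or modified on a rescan. The point-of-sale file tree and the tampering are constructed for the demo.

```python
"""Minimal file-integrity monitor (FIM): baseline a directory tree, then
report added, removed and modified files on a later scan. Added example
for the PCI DSS 3.2 change-detection requirement; it is not Protiviti's
or the PCI Security Standards Council's code."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (POSIX relative path) to its hash, size and mode."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # symlink targets outside the tree are out of scope here
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode,  # a permission change counts as a change too
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the three change sets a FIM alert would carry."""
    old, new = set(baseline), set(current)
    modified = sorted(
        f for f in old & new
        if baseline[f]["sha256"] != current[f]["sha256"]
        or baseline[f]["mode"] != current[f]["mode"]
    )
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake POS tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "pos.conf").write_text("gateway=pay.example\n")
        (root / "bin" / "pos").write_bytes(b"\x7fELF-placeholder")
        # A real agent keeps the baseline off-host or signed; the JSON
        # round-trip stands in for that, so the stored form is what is compared.
        stored = json.dumps(build_baseline(root))
        # Tamper: edit the config, add an unexpected file, delete the binary.
        (root / "etc" / "pos.conf").write_text("gateway=other.example\n")
        (root / "etc" / "extra.conf").write_text("x=1\n")
        (root / "bin" / "pos").unlink()
        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the scan runs on a schedule against a baseline refreshed only through the change-management process, so that every reported difference is either an approved change or an alert.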

Service providers face even greater scrutiny under the new standards.

  • Security controls monitoring needs to be able to detect failures, and the provider must have supporting processes that document how to fix control failures, as well as processes for documentation, determining root causes and getting security systems back into operation.
  • Executive management responsibility is another hot-button issue. PCI 3.2 requires service providers to assign a member of executive management to be responsible for protecting the CDE. This executive will oversee testing and sign an attestation of compliance.
  • Operational reviews must be conducted quarterly. Service providers are required to perform quarterly reviews of operational processes, including, but not limited to, daily logs, firewall rules, configuration standards, security alerts and change management procedures.
  • Penetration testing on segmentation controls will have to be conducted at least every six months under PCI 3.2, versus annually in 3.1. The scope of penetration testing needs to be coordinated to ensure that the CDE remains secure, even in the event of a total administrative takeover of a segmented system.
  • Service providers are also now required to provide auditors with a documented description of cryptographic architecture used in the CDE. This must include all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiration date.

PCI version 3.2 is available for use now and becomes the only valid standard when version 3.1 is retired on Oct. 31, 2016. However, many of the new requirements in 3.2 do not become effective until Feb. 1, 2018. As we said in the webinar, we strongly recommend that organizations work with a Qualified Security Assessor now to ensure compliance and avoid unpleasant surprises under deadline pressure.

Global Instability, Cybersecurity on the Minds of Manufacturing and Distribution Industry Executives

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the manufacturing and distribution industry.


By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader


Not surprisingly, economic conditions and financial market volatility top the list of manufacturing and distribution concerns for 2016, and the degree of concern is higher than in prior years. Manufacturers, to a greater extent than many other industries, depend on global sourcing so it’s no wonder that manufacturing executives would be more concerned than usual, given the widespread and growing uncertainty about the financial stability of key U.S. trading partners around the world on whom U.S. manufacturers depend for everything, from polymers and resins to product assembly.

In addition to supply chain concerns, manufacturers worry about sales. Global instability makes it harder to predict where production and inventory will go. Top of mind at the moment: the concerns over Great Britain’s withdrawal from the European Union, as well as economic turmoil in China and Brazil.

Cyberthreats surged into the top five risks for manufacturers for the first time this year. We interpret that as a growing concern for critical systems and infrastructure that we haven’t seen previously in this sector. The concern is indicative of a growing awareness by directors and executives of the vulnerability of networked devices in an increasingly connected global economy with increasingly sophisticated data harvesting and analytic tools.

Unlike, say, retailers, who might be primarily concerned with protecting customer data, manufacturers are primarily concerned with protecting trade secrets and the integrity of networked production equipment. Within manufacturing IT, we’re seeing more focus on security architecture, specifically related to robotics and embedded technology communicating machine-to-machine via the Internet of Things.

Given these changes, it is perhaps not surprising that manufacturers cited recruiting and retaining top talent as one of their top five concerns. There is an increased demand for accurate and timely analytics with which to counter market uncertainty – and personnel capable of extracting actionable intelligence from the overwhelming and growing amount of available data. Automated manufacturers are also aware that they need a higher level of cybersecurity expertise to thwart potential disruption and maintain a competitive edge.

Finally, regulatory risk appears in the top five again, as it has for three years in a row. Manufacturers have a significant and fairly consistent compliance burden when it comes to occupational, environmental, health and safety requirements. More recent concerns have included ethically sourced materials and labor. Regulatory challenges change over time, of course, but history suggests that compliance with regulations will remain a fundamental performance concern for executives and directors.

You can read the key findings and additional commentary in our manufacturing-specific report, which you can access here. The entire survey is available here.

A Matter of Trust: Taking a Look at the CISA Controversy

By Kurt Underwood
Global Leader of Protiviti’s IT Consulting Practice


Back in October, we issued a Flash Report on a senate move regarding a proposed law that has spurred controversy at home and abroad. The bill is intended to improve cybersecurity in the United States through enhanced sharing of threat information.

Now out of committee, and potentially up for a floor vote in the Senate soon, the Cybersecurity Information Sharing Act (CISA) would allow (but not require) the sharing of Internet traffic information between U.S. government agencies and technology and manufacturing companies, making it easier for companies to share cyber threat information with the government.

The bill provides legal immunity from privacy and antitrust laws to companies that provide threat information from, say, the private communications of users, to appropriate federal agencies and other companies. It also permits private entities to monitor and operate defensive countermeasures to detect, prevent or mitigate cybersecurity threats or security vulnerabilities on their own information systems, and, under certain conditions, the systems of other private or government entities.

Although the bill includes provisions to prevent the sharing of personally identifiable information (PII) irrelevant to cybersecurity, some worry whether those protections are adequate.

The U.S. Chamber of Commerce, National Cable & Telecommunications Association, and other advocacy groups support the measure, on the grounds that the information in question is already flowing freely to spies and criminals around the world. Others, including the Computer and Communications Industry Association and various prominent technology companies, oppose it as a violation of personal privacy.

In the end, it all boils down to trust. Repeated high-profile security breaches of PII and other sensitive data have raised questions regarding the ability of government and large corporations to secure their data. It is interesting to note that the Department of Homeland Security, the designated entry point for all submitted data under the proposed law, is among those opposed to the bill.

The concern crosses international borders. A European court recently struck down an agreement that previously allowed U.S. companies to import the personal information of EU citizens and store that information within the United States. The agreement was called into question over a lawsuit questioning the protection of PII from the U.S. government.

For a more detailed analysis of CISA, you can download the Protiviti Flash Report, Proposed Cybersecurity Information Sharing Act Sparks Controversy. I am interested in your take on the issue in the comments section below.

Cybersecurity Looms Large at Debate on Geopolitical Risk

By Shawn Seasongood
Managing Director, Finance and Operational Transformation


The mission of St. John’s University Center for Excellence in Enterprise Risk Management is to “become a leading center that brings together students, academicians, executives, and board members for the purpose of developing and sharing knowledge, tools, and best practices in enterprise risk management.” The Center did just that when it hosted a panel discussion on geopolitical risk on October 15, 2015. Four noted experts of diverse backgrounds participated in the discussion, which focused on the growing instability in the world with traditional places of peace becoming more fragile and regional hegemony rising in the Middle East.

The panel included:

Panel leader: Fran Townsend, Executive Vice President for Worldwide Government, Legal and Business Affairs at MacAndrews and Forbes, and a member of Protiviti’s Advisory Board. Ms. Townsend served as Homeland Security Advisor and counterterrorism assistant to President George W. Bush and chaired the Homeland Security Council.

Fellow panelists: Guillermo Christensen, a senior associate with global law firm Baker Botts, who specializes in national security and international trade law; Roger Schwartz, a senior vice president in the political risk practice at Aon; and Zachary K. Goldman, executive director of the Center on Law and Security and adjunct professor of law at New York University School of Law.

The esteemed panel covered a wide variety of topics, ranging from the current political situations in China and Russia, to the continuing problems in Syria and the overarching threat of cyberattacks.

Following are some of the highlights of the discussion:

  • The panel agreed that the West, and the U.S. specifically, is so interconnected with China that the state of China’s economy is of paramount concern and that it’s in the West’s interest for it to perform well. And although China’s cyber infringements could, and indeed have, made the country a “strategic opponent,” China nevertheless remains a strategic ally in the Asia-Pacific region.
  • The panel dispelled the notion that Vladimir Putin is an “irrational” leader, since he has presented many thoughtful plans to restore Russia as a superpower. At the moment, the U.S. is giving little pushback on the actions being taken by Putin, particularly in Syria where he is receiving Iranian assistance to support the Assad regime.
  • Focusing on Syria specifically, the panelists agreed that the genocide currently taking place there would result in steep consequences for the society’s youth, who are either killed or left without any access to education, providing a rich pool for Islamic extremists to tap into. The U.S., however, has done little to address the problem, said the panel. They agreed this will be a job for the next U.S. president.
  • There was a general consensus among panelists that sanctions on Iran have been an effective deterrent to Iranian adventurism and sponsorship of mischief in the Middle East. However, under the Superannuation Industry (Supervision) Act (SISA), millions of dollars in assets are being freed, which, unfortunately, will not be used for the benefit of the Iranian people but rather to support Hezbollah.
  • Cybersecurity dominated the entire discussion and permeated all of the topics referenced above. The panel discussed the need for mutual cyber deterrence – governments need to have a deeper and more comprehensive understanding of what countermeasures will be used, and in what instance, in response to a cyberattack. The sense was that the West needs a more mature doctrine in regards to its cybersecurity strategy. The first step in such a strategy is to understand exactly where the vulnerabilities lie. The private sector in the U.S. runs almost all of the critical IT Infrastructure and is also the most vulnerable to cybersecurity threats. In the U.S., there isn’t one single government agency dedicated to cybersecurity that has the absolute authority to assist the private sector whose data and systems are under constant threat. For those private firms, cybersecurity must be a board-level issue and will need to remain so to cope with the persistent and growing cyber threats.

In summary, the geopolitical environment the West faces is highly dynamic as economic uncertainty continues, tensions rise in the East China Sea and the Middle East, Russia flexes its muscles, and cyber threats expand unabated. All of this presents U.S. policymakers with daunting challenges as they evaluate policy options.