Cyber Safety Tips for Private Equity Managers

By Michael Seek, Director
Internal Audit and Financial Advisory

 

 

 

Cybersecurity vendor FireEye, in March, reported an increase in fake emails targeting lawyers and compliance officers with malware disguised as a Microsoft Word document from the Securities and Exchange Commission. That, on the heels of a reported uptick in fake drawdown requests targeting private equity clients, prompted us to put together a list of ways private equity firms and portfolio managers can protect their clients from these increasingly sophisticated attacks. This list has applicability to other companies as well.

  1. Distributions – Protect investors (both internal and external) with controls requiring positive verification of the Investor’s identity prior to making any change to banking/wire instructions. The request should come directly from the Investor or from a contact that the Investor has provided written authorization to act on the Investor’s behalf. An independent email should be sent to the authorized email contact of record notifying them that a change was made and advising them to contact the firm if they did not request the change. This process should mirror those utilized by banks.
  2. Capital Calls/Drawdowns – Capital calls should be presented to Investors via a secure system or mechanism other than email. Note that hackers have been known to establish authentic-looking fake websites designed to capture LP account information. Protiviti recommends strong multifactor authentication routines (again, similar to banks) to thwart such efforts.
  3. System Security – Continuous monitoring for breach detection and a vigorously tested and rehearsed response/recovery plan have become the table stakes for operating any financial services business. If you have a proprietary system for investor distributions, that system should be secured on par with your ERP system.
  4. Deal Sourcing Data – At Protiviti, we emphasize the importance of knowing your “crown jeweIs” — that is, critical data that must be protected, such as investor account data. However, the protection of pipeline data, and information on target companies (e.g., potential deals), is at times overlooked. Data security must be established over systems, sites and network drives where confidential deal data is stored, including security over data rooms associated with due diligence activities. Additionally, employee communications should be monitored to ensure that no confidential information is being “leaked” via company networks.
  5. Board Members – Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats. This point was mentioned in our recent Board Perspectives newsletter (Issue 90).That need also extends to the security of board emails and electronic communication of sensitive board materials. Of particular concern is the widespread use of “free” email services. Given the confidentiality of the information contained in many board emails, many organizations provide directors with in-house email addresses.

In a world rife with cyber crime, the incentives to commit it grow ever stronger as just about everything of value – whether an action or an asset – has a digital component. Vigilance continues to be the name of the cyber risk game – for private equity firms and portfolio managers in managing their clients, and for other sectors as well.

Cyber Vulnerabilities of Energy Companies’ Control Systems Can Be Addressed Safely and Successfully

 

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and

Michael Porier, Managing Director
Technology Consulting – Security and Privacy

 

The realization is growing across the oil and gas industry that the major cybersecurity threats to upstream, midstream and downstream data and operations are often aimed at operational technology (OT) systems and equipment – usually older, legacy models – rather than at the information technology (IT) side. Those operational technologies typically include industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and other related technologies implemented at operational facilities, such as plants, pipelines, terminals and rigs.

A recent survey of more than 300 oil and gas companies found:

  • More than 60 percent of companies have suffered a security compromise in the past year, which exposed confidential information and disrupted OT systems and operations
  • Two-thirds of companies believe risks to OT systems have increased substantially in recent years, and 59 percent believe they face greater risks in OT than in IT
  • Only one-third of companies report that OT and IT are fully aligned in their organizations
  • Just 35 percent rate their readiness to address cyber threats as high
  • Close to half of all attacks on OT are going undetected

These survey findings appear shocking – but they are also consistent with Protiviti’s experience in performing cybersecurity assessments for energy and utility clients, particularly evaluating their OT systems. We often find unprotected field terminals with inadequate physical security of connection points, live ports that lack deterrents, and an absence of intrusion detection capabilities. We also commonly see flat networks that are not segmented to appropriately segregate the OT systems from the corporate network environment, making it easier for potential hackers to exploit vulnerabilities across the organization.

Obviously, OT systems with any of these shortcomings present significant cybersecurity risks for the energy and utilities industry. The threat is multiplied by the fact that energy and utilities organizations are deemed critical infrastructure, whose exploitation can have devastating effects to broad geographic regions affecting multitudes of people.

More and more ICS/SCADA technologies allow for the capability to connect (via IP) to the broader corporate network infrastructure. While this provides for certain efficiencies, it can also expose oil and gas systems to unprecedented risks that occur when the previously isolated OT systems are linked to sophisticated IT networks so data can be shared, managed and analyzed.

Despite this newfound connectivity, the industry has remained stubbornly reluctant to challenge legacy OT systems from a vulnerability perspective, for fear of creating interruptions or process errors. This reluctance often leads to a failure to adequately test or update systems to optimize security and minimize cybersecurity risks.

The concerns are legitimate, but only up to a point. In our experience, there isn’t sufficient justification to hold OT systems “off limits” for cybersecurity evaluation and upgrades, given the high potential for targeting by sophisticated opponents and the alarming numbers cited in the survey. To this end, assessments should still be performed, but they must incorporate a series of precautions designed to assure both operational continuity and a complete threat risk review. These precautions include:

  • Well-defined rules of engagement, including identification of the types of reports and system information to be compiled prior to conducting a vulnerability scan
  • Performing security evaluations in a test, rather than production, environment
  • Collaboration with both engineering and IT security personnel to define the scope of the review engagement
  • Reasonable limitations on initial tests so sensitive systems can be excluded if needed to allow for the development of workarounds
  • Establishment of clear lines of communications so any network or system irregularities are reported and evaluated during testing

Working within these parameters, the end goal of testing the security control environment of the ICS/SCADA environments should achieve the following:

  • Evaluate the key security risks prevalent in the ICS/SCADA network architecture
  • Identify the network vulnerabilities and test the connectivity to the enterprise network
  • Assist with the development of a vulnerability management program specific to the ICS/SCADA infrastructure

Ideally, what energy and utilities companies want is to ensure they have an ICS/SCADA environment that can function in a secure and effective manner, and that they can be highly efficient in detecting and responding to breaches and attacks. This requires technical expertise, collaboration between departments, appropriate planning, and leveraging vulnerability assessments to periodically test security.  Testing these systems requires more work, but it is not impossible, and it should not be considered “out of the question.” In fact, testing is an essential practice to preserving the integrity of any critical system.

Top Technology Challenges for Internal Audit: Results From Protiviti’s IT Audit Survey

By Gordon Braun, Managing Director
IT Audit

 

 

 

Process automation and digital transformation are near the top of most corporate agendas, and the IT audit function has never held a more crucial role. The results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations.

I had the opportunity, along with my colleague David Brand and ISACA director Ed Moyle, to discuss the results at length in a recent webinar. You can view an archived version by registering here. In the meantime, I wanted to give you a quick rundown of the top technology challenges expressed by respondents, and how those challenges compare with the previous year’s results.

No surprise on the top tech challenge: Nearly all organizations are struggling with data privacy and cybersecurity. It’s an area where boards want assurance — even with an understanding that assurance can never be 100 percent, regardless of the amount of money spent. The challenge for IT audit, therefore, lies in determining the right amount of IT audit time and focus to be dedicated to cyber risk and ensuring coverage is in alignment with the risk appetite and priorities of the organization. Though cybersecurity is always a business issue, the risk is typically assigned to IT. IT audit’s effectiveness in this area is strongly related to the experiences and discreet knowledge that the IT auditors in the group bring to the audit. There continues to be a strong push for education and for using the right tools, frameworks, approaches and resources; all are critical elements to ensuring IT auditors to stay in front of the cyber risks they are auditing.

Emerging technology (automation, digitization, cloud, etc.) remains a top challenge for IT auditors, though not ranked as high as last year. Effective IT governance in the face of emerging tech remains a goal for many organizations, and those that ignore it or get it wrong are going to struggle. IT auditors can help their organizations in this area by challenging the effectiveness of IT governance from both a design and operating perspective — this healthy and critical evaluation of the  alignment between the business and IT is required in today’s environment. In organizations with enterprise risk management (ERM) functions, there may be a natural overlap in interest between IT governance and ERM and IT auditors are well-positioned to seek out this partnership to share and receive perspectives from the ERM group.

Infrastructure management, regulatory compliance, and budget/cost concerns all moved up the list this year — a risk triumvirate that I think contributed to the return of third party/vendor management as a top-ten challenge, after dropping below the top ten last year. Infrastructure management and third-party vendor management are closely related as organizations increase reliance on infrastructure as a service (IAAS) and software as a service (SAAS) providers in an attempt to reduce their IT footprint. To ensure maturity in third-party risk management and ease related challenges, IT audit should be involved in the early stages of significant infrastructure projects, evaluating the processes and controls around third-party vendor management, ensuring upfront due diligence activities are completed, and reviewing service level agreements (SLAs) and contracts before they are signed. There are a number of efforts in the market to provide IT auditors with more avenues for assurance for these relationships – an area I fully expect will continue to see growth.

Missing from this year’s top-ten list is big data — a surprise, to say the least. In all my conversation with colleagues, big data remains a top priority, and is closely tied to many of the other top ten challenges. Its absence on the list, in my opinion, has more to do with the temporary elevation of other priorities, and a growing familiarity with the features, risks and benefits of big data, rather than any lessening of focus. Big data also looms large in this year’s Internal Audit Capabilities and Needs Survey, so the conversations around it are certainly not over.

Last, but certainly not least, staffing and skills cut across every other top technology challenge mentioned. Although it dropped slightly from last year’s ranking, it remains a top-five challenge — a reflection of the critical need for internal audit functions to hire and train tech-savvy auditors capable of understanding IT risks. This is particularly relevant for addressing the top challenge of cybersecurity, where expertise is key to gaining the cooperation and trust of IT. Co-sourcing, or even outsourcing of IT audit, can provide that expertise without straining internal resources. Each organization must decide on whether and how to augment its skills based on its specific level of reliance on technology.

Clearly, there is much to unpack from this year’s IT Audit survey results, and we will continue to analyze the findings and track progress in how companies address them. For the full ranking of challenges and a more in-depth analysis, visit our 6th Annual IT Audit Benchmarking Study page.

 

The IPO Market Appears to Be Heating-up – Are You IPO-Ready?

By Steve Hobbs, Managing Director
Public Company Transformation

 

 

 

If the past month is any indication, the lull of 2016 is in the rear view mirror and we’re headed into an uptick in the IPO market. As more well-known and highly anticipated companies are going public, there are rumors of who might be next. With that said, history has shown the public offering windows opens and close quickly, and in order to take advantage of a healthy market, when IPOs tend to fare best, companies must be prepared when the market is ready. Below are several points on getting a company IPO-ready:

Prioritize. When the market is hot, it’s easy to want to ride the wave. But, trying to skip ahead or take shortcuts could put an IPO at risk. Conversely, shifting full focus to IPO readiness activities can cause the day-to-day business to suffer. In cases like this, working with partners to help prioritize activities and plan the IPO can be a good decision as it frees up time for management to focus on the business while keeping all strategic initiatives in sight.

Set the tone.  As every C-suite executive knows, major transformations, like launching an IPO and operating in the public realm, require a great deal of both internal and external communication. Public companies operate in a fishbowl of disclosure and regulatory compliance. Therefore, executives need to set a positive tone early on to ensure that every single person in an organization – not just the functions at the center of an IPO – is aware and supportive of the process. The executive team must promote a compliance infrastructure not just as a system of controls, but as a tool for growth and scalability.

Scale your infrastructure. The internal infrastructure of the company must be able to support and withstand the transformation requirements of going public. With new requirements and regulations, companies need to review their financial reporting applications and systems to identify and correct scalability issues.

Think cybersecurity. IT security should not be an afterthought to growth. Organizations need to scrutinize their IT systems for readiness and security, particularly when selecting and implementing an enterprise resource planning (ERP) system. We now hear almost daily of major cyberattacks against public companies. When customer data and/or company IP are at risk or actually compromised, shareholders and regulators take notice.

Learn from others. The basic requirements for transforming a company from private to public rarely change. A new legislation or new requirements might pop up but, at the end of day, every CEO who has taken their company public has a similar story to tell – one of hard work, sleepless nights and serious commitment to the goal. It’s important to take the time to hear these stories from the frontlines, understand what CEOs and CFOs say they wish they had done differently, what they could have avoided, or what wasn’t worth the trouble. To this end, I invite you to join us at our upcoming webinar with executive Vice President and CFO of GOGO, Norm Smagley, who will be sharing his stories from the frontlines.

To learn more, also check out our IPO FAQ guide, available for a free download here.

The Four C’s in Overseeing Internal Audit

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

By Brian Christensen, Managing Director
Internal Audit Global Leader

 

 

 

In 2016, The Institute of Internal Auditors and Protiviti conducted the world’s largest ongoing study of the internal audit profession — the Global Internal Audit Common Body of Knowledge (CBOK) study — to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. Several imperatives for internal audit emerged from the responses of the participants in the study. Among them: focus more on strategic risks, think beyond the scope of the audit plan, and add more value through consulting.

Continue reading

Assessing the Expectations of Internal Audit Stakeholders at The IIA GAM Conference

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

Panel Session at the 2017 IIA GAM Conference:
Stakeholder Expectations (Updates from CBOK Stakeholder Studies)

Today at The IIA 2017 GAM Conference, Brian Christensen, Executive Vice President, Global Internal Audit for Protiviti, participated in a panel discussion before more than 1,000 conference attendees, on the expectations of internal audit stakeholders and how internal audit can continue to improve its performance. The panel was moderated by Paul Sobel, Vice President and Chief Audit Executive, Georgia-Pacific LLC. Panelists were Angela Witzany, Chair, IIA Board of Directors and Head of Internal Audit at Sparkassen Versicherung AG; Larry Harrington, Vice President, Internal Audit at Raytheon Company; and Brian Christensen, Executive Vice President, Global Internal Audit at Protiviti.

Following are some highlights from Brian’s comments:

  • Are we in the so-called “golden age” of internal audit? Membership in The IIA is at an all-time high. Conferences and programs are near capacity. As internal auditors, we are part of the conversation in the boardroom and management circles. And internal audit has been rated one of the 10 best professions to start a career. But, it’s important to ask, what can we do better? How do we remain relevant and serve our constituents better? Answering these questions was the goal of the 2016 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study.
  • Stakeholders agree that internal audit is focused on the most significant areas in their organizations. Internal audit is keeping up with changes in the business and is communicating well with management and the board.
  • Internal audit needs to further leverage its positive reputation for quality in other areas of the business where it can add value.
  • Management and the board want internal audit to “move beyond its comfort zone” to help organizations bring internal audit perspective on strategic initiatives and changes – digitalization, cybersecurity, Internet of Things and more. Change is all around us. In light of these many changes, what are new and emerging risks that organizations need to understand and manage? Internal audit can and is expected to provide information and insights to board members and management on these new risks.

Brian also offered some calls to action:

  • As internal auditors, we need to rise up to the expectations of our stakeholders. We’ve been told we’re doing a great job, but we can do more, and our stakeholders want us to do more.
  • We need to break out of historical thinking and approaches. We’ve earned a solid reputation – we now need to build on it.
  • We need to focus on and embrace the four C’s – Culture, Compliance, Competitiveness, Cybersecurity.
  • We need to ask ourselves: Where do we want to be in five years? In 10 years? How do we continue our “golden age”? The answer: Take on bold ideas and new concepts.
  • Finally, we need to own the discourse to fulfill the expectations of our stakeholders.

We have a great opportunity – not just for ourselves, but to create a path for those behind us. Stakeholders have given us a road map to success. Let’s fulfill our destiny and continue our golden age.

Listen to Brian Christensen summarize the highlights:

Share on Twitter

Data Security Alarms Should Be Sounding for Oil and Gas

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

 

 

 

Oil and gas industry executives don’t need to see a new Wikileaks story about secret CIA hacking tools or hear more about the electronic penetration of presidential campaigns to understand the seriousness of a potential digital hack to their operations.

But it’s a large step from knowing a risk exists to being ready for it. Achieving confidence in the ability to manage such risk can involve substantial new investments and operational adjustments, even for an industry accustomed to meeting regulatory, operational and market challenges.

Protiviti’s recently released 2017 Security and Privacy Survey indicates that oil and gas companies are facing their cybersecurity challenges in ways similar to other industries. The survey’s main findings include:

  • Nearly one in five companies cannot confidently identify or locate their “crown jewels,” or most valuable data assets, because they lack an effective enterprisewide data classification scheme and policies.
  • How well companies manage their vendors’ security practices marks a notable difference between top security performers and the rest.
  • Companies with a high level of board engagement in information security issues rate considerably higher than those without such involvement in nearly all facets of information security best practices. These companies also report a higher level of confidence in their ability to prevent an opportunistic data breach.

These findings largely correspond to what we have seen among our own energy clients. One difference we have noticed, however, is that energy companies tend to have little to no formal documentation on testing of security incident response plans, compared to other industries. This could mean that energy executives have not substantiated a basis for the same level of breach-prevention preparedness as some other industries. I would argue that as a critical infrastructure, they should.

Although Protiviti energy clients indicate they are committed to security, we see about the same 38-percent level of compliance with implementation of the five core information security policies identified in the Protiviti survey: acceptable use, records retention/destruction, data encryption, information security, and social media policies.

In addition, energy companies, specifically those in exploration and production (E&P), have been hesitant to invest in tools to identify where their “crown jewels” are stored, apparently on the basis that many do not feel their company is much at risk because it does not retain much sensitive data. However, many common processes at E&P companies (i.e., escheat and royalty owner payments) do involve sensitive information protected by state privacy laws (e.g., individual tax ID numbers are actually Social Security numbers). Further, company confidential information, such as reservoir data, land acquisition data, and merger and acquisition activity, would be considered data that requires identification and protection. Very commonly, even where these processes are mostly manual, this information is digitized (e.g., scanned documents) or entered into a system. If the company does not know what data exists and where, it will have a difficult time protecting it.

Energy executives and boards would be wise to ask themselves some worst case scenario questions and know the answers now rather than having to discover them under fire later:

  • If our data assets were compromised, could they be reconstructed, and how long would it take?
  • If field operations were disrupted by an attack on the operational control system, how much revenue would be lost per week? Per month?
  • If competitors or counter-parties were able to learn confidential details of our strategies and plans, where would our company be most vulnerable?

The bottom line is that what you don’t know, such as where your critical data is, can, and eventually will, hurt you. With all issues of cybersecurity, it’s only a matter of time.

Alyssa Brister and Luis Castillo from Protiviti’s Technology Consulting practice contributed to this post.