Cyber Safety Tips for Private Equity Managers

By Michael Seek, Director
Internal Audit and Financial Advisory




Cybersecurity vendor FireEye, in March, reported an increase in fake emails targeting lawyers and compliance officers with malware disguised as a Microsoft Word document from the Securities and Exchange Commission. That, on the heels of a reported uptick in fake drawdown requests targeting private equity clients, prompted us to put together a list of ways private equity firms and portfolio managers can protect their clients from these increasingly sophisticated attacks. This list has applicability to other companies as well.

  1. Distributions – Protect investors (both internal and external) with controls requiring positive verification of the Investor’s identity prior to making any change to banking/wire instructions. The request should come directly from the Investor or from a contact that the Investor has provided written authorization to act on the Investor’s behalf. An independent email should be sent to the authorized email contact of record notifying them that a change was made and advising them to contact the firm if they did not request the change. This process should mirror those utilized by banks.
  2. Capital Calls/Drawdowns – Capital calls should be presented to Investors via a secure system or mechanism other than email. Note that hackers have been known to establish authentic-looking fake websites designed to capture LP account information. Protiviti recommends strong multifactor authentication routines (again, similar to banks) to thwart such efforts.
  3. System Security – Continuous monitoring for breach detection and a vigorously tested and rehearsed response/recovery plan have become the table stakes for operating any financial services business. If you have a proprietary system for investor distributions, that system should be secured on par with your ERP system.
  4. Deal Sourcing Data – At Protiviti, we emphasize the importance of knowing your “crown jeweIs” — that is, critical data that must be protected, such as investor account data. However, the protection of pipeline data, and information on target companies (e.g., potential deals), is at times overlooked. Data security must be established over systems, sites and network drives where confidential deal data is stored, including security over data rooms associated with due diligence activities. Additionally, employee communications should be monitored to ensure that no confidential information is being “leaked” via company networks.
  5. Board Members – Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats. This point was mentioned in our recent Board Perspectives newsletter (Issue 90).That need also extends to the security of board emails and electronic communication of sensitive board materials. Of particular concern is the widespread use of “free” email services. Given the confidentiality of the information contained in many board emails, many organizations provide directors with in-house email addresses.

In a world rife with cyber crime, the incentives to commit it grow ever stronger as just about everything of value – whether an action or an asset – has a digital component. Vigilance continues to be the name of the cyber risk game – for private equity firms and portfolio managers in managing their clients, and for other sectors as well.

Public Breach Disclosure Laws Up the Ante on Security – But Do They Work as Intended?

david-taylorkall-loperBy David Taylor, Managing Director
Technology Consulting, Security and Privacy

and Kall Loper, Director
Technology Consulting, Security and Privacy


On January 3, The Massachusetts Office of Consumer Affairs and Business Regulation announced that it will report all data breaches to a publicly accessible state website. Previously, this information could only be obtained with a public record request. The new site includes summary information of the breach and is organized by year. The breached organization’s name, the magnitude of the breach and the type of information exposed (Social Security numbers, credit card numbers, etc.) are included in the summary, among other details.

The Massachusetts office’s decision follows other recent examples of states tightening their breach notification statutes and definitions of what constitutes sensitive information. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted laws requiring companies transacting business with residents of their state to report data breaches.

Any law that intends to protect consumers is, on its face, a good one. However, we feel that a direct, pain-stimulus motivation such as Massachusetts’ public breach notification reporting may work against a more effective approach to remediation by forcing short-term, technical responses that do not necessarily ensure security over the long term.

Faced with a public breach disclosure, there is a tendency for companies to seek to end the pain of public exposure as quickly as possible. But rather than encouraging breached companies to address the complex causes of the breach, public breach reporting encourages narrowly tailored investigations and short-term remediations. A quick-to-implement response such as a firewall or an intrusion detection system may remediate the specific problem found, but not the class of vulnerabilities, or any security architecture failings, employee practices or organizational data use patterns.

Often, system-wide vulnerabilities are not addressed for fear of finding more problems that require reporting, potentially causing further erosion of public confidence, brand value or market capitalization. This ostrich-like approach is surprisingly common, and lengthy, expensive lawsuits are often the result. Unfortunately, direct reporting laws, like the recent one from Massachusetts, only intensify the desire to avoid further discovery for fear of immediate penalties.

In addition to the business risks mentioned above, a technical knowledge gap often holds companies back when it comes to remediating the vulnerabilities leading to the breach. Holistic breach recovery requires a broad range of capabilities, from expertise in technical security practices and organization security practices, like identity and access management, to expertise in public relations, legal and electronic discovery processes, project management and information governance policies.

Without an appropriate formulation of goals and planning, a post-breach remediation can be an expensive exercise in seeking psychological comfort and not much more. Vendors will flock to the breached company’s executives with “solutions” that often do not address the root causes of the organization’s failure. Solution-based answers are good if the goal is to show a lot of activity and reportable benefits; however, when the cash stream ends, the solution vendors depart, leaving the company without a long-term plan toward a more secure organization.

Effective post-breach remediation is a planned set of specific activities that ultimately becomes part of the ongoing information security structure. Among these activities are:

  • Organizational change to address the security practices of end users through employee training and implementation of a company-driven plan to grow security awareness
  • Information policies that take into consideration data protection priorities and are designed to eliminate unnecessary risk and minimize unavoidable risk
  • Information governance, to make information available only to those who need it, but also keep it accessible and flexible based on the company’s needs
  • Agile and responsive security through solutions appropriate to the company’s sustainable efforts and long-term goals.

The developments in laws intended to protect consumers’ personal information from exposure point to a trend – there will be more, not less, required of companies in that regard. The sooner and more comprehensively the complex causes of the breach are addressed, the less there is a chance of a repeated event. Only through a comprehensive and thoughtful response will companies lessen the long-term damage to their public image, brand value and bottom line.

Brexit Raises Questions About Personal Data Protection

mark-petersBy Mark Peters, Managing Director
IT Audit Practice Leader, UK




Not all border crossings are visible. The decision by the United Kingdom earlier this year to leave the European Union (EU) brings a basket of challenges and opportunities for the management and protection of personal data through cyber checkpoints, once the UK goes its own way. Personal data is a crown jewel of commerce, and the secure transfer and storage of data across national and regional borders is a hotly contested topic.

We examine this issue in our recent point-of-view paper, Responding to the Challenges and Opportunities Presented by Brexit — Data Protection and Management Implications, available for free download from our website.

Under current regulations, personal data can be transferred between countries within the EU, but it can only be transferred to outside countries that guarantee an adequate level of protection. The new EU General Data Protection Regulation (GDPR) — effective May 2016, with enforcement to begin May 2018 — which aims to harmonize existing data laws and strengthen data protection rules, was a long-time coming, and carries fines of up to four percent of global revenue for noncompliance.

Some UK companies have incorrectly assumed that, following Brexit, GDPR will no longer apply, and have drawn the conclusion that Brexit will simplify data governance. In fact, the timetable for GDPR compliance is likely to run ahead of the UK’s formal exit, which means UK companies will have to comply with the GDPR, even as UK regulators craft their own personal data rules and negotiate transfer terms with the EU. It is likely, as well, that the EU will require companies in the UK to continue to meet GDPR standards as a condition of access to the EU market.

The split also raises questions for UK companies with data centers and cloud providers in the EU, and vice versa. Even if not required by the GDPR, many EU companies restrict suppliers from exporting personal data outside the EU, as part of their internal data risk management policies. That means some EU companies are likely to require suppliers to move data out of the UK and into EU data centers. Now would be a good time to take inventory of data locations and develop contingency plans.

Similarly, any ongoing business change projects approved before the Brexit vote and involving a significant IT investment should be reassessed and modified to address any implications on data storage and transmission. Given the broad definition of personal data under GDPR, virtually all projects will be affected. As a priority, all organizations should evaluate their data center strategy for these projects and decide whether it might be prudent to move or split data centers across different territories.

Organizations that utilize cloud service providers should determine what arrangements those providers have made for segregating data for EU and UK customers.

Client contracts should also be reviewed, and modified as needed, to clarify expectations on data residency and exchange.

As with any significant change, human factors can make or break the transition. Organizations should identify key decision makers who are likely to require early awareness training in order to keep abreast of potential changes in data protection legislation. Areas most likely to be affected include customer management, marketing, legal, compliance, human resources, IT, facilities, contracts, and project management.

We will continue to monitor this situation and revisit, as needed, as details become available. The above is just a summary; download the full paper here.