Q&A: Managing data privacy and cyber security risks for private equity funds
September 2015 | SPECIAL REPORT: PRIVATE EQUITY
Financier Worldwide Magazine
FW moderates a discussion on managing data privacy and cyber security risks for private equity funds between Mike Gillespie at Advent IM Ltd, Sharon R. Klein at Pepper Hamilton LLP, and Luke Scanlon at Pinsent Masons LLP.
FW: Could you provide an overview of the types of risks facing private equity fund managers in terms of their data privacy and cyber security protocols? Why makes the data held by fund managers particularly attractive?
Scanlon: There are transparency risks. Private equity funds find it difficult to communicate to their clients and others with precision the purposes for which they are storing and analysing data. There are also risks in terms of how data are shared and used. Illegal profiling activities is a growing risk, particularly as provisions restricting the creation of profiles gains exposure as part of the EU General Data Protection Regulation (GDPR) reforms. In terms of cyber risk, like any business that handles customer and market sensitive data, private equity funds are susceptible to data breaches that can cause exposure of customer information, valuable know how and trade secrets, and to outages that can cause significant business interruption. Hackers, organised crimes, state actors and disgruntled employees are some of the sources of the threats.
Klein: Private equity firms collect and hold data from a variety of sources, including limited partners, firm employees, portfolio companies, investment targets, counterparties and vendors. This diversity makes their data particularly attractive. And fund managers face a number of risks related to this data. There’s an investment risk if their portfolio companies don’t comply with privacy and security regulations because that would have a great impact on the return of the PE firm’s capital investment. There’s also legal risk because of increased scrutiny from the SEC and other regulators and more class actions and regulatory enforcement actions. Funds also face reputational risk if the government, or target or portfolio companies have questions about the privacy and security of personal information entrusted to the funds. Finally, firms face operational risk when trying to manage a privacy and security program in an effective and cost-efficient manner. This cost may be shared across a family of funds if centralised privacy and security measures are in place. The Ponemon Institute estimated that a breach in the financial services sector would cost $217 per record. For example, for Target’s 110 million records breached, the costs would be substantial enough to put a fund out of business.
Gillespie: Insider data loss is a key threat. Insiders can cover a range of areas including contractors or consultants, temps and interns, ex- employees and accidentally inept or badly trained employees, as well as those who have potentially been coerced into nefarious activity or are basically well aware of what they are doing. Social engineering attacks such as spear phishing is also a major, and one of the most prolific and successful types of attack. This involves finding out personal or pertinent information about key employees in order to use in an exploit which is personally tailored to appear like a legitimate communication or interaction but which triggers and enables a cyber attack. Distributed Denial of Service (DDoS) attacks are also very common and vary in intensity from a broad based sweep to a highly targeted and effective knock down of specific servers and websites. The data held by fund managers needs to not only be secure but maintain its integrity so there is more at stake than a ‘simple’ data loss – decisions are made on information held by fund managers and if the integrity of the data has been compromised it adds to the risk that needs to be considered and mitigated. There is a possibility of sabotage to facilitate poor investment decisions and this may go undetected if the integrity of data is not monitored as closely as loss prevention or leakage. Don’t forget the information held by fund managers may be from a variety of sources and will command a high value on the black market.
FW: To what extent are emerging legal standards for data protection, as well as regulators’ expectations, impacting on the private equity funds landscape? Are private equity fund managers fully aware of their regulatory compliance obligations and, equally, understand the potential penalties under enforcement actions?
Gillespie: Fund managers are required to process, manage and store more client data than ever before. They should be concerned about, and understand, their obligations – especially with the new Data Protection Regulation coming online at the end of 2015, which has the power to impose fines of €100m or 5 percent of annual turnover for breaches of personal information. There is helpful guidance available from the SEC Office of Compliance Inspections and Examinations, financial regulators and the Information Commissioner’s Office (ICO). Understanding the reputational damage that can come from a breach is so important. Long after fines have been imposed and clients informed, the damage can continue and many businesses have not lasted the course after a major breach. The increase in monetary penalty for a major breach will only increase the risk of this happening more frequently and to more fund managers.
Scanlon: To date, the European Parliament has not moved away from its position that fines for data protection infringements should amount to €100m or up to 5 percent of annual worldwide turnover, whichever is higher. The difficulty for private equity funds is that the GDPR is in a state of transition. There is hope that the GDPR will be finalised before the end of 2015 but when you look at the draft positions of the three European bodies negotiating it, you can see that there is still a long way to go. This makes it very difficult for private equity funds to understand the regulatory landscape and have any clarity as to what can be done to future-proof their businesses in terms of data protection compliance.
Klein: The SEC, OCIE and other US government regulators have issued guidance to provide a structure for financial services firms, including PE funds, to comply with privacy and security standards. The National Institute of Standards and Technology’s (NIST’s) cyber security framework is the overarching standard by which the government is evaluating PE funds and investment advisers. The SEC advises PE companies to periodically assess the information they collect or store, their technology systems, the internal and external cyber security threats they face, and the security controls and processes currently in place. The companies should also examine the possible impact of their information or systems being compromised. An effective assessment of these items should help identify potential threats and vulnerabilities so companies can better prioritise and mitigate risk. They must create a strategy to prevent, detect and respond to cyber security threats and implement that strategy through written policies and procedures and training. Despite regulators’ guidance, an OCIE review of registered broker-dealers and investment advisers indicated that most had implemented information security plans, but less than half had designated a chief security officer or established policies governing the use of third-party vendors.
FW: In your opinion, is there a widespread appreciation within the private equity industry as to the importance of maintaining robust data privacy and cyber security systems and processes? Are they falling short on this front?
Klein: Although many private equity firms are generally cognisant of the importance of maintaining robust data privacy and cyber security systems and processes, some anecdotal evidence suggests that, despite this awareness, many of these firms are not currently focusing on cyber security. However, according to a 2015 global private equity survey conducted by EY, entitled ‘Positioning to win’, CFOs at private equity firms expect to focus more on cyber security issues in the future. As data becomes a valuable asset for portfolio companies, PE funds must enforce data protection compliance on their portfolio companies or the revenue stream that was counted on from clean data will be diminished. Funds should also ensure that they and their portfolio companies keep current on the latest security patches. Some entities are 18 months behind on installing patches that would mitigate some risks.
Gillespie: Private equity firms have an understanding but because they are part of the highly attractive financial sector, it is uncertain whether they are able to understand where their specific threats come from. The threat is highly nuanced and it is impossible to accurately say if the response and mitigation they have in place is equally nuanced. There is certainly growing coverage of cyber issues in the financial press and a look at the data coming out of the ICO will tell you that finance is a major target and also a major contributor to the level of overall data breach, in the UK at least. Looking at the insight that came from The Economist’s Cyber Incident Response Survey for Business Leaders, more than 20 percent of respondents were from board level in financial services. The responses to areas that questioned the knowledge and understanding of senior teams about data protection matters indicated a lack of confidence in awareness levels of regulation in data protection. However, the same report also indicated that the senior teams also felt they were prepared or somewhat prepared for cyber incidents.
Scanlon: There seems to be a lack of coverage across the different levels of obligations that private equity funds must have in place. While many may have organisational and technical measures in place to deal with cyber security threats, fewer have well-rounded incident response plans and a full understanding of their notification obligations to both data protection and financial services regulators when a data breach occurs.
FW: What advice would you give to private equity fund managers on establishing secure, vigilant and resilient systems that will help to mitigate cyber threats?
Scanlon: Mitigating cyber threats is not simply about having the right technology in place. Equally important is ensuring that the business as a whole knows how to respond. Legal teams, PR advisers and technical staff must all work together under the guidance of a clear senior figurehead who assumes overall responsibility. Ensuring that a business-wide solution to cyber threats is put in place and continues to evolve in response to the changing threat landscape is essential.
Gillespie: Fund managers should implement a layered approach to information security that covers people, policies and procedures and is not just focused on the corporate network. There is no point paying for the most sophisticated privately managed network if one of your employees is not trained sufficiently to understand the basic principles of information security. Within your layered approach you need to have effective attack and breach detection systems, linked to a well-tested incident response process. There should be no shared login credentials and unused credentials should be disabled. Password quality is vital and an established minimum requirement should be enforced along with mandatory regular changes and confirmation of non-duplication. Data segregation is also very important to ensure that only those individuals who actually need access to particular data sets will be allowed access. This will limit the exposure and also help with the integrity of the data because it will be clear who has been able to edit or delete data and help provide an audit trail where necessary.
Klein: PE funds should focus on the five basic steps in the NIST cyber security framework: identify, protect, detect, respond and recover. They must first develop an organisational understanding to identify and manage the cyber security risk to systems, assets, data and capabilities by performing comprehensive risk assessments. They should also implement appropriate administrative, technical and physical safeguards to protect critical infrastructure services. These safeguards include strong passwords, encryption and firewalls. For detection, funds must undertake activities to timely identify the occurrence of a cyber security event. Funds should utilise intrusion detection systems and security logs. When responding to a detected event, funds should take action to contain the impact and notify as appropriate. Funds should engage an interdisciplinary team, including IT, HR, legal, finance and PR, that has been trained to respond through a tabletop exercise. Finally, funds must maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event. They should launch business continuity plans once an incident has been contained and incorporate lessons learned into incident response plans. In addition to the NIST guidelines, funds can also look at ISO 27001 or 27002 for standards.
FW: What measures should be taken to protect private equity funds from the data security risks associated with vendors and other third parties? How should fund managers go about ensuring that effective controls are in place?
Klein: Third-party risks have been responsible for most of the major breaches, such as Target and Home Depot, resulting in multimillion-dollar exposure for companies. PE funds have been using cloud and networked data rooms to diligence investments. Such third-party access to sensitive data can be fraught with risks of cyber fraud, extortion, terrorism and espionage, malware, privacy breaches, destruction of data, and intellectual property liability. When engaging with third parties, have contractual provisions in place, such as responsibility for data security and privacy compliance, indemnification and cyber insurance. If third parties can access the PE fund’s data, insist that the third party provide a comprehensive risk assessment annually. Remember that although the PE fund can outsource certain functions, the PE fund is ultimately responsible for regulatory compliance.
Scanlon: Real and effective processes for monitoring and auditing technology supply chains take time, effort and persistence to maintain but are essential to ensure that a measure of effective security is in place. It is not enough simply to rely on contractual provisions or other documentation of arrangements.
Gillespie: All external relationships that involve data sharing need careful management from a risk- based approach. ISO27001 covers a variety of areas that are of concern. It includes a structure for mitigating risks associated with supplier access to information assets and requires documented agreements. This would also apply to partner IT infrastructure in relation to your organisational information assets. Organisations should regularly monitor, review and audit supplier service delivery. Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and reassessment of risks. In essence, what we are trying to do is extend our security expectations to encompass all organisations or individuals with whom we intend to share information.
FW: How are private equity fund managers responding to recent guidance issued by the SEC in May 2015 on steps to be taken to assess and mitigate the risk of a cyber attack?
Gillespie: We can’t honestly say specifically how fund managers are responding, but what is clear is that anything less than fully embracing good quality guidance which is risk-based – as the SEC guidance is – will mean that the reputational harm that comes to those who do not embrace it will possibly see fewer fund managers post EU Data Protection Regulations taking force. The financial sector in general has been a key target for a long time and that does not look set to diminish, although having said that, the attack vectors may flex.
Klein: Fund managers have inventoried their risks and have established written policies and procedures that would comply with the SEC’s guidance. However, the PE funds have not applied these standards to their third-party vendors or portfolio companies. Portfolio companies must have proactive processes in place to comply with legal requirements and protect their data. Otherwise, much of the PE fund’s investment in the portfolio companies will be an expense used to shore up noncompliance and not revenue-generated income to repay the investment.
FW: Where do you see the main data privacy and cyber security risks arising in future? What final piece of advice would you give private equity fund managers on addressing the data security and cyber risks they face?
Scanlon: With so much digital innovation changing financial markets, there needs to be a balance between data security and enabling innovation. Threats arise as start-ups and small and medium size organisations become part of larger supply chains without often having the experience or the resources to adequately deal with security threats. But businesses that ignore the opportunities presented by greater access to data and new technology and services will be left behind. All of this means that businesses need to work hard to ensure that they have the right people in place to balance security and innovation.
Klein: Fund managers need to be proactive. Get ahead of the problem by focusing on both your technology and your people. According to Verizon’s 2015 data breach report, 23 percent of recipients open phishing messages and 11 percent click attachments, which is why all employees and authorised users must be trained to protect sensitive information and to avoid social engineering and phishing schemes. Funds should also be aware of some of the factors that increase the risk or cost of a cyber security event. Evaluate your relationships with third parties to make sure they are protecting your data. Educate your employees on the dangers of lost or stolen devices, and implement a plan for dealing with these incidents. When a breach occurs, do not rush to issue notifications until you have all the facts. The good news is there are a few easy steps that can help decrease the cost of a cyber security event. Establish an incident response team, appoint a chief information security officer, ensure the board is involved with cyber security issues, and obtain insurance for cyber security incidents. Funds should also be sure to utilise encryption for their sensitive data.
Gillespie: Looking ahead, the overarching threat will change very little, although the landscape will become increasingly nuanced as technology changes and attackers find new exploits. The risk that comes from poorly trained staff, poor policy and process, and how this can be exploited by attackers, will remain – and attackers will continue to make the most of it. Supply chains may be an enhanced risk area as attackers find increasing security maturity challenging, and so try to attack through more vulnerable areas of a fund manager’s supply chain as an easier route in. Although it wasn’t a private equity fund, the Target breach is a good example, as an air conditioning contractor was leveraged as a route in to the business. It should always serve as a great reminder that all areas of a business should be protected, regardless of whether it is part of the corporate network or not – if it is internet enabled, it needs to be treated as a potential access point.
Mike Gillespie is the managing director of Advent IM Ltd. He is also director of Cyber Strategy and Research for The Security Institute and a member of the CSCSS Global Cyber Strategy Select Committee. Mr Gillespie is a security professional and CLAS (the CESG Listed Advisor Scheme – CESG is the technical arm of GCHQ) consultant of many years’ standing. He can be contacted on +44 (0)121 559 6699 or by email: firstname.lastname@example.org.
Sharon R. Klein (CIPP/US) is a partner in the Corporate and Securities Practice Group of Pepper Hamilton LLP and chair of the Privacy, Security and Data Protection practice. She handles a variety of corporate and intellectual property matters, in particular, helping technology and outsourcing clients grow and succeed. Ms Klein advises businesses on planning, drafting and implementing privacy, security and data protection policies and ‘best practices’, compliance with applicable laws, regulations and rules. She can be contacted on +1 (949) 567 3506 or by email: email@example.com.
Luke Scanlon is a consultant technology lawyer for Pinsent Masons. He has extensive experience advising on a full range of technology media and telecommunications matters and focuses on strategic legal planning for technology procurement, data governance, cloud solutions, social media, IP assets management and technology as it is used in the financial services sector. He can be contacted on +44 (0)20 7490 6597 or by email: firstname.lastname@example.org.
© Financier Worldwide