Something Worth Stealing: Why Private Equity Firms Should Prioritize Cybersecurity
Why are PE Firms Under Attack?
Private Equity International (PEI) recently conducted a survey of 100 international private equity firms to assess their cybersecurity hygiene and identify larger industry cyber trends.
Biggest Cybersecurity Threats
Who Owns Cybersecurity?
Cybersecurity today is no longer just an IT issue or a compliance issue, but a firm-wide issue that requires complete buy-in from all partners and employees, regardless of their roles in the organization. When it comes to leadership, the report showed that most firms believe the CFO is in charge, but the COO and CTO are also taking ownership.
SSL encrypted threats
High-value Information: They store customer and market-sensitive data that they cannot afford to expose in the event of a breach.
Low Tolerance for Risk: They are highly susceptible to outages that can cause significant business interruption or reputational risk.
They Don’t Think They’re a Target: They have not put enough focus on cybersecurity, with regulators focusing on higher-profile financial firms like hedge funds and banks.
of PE companies are not conducting a cybersecurity assessment as part of their due diligence when acquiring portfolio companies.
Brute force attacks
Cybersecurity Practices: What are PE Firms Doing Now?
Infected mobile devices
of the businesses surveyed allow their employees to use personal devices (mobile phones, laptops, etc.) for work-related tasks.
of respondents do not issue any cybersecurity guidelines to staff around the use of different device types (mobile phones, laptops, etc.).
of respondents say they have a fully operational SEC-compliant cybersecurity program.
of PE companies have no standard processes for systems integration following a merger and acquisition.
Cybersecurity should form a fundamental part of the due diligence and selection of third parties. Agreements between funds and third parties should contain explicit mention of cybersecurity issues with clear steps outlined for mitigating risk as well as set out the compensation that will be owed in the event of a breach.
“No matter how much firms achieve through their deal-making capabilities, cyber weaknesses in the back office have the capacity to undermine even the most stellar reputations and undo years of hard-earned success.” ~ Dan Gunner, Director, Research & Analytics PEI
The Survey Says...
Overall, the survey highlights three primary cybersecurity vulnerabilities that PE firms should consider.
“Many small and mid-sized financial firms (wrongly) consider themselves too small to be of interest to cyber criminals and choose to ignore the threat, leaving them open to attack. Private equity firms are particularly vulnerable as most operate with small cybersecurity budgets and limited IT staff.” ~ Eldon Sprickerhoff, Founder & Chief Security Strategist, eSentire Inc.
Attitudes of PE Firms about Cybersecurity
Encouragingly, 46% of respondents recognize that having a robust cybersecurity program can be a competitive advantage for their business.
75% of survey respondents feel that cybersecurity is a relatively high risk to their business operations.
More than 50% of respondents think that regulatory compliance is of the highest importance to their businesses’ cybersecurity management.
The absence of current cybersecurity programs.
Unmonitored and unsecure devices.
A lack of requisite expertise among staff to develop effective cybersecurity protocols.