Private equity cybersecurity best practices
September 23, 2015

Private equity firms and their portfolio companies may be at increasing risk of cyberattacks. In an interview with The Wall Street Journal, John Watters, CEO of cybersecurity company iSight Partners Inc., warned that “dozens of large private equity firms are currently compromised, and they don’t even know about it.”1

Private equity firms have cybersecurity concerns that go beyond their own systems. Many firms increasingly need to consider their broader ecosystems, including their portfolio companies and their intellectual property, which could be the target of cybercriminals — any PE firm with investments in new or emerging technologies or markets should take note.

What is preventing private equity firms from getting a handle on cybersecurity? One thing may be that they lack standardized, industry-regulated information security controls. But even more important is what Watters calls the “typical hands-off approach” that firms use in managing their portfolio companies, which are given a level of autonomy but may not be large enough to have proper cybersecurity defenses. Watters recommends moving to a “community” defense, sharing strategies across the portfolio.

In addition, the Dodd-Frank Wall Street Reform and Consumer Protection Act mandates that private equity firms face a more robust compliance regime, including SEC exams. Cybersecurity is a major exam focus, with the aim of protecting investors and preserving market integrity, and this year’s exams are focusing on governance and controls. Firms that score low on exams will face major penalties. In fact, through speeches by its leadership, the Office of Compliance Inspections and Examinations (OCIE) examination program, and a series of new guidance, the SEC has repeatedly highlighted cybersecurity as a major focus for the foreseeable future.
Given the rapidly changing nature of cyberthreats, as well as the more advanced and pervasive use of technology throughout the private equity industry and within its portfolio companies, it is best to be well prepared with cybersecurity policies and procedures.

SEC exams

In 2014, the OCIE conducted sweep examinations of the cybersecurity policies of industry participants in order to assess vulnerability to cyberattack. In February 2015, the OCIE released a Risk Alert2 that provided key exam observations, noting that most examined firms:

- Have written cybersecurity policies
- Conduct periodic firmwide cybersecurity risk assessments
- Have undergone a cyberattack in some form
- Conduct firmwide inventorying, cataloging or mapping of their technology resources
- Use encryption in some form
- Provide their clients with suggestions for protecting personal information

The new SEC guidance aimed at investment funds

On April 28, 2015, the SEC’s Division of Investment Management released new cybersecurity guidance3 specifically aimed at investment companies and advisers. The guidance reflects the fact that “both funds and advisers increasingly use technology to conduct their business activities and need to protect confidential and sensitive information related to these activities from third parties.” The guidance discusses the issue and puts forth cybersecurity measures that funds and advisers should consider, including:

- Periodic assessments. To help prevent cyberattacks, firms should develop a cybersecurity framework that includes conducting periodic assessments to help them assess, evaluate, manage and monitor cyberrisks and controls. These assessments should look at (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk.

- A cyberattack defense strategy. Firms should create a strategy designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response (IR) plan. Routine testing could also enhance the effectiveness of any strategy.

- Implementation planning. The firm should have a plan in place to implement the strategy through written policies, procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.
The guidance also recommends that funds and advisers review their internal operations and compliance programs to ensure that they have adequate policies and procedures in place. For example, a fund or adviser could address cybersecurity risk as it relates to such areas as identity theft and data protection, fraud, and business continuity issues and other disruptions that could affect, for instance, a fund’s ability to process shareholder transactions. In addition, the SEC suggests assessing third parties for adequate cybersecurity measures, especially when those providers have access to a firm’s technology systems and data.

On September 15, 2015, the OCIE issued a Risk Alert4 regarding a second phase of cybersecurity exams. These exams will continue to assess firms’ cybersecurity preparedness, including protecting confidential information, and they will also test firm controls. Key focus areas will include:

- Governance and risk assessment. Whether firms have cybersecurity governance and risk assessment processes for the key focus areas.
- Access rights and controls. How firms control access to systems and data through management of user credentials, authentication and authorization methods.
- Data loss prevention. How firms monitor the content that may be shared externally by employees or through third parties.
- Vendor management. How vendor relationships are monitored in advance and as part of ongoing risk assessment processes.
- Training. How firm training procedures are designed to encourage employees’ understanding of and adherence to firm technology protocols.
- Incident response. Whether firms have established policies, assigned roles, assessed system vulnerabilities, prioritized each area’s importance and developed plans to address cybersecurity attacks and potential future breaches.

These focus areas are subject to change once the examiners are on site, based on initial findings.
The SEC also included a sample document request in the Risk Alert to help firms assess cybersecurity preparedness. Besides preparing for an exam, thoughtfully collecting and updating these documents can be useful in assessing and strengthening a comprehensive cybersecurity preparedness program. The document request includes:

- Policies and procedures for all focus areas
- Documents on periodic cybersecurity risk assessments
- Procedures for the systems or applications used to authenticate access to secure information
- Cybersecurity language in any third-party vendor agreements
- Training materials for cybersecurity training programs
- Incident response plan documentation and testing procedures

“Cybersecurity should be at the top of a firm’s risk assessment.”
— Mary Jo White, SEC Chair, ICI General Membership Conference, May 2015

Best practices

In its guidance and in a recent speech5 by Marc Wyatt, the OCIE’s acting director, the SEC discusses key best practices that firms should consider.

Compliance program management: Private equity firms should create a separate role in the company for the chief compliance officer (CCO) function (compared to the prior practice of folding this role into that of the CFO or general counsel) and give CCOs greater visibility into the business model.

Written security policies and procedures: Private equity firms should have robust policies and procedures in place. They should have written information security policies and procedures that outline the safeguards in place to ensure that confidential data is protected (e.g., network firewalls, controlling access to more sensitive data). Having such policies and procedures in place aids in avoiding or decreasing knowledge gaps, as well as educating new hires and helping maintain institutional memory in the event of staff turnover.
Assessment of governance and oversight of risks: Fund management should update its board of directors and its portfolio company boards on cybersecurity actions as they are implemented. A best practice is to establish a cybersecurity committee that is charged with monitoring changes in industry practices and championing cybersecurity policies throughout the firm and its portfolio companies (rather than just in the IT environment). Another best practice is to create a chief information security officer (CISO) position, whose role is to be accountable for cybersecurity and to closely monitor any third parties that work with firm cybersecurity personnel. The board of directors has a critical cybersecurity leadership role to play. Directors must work with senior management to establish a clear structure of accountability, with defined responsibilities. When additional internal cybersecurity know-how is needed, boards should not hesitate to consult outside sources.

Testing and monitoring of systems and controls: Firms should conduct routine testing and monitoring of systems and controls to ensure that they are current and incorporate the latest security patches. Common types of testing performed include penetration and intrusion testing.

IR plans: Firms should have a plan in place that defines rapid response capability in the event of a cybersecurity breach or threat. The IR plan might include an IR team that designates who is responsible for which tasks. Other important factors the IR plan should take into account are the point at which incidents should be reported to clients or counterparties; which regulators or law enforcement agencies should be notified; and what factors or considerations should be weighed in deciding whether or not to report. Firms should also be cognizant of any contractual requirements to provide notice to any individual or entity.

Due diligence of service providers: Appropriate due diligence should be conducted on all service providers. This is especially important if the firm is dependent on them to complete activities for the fund.

Cyber liability insurance: Advisers should be aware that standard insurance policies (e.g., errors and omissions, directors and officers liability) may not cover cyber-related losses and, therefore, might consider the value of cyber liability insurance in addition to their current policies. In fact, insurance should be considered a key component of a cybersecurity plan because it can provide the necessary tactical and financial support in the event of an incident. This requires an organization to perform the necessary due diligence beforehand, which in itself has the added benefit of identifying and remediating cybersecurity gaps. It is important to note, however, that insurance is not a substitute for appropriate security policies and procedures.

Enhanced training: The weak link in cybersecurity tends to be human error, so effective firmwide training is critical. Once an adequate policy is in place, the next step is to ensure that personnel understand the firm’s risks and know their responsibilities for protecting the firm and client data. Training on this topic should be conducted at least annually, and upon hiring of new personnel or consultants. The guidance also proposed that advisers consider educating investors and clients about how to reduce cybersecurity threats to their accounts.

Third-party risks

Private equity firms often work with interface vendors to facilitate performance reporting from their portfolio companies. Risk should be addressed from the very start of the relationship, and the system architecture should be built with cybersecurity in mind. Monitoring these third parties is critically important, since many funds do not have a hands-on portfolio management policy.
Funds that use third parties for critical activities should implement a more rigorous and comprehensive oversight process that includes:

- Board review of the third-party relationships to determine if activities are consistent with the fund’s strategic goals, organizational objectives and risk appetite
- Board approval of management plans for using third parties that involve critical activities
- Board review of the due diligence results and management’s recommendations to use third parties that involve critical activities
- Board approval of contracts with third parties that involve critical activities
- Board review of ongoing monitoring of third-party relationships involving critical activities
- Board oversight of actions to remedy significant deterioration in performance or changing risks or material issues identified through ongoing monitoring of critical activities
- Board review of periodic independent reviews of the fund’s third-party risk management process

3 tips for contracts with third-party service providers

For private equity funds, any third-party contracts should include:

1. The third party’s specific performance responsibilities and duty to maintain adequate internal controls for its services
2. The third party’s responsibilities and duty to provide adequate training on applicable consumer protection laws, and the institution’s policies and procedures, to supplier employees or agents
3. Acknowledgment of the financial institution’s authority to conduct periodic on-site reviews of the third party’s controls, performance and information systems to confirm contract compliance

Conclusion

The SEC expects funds to have a comprehensive plan that addresses cybersecurity risks and also includes controls to mitigate those risks. Each private equity fund must tailor a plan to its own particular set of circumstances. In developing your plan, we recommend that you:

- Establish a framework. Cyberattacks and their associated costs have exploded, exposing a need for an overarching framework that pulls together governance, risk assessment and monitoring considerations, such as the 2013 Framework. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has offered guidance on how its 2013 Framework can be instructive in helping organizations assess, evaluate, manage and monitor cyberrisks and controls. By applying relevant aspects of COSO and related frameworks and standards, companies can more effectively assess their vulnerabilities, shore up their defenses and improve their ability to stay a step ahead.5
- Get leadership buy-in. Senior (or C-suite) executives must be on board with establishing the cybersecurity framework to ensure that all organization levels are involved in the process and that the right business risks are considered. This issue is far greater than just IT strategy — it is everyone’s concern.
- Assess the current state. Objectively assess the current control environment and decide the target state based on the regulatory and business environment. An objective assessment should ideally be performed by an independent party.
- Tailor your approach. Do not take a plug-and-play approach to your organization’s framework. Select the framework areas that are both efficient and effective for your current environment.
- Test your framework. The framework, or the risks and controls identified, should be tested periodically to confirm effective operation of the controls.
- Review your framework. Periodically revisit the framework to confirm it is updated as needed. Remember, your framework should be able to adapt to the changing environment and risks for your industry.

Private equity funds are an especially attractive target for hackers due to the number of loosely monitored portfolio companies they interact with on a daily basis.
Larger funds may have an in-house IT staff to address many cybersecurity planning issues, but smaller funds may need additional help. No matter where you fall on this spectrum, this is the time to make sure you have your cybersecurity planning well in hand.

How to prepare for a breach and how to react if one happens

To prepare for a possible breach, we recommend four key steps to lay a solid foundation:

1. Data mapping and classification. Before you come up with a plan to protect your data, you need to know what you are protecting. That is where data mapping comes in. It is the digital equivalent of going through your home and inventorying your valuables for insurance purposes. Data mapping can help you answer important questions like: “What are the crown jewels of our business?” “Is intellectual property important?” “Are we an information-gathering or data-hosting firm?” You need to know what your assets are — as well as their value — in order to protect them.

2. Conduct a vendor assessment. You need to account for data held by business partners, vendors and other third parties — not just the data stored within your organization. Are they protecting data with the same fervor you are? To find out, it is critical to assess your partners’ cybersecurity measures and your vendors’ management processes. You will need to determine how these organizations will protect your data, whether through contractual agreements, assessments or audits. Depending on the size of your organization, your vendor management group may be able to handle this, or it might require a combined effort, with your accounting group and IT security staff working together to look at vendors.

3. Create a risk profile. There is no way to know exactly how vulnerable your systems are without having someone try to hack them. Hire an outside firm to conduct a vulnerability assessment and penetration test (i.e., ethical hacking). Form a risk profile based on that report, and identify the biggest weaknesses in your systems. The information will help you decide where to allocate your resources and which areas to prioritize.

4. Create an IR team and develop a plan of action. While cybersecurity may seem like a specialized issue, it has a much broader impact than your run-of-the-mill IT matter. Therefore, you will want to have a defined IR team at your disposal to help tackle any potential breaches. Some organizations appoint a CISO to oversee cybersecurity efforts and report to the internal audit leader or CFO. The rest of the team should include representatives from all data custodians, such as HR, marketing, accounting and R&D, as well as the CISO and IT director. In some cases, you will also want to include any vendors or partners that have access to your data, as well as members of your PR team, a federal law enforcement official and a specialized consultant who can help you in case of a breach. With your team activated, you can create an IR plan to outline your responses to various scenarios, establish a base of operations and name a single point of contact.

Your risk profile and IR plan should be living documents. Ideally, you should conduct a vulnerability assessment and penetration test every six months, updating the risk profile and informing the IR team of the results so they are aware of the evolving strategy.

When the unthinkable occurs and you experience a breach, there are several key actions you must take. The first thing to do is notify outside counsel, who will direct your team as they start executing your IR plan. Bring all the stakeholders to the table and keep any relevant parties apprised of your team’s findings. Your IT services adviser should act quickly to assess and report on the extent of the breach, ideally within 12–18 hours.

Your adviser will then perform data analytics on server logs, routers and network operations devices to understand anomalies and determine where the breach originated. They will address whether the breach was internal or external, or possibly even employee-assisted. Perhaps your systems were never actually breached, but hackers were able to get in through a third-party channel. The adviser will collect email from servers, as well as review unstructured data, to determine whether your organization did what it could to prevent the breach. Finally, upon completing the investigation, the adviser should work with your IR team to preserve your data for remediation purposes, patch holes or remove malware, and get your organization back online to avoid operational delays.

After the initial crisis, your adviser will work with the in-house IT team to replace any corrupted systems and implement projects to address security weaknesses. You may need litigation support, project management and PR services. Long term, you will likely work with IT analysts, industry experts and other specialists to assess processes and make any necessary changes to the IR plan.

Is your organization ready to handle a cybersecurity breach? Our article, “Unprepared organizations pay more for cyberattacks,”6 provides more information.

How Grant Thornton LLP can help

Talk with one of our cybersecurity and privacy professionals to help you create your plan. We understand the complexities and acute needs of the private equity industry. Let us help you be prepared. In addition, many of the processes described in this article may require an independent firm to conduct them successfully. We at Grant Thornton stand ready to provide industry-focused professionals to help you in such areas as:

- Cybersecurity strategy and planning
- Enterprise risk management
- Governance, risk and compliance
- Regulatory compliance
- Vendor due diligence
- Technology solutions
- IT advisory
- Forensic, investigative and dispute services

If you have any questions or wish to speak to a Grant Thornton representative, please contact any of the professionals listed.

Contacts

Michael Patanella, Audit Partner, U.S. Asset Management Sector Leader, T +1 212 624 5258
Grant Rapaport, Audit Senior Manager, Financial Services, T +1 212 624 5267

1 Dai, Shasha. “Breaches Highlight Cybersecurity Issues at PE-Backed Companies,” The Wall Street Journal, March 10, 2014.
2 SEC Office of Compliance Inspections and Examinations. “Cybersecurity Examinations Sweep Summary,” National Exam Program Risk Alert, Feb. 3, 2015.
3 SEC Division of Investment Management. IM Guidance Update No. 2015-02, Cybersecurity Guidance, April 2015.
4 SEC Office of Compliance Inspections and Examinations. “OCIE’s 2015 Cybersecurity Examination Initiative,” National Exam Program Risk Alert, Sept. 15, 2015.
5 Wyatt, Marc. “Private Equity: A Look Back and a Glimpse Ahead,” May 13, 2015. See SEC.gov for more information.
6 For more information, see Grant Thornton’s article “COSO Framework: Applying a governance structure to manage today’s cyberrisks,” originally published in the CorporateGovernor newsletter on Aug. 26, 2015.