Today’s private equity funds are increasingly being compared to their hedge fund counterparts and, as a result, are also facing more scrutiny. When it comes to managing and mitigating risk, PE fund managers are wrestling with growing threats on the security front and beyond and mounting pressures from the likes of the SEC and other industry best practice standards.
Security and Business Threats for Private Equity
Security threats abound for financial services firms, and private equity firms are not immune. From the inside out, the risks to PE firms grow daily, with savvy and experienced hackers looking to target financial firms – and perhaps more concerning – untrained and unaware employees blindly putting their firm’s operational standing in danger.
Beyond cybersecurity, however, there are also business threats to consider. Non-security incidents – everything from minor, incidental business disruptions to large-scale, regional impact events – can also wreak havoc for private equity firms otherwise unprepared to resume business functions. Downtime may prove to be less concerning for a PE manager than his hedge fund counterpart, but that does little to calm uneasy clients and investors who expect operations to run smoothly at all times.
PE Firms Feeling the Regulatory Pressure
The above security and business threats pose a serious challenge for private equity firms today. But beyond managing those risks to satisfy a fund manager’s own inherent desire to protect his/her firm, private equity firms also face significant and growing pressure from external bodies to meet operational excellence standards that continue to develop and evolve.
The following article was written by Dean Hill, Executive Director, Eze Castle Integration and first appeared on Hedgeweek as part of their special report: A Guide to Setting up an Alternative Investment Fund in Europe.
There is no shortage of threats to financial services firms, and the list of requirements from investors and regulators alike is growing at a rapid pace. As a startup, it's important to demonstrate to investors that you take your business seriously, hence, investments in operational excellence are required. On the cybersecurity front, that means leveraging technology infrastructure with robust, security-rich features including intrusion detection and ongoing traffic monitoring, regular vulnerability assessments and next-generation software, firewalls and patches to keep hackers out and firm assets secure.
But beyond technology safeguards, today's successful financial firms require the wherewithal to implement comprehensive cybersecurity programmes – whether you're a seasoned firm or embarking on your first investment venture. The most effective cyber programmes will focus on four critical administrative areas: (1) developing comprehensive security policies and plans to prevent external cyber-attacks or internal breaches, (2) training firm employees on said policies and current cyber threats, (3) cultivating a culture of security awareness from Management down, and (4) managing an effective risk programme via external vendor oversight.
Plan: True cybersecurity defence starts with proper planning. To start, funds need to develop written information security plans – comprehensive documentation of the firm's corporate security initiatives. This should include technical and administrative safeguards being employed to secure confidential data. In the development stage, firms will need to identify systems and plans currently being used, technical procedures and systems in effect, employee access controls relative to confidential data as well as user responsibilities for both prior to and in the event of a data breach.
Unless you’re living under a rock, you’ve at least heard rumblings about the newest app craze to hit the market: Pokémon GO. In existence for a mere 6 days thus far, Pokémon GO has already amassed more daily users than Twitter and Snapchat. And we’re not just talking about kids and millennials here. The app seems to be, perhaps unexpectedly, popular with users of all ages.
The potentially big concern to be aware of is the information users are making accessible to the app’s developer, Niantic Labs. To play the game, a Google login is required (unless you have a login with Pokémon), meaning the permissions you grant to the app include giving access to your full portfolio of Google accounts. That means email, contacts, calendar, photos and files. Even scarier, if you use Google Apps for Work, what information are you unwillingly providing to Pokémon GO?
If you’re a public cloud user and leverage Google Apps for corporate purposes, it’s worth taking the time to research the potential privacy and security impacts if your firm’s users also happen to be Pokémon GO users. At just six days old, there’s likely plenty more to be learned from the app, and the developer will likely be sharing more information in the near future on security permissions and settings.
There's a lot to be mindful of when it comes to cybersecurity. Experienced and savvy hackers. Insider threats. Regulatory guidance updates and subsequent enforcement actions. The list goes on. So how do today's hedge fund and private equity firm managers navigate the changing landscape and stay above the fray? It all starts with planning.
If you missed it, our recent webinar with law firm Sadis & Goldberg explores the regulatory climate for investment firms, recaps recent SEC enforcement actions and the variance in how compliance is evaluted, and provides practical and actionable advice for fund managers looking to address insider threats, education awareness and policy gaps around information security.
If you have a free hour, this one's worth your time.
Watch below or read our joint whitepaper, A Fund Manager's Cyber Security Action Plan.
In an alert posted to its website, the U.S. Federal Bureau of Investigation (FBI) stated that phishing email scams requesting wire fraud transfers have cost firms more than $2.3 billion in losses since 2013.
At the root of a phishing email scam is in-depth reconnaissance during which the cybercriminal delves into employees's personal information and the organization’s processes. During this phase, schemers phish languages within email threads and obtain enough information to pinpoint money-managing employees within the firm. Equipped with this insider information, the criminal sends a spoofed email, assuming the identity of the firm’s CEO or other senior executive, to an employee responsible for managing funds and requests an illegitimate wire transfer. Typically, the message will relay a sense of urgency – a key factor in the fraud's success.
According to the FBI, these email scams have increased by 270 percent (%) since January 2015. With the rise of these incipient, sophisticated attacks, the need for fully managed phishing and training programs grows exponentially. Breaches will happen, but when employees are provided with the tools and knowledge needed to recognize fraudulent emails, risk decreases and a firm’s defense system becomes stronger and more agile.
Last week it was widely publicized that approximately 32 million Twitter passwords were compromised and leaked online. These days, the reality is that password leaks are all too common.
While users must be responsive to leak news and immediately change their passwords, they should also consider being proactive in enabling advanced password protections (i.e. two-factor authentication) provided by many social media and mainstream applications.
Here’s a rundown of some popular social media and other applications that provide two-factor authentication. (Note, if you aren’t familiar with two-factor authentication, read our article What Is Multi-Factor Authentication, and How Can I Use It?)
Apple: By enabling two-factor authentication, your Apple accounts can only be accessed on devices you trust. During the initial sign-in on a new device, you will need your password and six-digit verification code that's automatically displayed on your trusted devices. Once signed in, you won’t be asked for a verification code on that device again unless you sign out completely, erase the device, or need to change your password for security reasons.
Facebook: Facebook calls it Login Approvals, but the concept is the same. Once Login Approvals is activated on your account (here’s how), you'll log in with your password, and a code will be sent to your phone. The code is required to successfully log in.
Google/Gmail: Google's two-step verification allows users to protect their accounts with both a password and phone. Step 1) Sign into Google with your usual password; Step 2) You’ll be asked for either a security code that is sent to your phone via text/voice call/Google mobile app, or you can insert your Google Security Key into your computer’s USB port.
It is worth noting that during Google sign-in, you can choose not to use 2-Step Verification again on that particular computer. From then on, that computer will only ask for your password when you sign in.
Categorized under: Security
If you missed it, last week we shared the first excerpt from our newest whitepaper, A Fund Manager’s Cyber Security Action Plan, which we wrote in conjunction with Sadis & Goldberg. Today, we’re sharing our section on the risks employees pose to firm security, including both unintentional and malicious actions that can wreak havoc on an organization.
With mounting regulatory pressure, Fund Managers can no longer afford to sit idly and rely on technology to protect them from the next cyber-attack. Advanced technology systems and infrastructure protocols are, of course, critical in mitigating cyber risk, however, for the prudent Fund Manager, the list of defense mechanisms cannot end there. Even while the sophistication of perimeter security systems and vigilant monitoring tools increases, the greatest vulnerability to a firm remains within its interior: its own employees – the people who use IT systems to conduct transactions and access sensitive data.
Employees – particularly those with unrestricted access to sensitive information and financials – are a hacker’s easiest access point into a firm. Every day, more employees fall victim to social engineering schemes and phishing attacks designed to fool them.
Entering a password or financial information. Downloading malicious software. Transferring funds. Hackers are well-versed in how to trick users into committing these acts. And while not malicious (though we’ll discuss that also), these employee actions can end up costing their organizations more than money.
Let’s look at unintentional security risks presented by employees – many of which can be addressed through training and creating a culture of security.
In case you missed it, the SEC just announced this week that it levied a $1 million fine to a prominent financial services firm for failing to adopt written policies and procedures reasonably designed to protect customer data. The SEC also stated it expects “SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Eze Castle Integration and Sadis & Goldberg just published ‘A Fund Manager’s Cyber Security Action Plan’ that covers what the SEC expects from managers. You can download the paper at www.eci.com/cyberplan or read an excerpt below.
Cybersecurity has fast become an imminent and pervasive threat to the investment management industry. Investment advisers, including those managing private funds (“Fund Managers”) are required to disclose and report a higher quantum of more sensitive and meaningful information than ever before, via Form ADV, Form PF, CPO-PQR and (for some Fund Managers) Annex IV. Cyber-attacks can be manifested in a variety of ways from multiple sources and can lead to direct losses (e.g., theft of funds, data or other property), reputational harm, regulatory actions, third party litigation and other forms of liability.
While it’s reasonable to believe that a typical CFO would not respond to a “spear-phishing” email from a fictional Nigerian prince, consider the risks presented by a more realistic cyber-attack wherein a personal email is sent to the CFO, purporting to be from your prime broker, auditor or administrator (information discoverable from your Form ADV), mimicking the patterns and style of previous email communications (discoverable from your email server) and asking for confirmation of a recent wire or some other sinister request. Internal attacks such as this are discussed further throughout this paper, and each one has the potential to cripple a fund and/or damage thousands of investors.
The below information is an excerpt from Eze Castle Integration’s 2016 webinar: The Evolution of Investor IT Due Diligence.
Investors have long been asking questions about firm operations and even technology. But with the way IT has evolved over the last 5-10 years, it’s no wonder investor inquiries have changed in both size and scope. Of course, in addition to technology evolution, we’ve also seen influences on the regulatory side, as the SEC continues to examine and evaluate firms’ security practices, which ties heavily into technology.
In looking back, it’s not unfair to say that 10 years ago, technology was what we’d call a “check the box” category. An investor due diligence questionnaire may have been one or two pages and focus mostly on firm investment history, performance, etc. On the IT side, it may have said “are you using an outsourced IT provider” or even “do you have a disaster recovery system” but beyond that, there was very little inquiry into the types of technologies being used at hedge funds as well as the protections in place to mitigate risk.
Of course, times have changed and now we see investor DDQ documents upwards of 5-10-20 pages in length and asking great levels of detail about technology, cybersecurity and operations. So let’s talk a little bit more about the influences for this due diligence evolution.
Categorized under: Hedge Fund Due Diligence Cloud Computing Security Disaster Recovery Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing
In today's Eze Castle Tech Tip: we're discussing myths about Voice over IP -- or hosted voice -- services.