Cybersecurity for Investment Partnerships, Private Equity and Real Estate Funds - Responding to a Growing Threat
Anchin Alert
July 30, 2018
Investment partnerships, private equity and real estate funds are tempting targets for cybercriminals thanks to their financial assets, sensitive customer information, and access to institutional counterparts. And the threat is growing quickly. Recent studies report that fifty-five percent of limited partners in private equity funds expect a serious cyberattack on their firms within the next five years. How can you keep your fund safe? Let’s take a look at the current threats and the latest recommendations from the SEC.
How Hackers and Malicious Insiders Target Funds
When hackers or malicious insiders target funds, their managers and advisers, they are focused on stealing information and money, or in some cases simply on disrupting business operations. Social engineering (e.g. email phishing) remains the most common method of attack, accounting for 90% or more of targeted external attacks; however, ransomware, other forms of malware (including malware that targets mobile and IoT devices) and other forms of remote exploitation continue to increase in both frequency and severity.
Once an attacker has gained access to an internal system, which can begin with the compromise of a home network or a public wireless access point, they can capture credentials and private data records or generate fraudulent requests to cash out funds, and then pivot to other internal or external systems and data repositories that the compromised access can reach.
While these are a few of the most common cybersecurity risks affecting funds today, there are many others.
The State of Fund Cybersecurity
In 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) examined cybersecurity at broker/dealers and investment funds. It found that the financial industry has taken big steps forward compared with OCIE’s first review in 2014.
Today, nearly all funds conduct risk assessments of their critical systems, follow a process to keep up with regular system maintenance and have some sort of response plan for dealing with a cybersecurity incident. But OCIE found there is still room for improvement.
Only about half of the funds examined conduct penetration tests, a crucial step for catching system vulnerabilities and a necessity for assessing the impact of a potential breach. Even when firms conduct penetration tests, many do not address high-risk issues quickly enough after they are discovered. While nearly every firm had documented cybersecurity best practices, the guidelines are often general and do not clearly explain how to handle different situations. Finally, the examinations found that many funds do not provide enough cybersecurity training for employees, and fail to perform adequate due diligence on vendors and other third parties who have access to sensitive data, infrastructure, or both.
Steps to Improve
Funds can take a number of key steps to improve cybersecurity.
Comprehensive network, application, and device vulnerability scanning should be conducted regularly, and funds should rank any vulnerabilities detected and prioritize specific steps for remediation.
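As an added illustration of ranking and tracking remediation (example code written for this page, not from the alert, Anchin or Redpoint), the script below scores scanner findings by severity and business context and flags open items that have passed a remediation deadline, the gap OCIE noted. The SLA days, weighting thresholds, sample findings and the as-of date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Remediation deadlines in days per priority tier. Assumed policy values
# for illustration, not figures from the alert or from OCIE.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    asset: str
    title: str
    cvss: float             # scanner base score, 0-10
    asset_criticality: int  # 1 (low) to 3 (high), assigned by the fund
    internet_facing: bool
    discovered: date
    remediated: bool = False

def priority(f: Finding) -> str:
    """Rank a finding by scanner severity weighted with business context."""
    score = f.cvss * f.asset_criticality
    if f.internet_facing:
        score *= 1.5
    for tier, floor in (("critical", 30), ("high", 18), ("medium", 9)):
        if score >= floor:
            return tier
    return "low"

def overdue(findings, today):
    """Open findings past their SLA as (finding, tier, days_late), most urgent first."""
    late_items = []
    for f in findings:
        if f.remediated:
            continue
        tier = priority(f)
        days_late = (today - f.discovered).days - SLA_DAYS[tier]
        if days_late > 0:
            late_items.append((f, tier, days_late))
    tiers = list(SLA_DAYS)
    late_items.sort(key=lambda t: (tiers.index(t[1]), -t[2]))
    return late_items

# Constructed sample scan output for a hypothetical fund; not real findings.
SAMPLE_FINDINGS = [
    Finding("vpn-gw01", "Outdated VPN appliance firmware", 9.8, 3, True, date(2018, 5, 1)),
    Finding("mail-gw01", "TLS 1.0 still enabled", 6.5, 2, True, date(2018, 6, 10)),
    Finding("fileserver02", "SMB signing not required", 5.3, 3, False, date(2018, 6, 15)),
    Finding("wiki-internal", "Missing security headers", 4.3, 1, False, date(2018, 1, 10)),
    Finding("trading-app", "Input validation flaw in login form", 8.8, 3, True, date(2018, 7, 20), True),
]
AS_OF = date(2018, 7, 30)  # constructed review date for the sample
```

Running `overdue(SAMPLE_FINDINGS, AS_OF)` lists the VPN gateway first (critical, 83 days late), then the mail gateway and the internal wiki, while the remediated trading-app finding and the still-within-SLA file server are omitted.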
Funds should use qualified independent third-party penetration tests as a means of detecting and evaluating the impact of potential vulnerabilities.
Funds should develop cybersecurity protocols with clear instructions on how they will be followed in different situations. For example, if sensitive information is ever compromised, the fund should have a written incident response plan that includes specific procedures for containment and eradication as well as specific notification procedures and a pre-designated breach response coach (often a law firm) and incident response team to support day-to-day IT resources.
Cybersecurity training for employees should be mandatory, both when they join the firm and periodically thereafter. The training should cover acceptable use of the firm’s network and teach employees how to use their devices safely, how to work remotely, and how to identify and respond to basic indicators of compromise.
Senior management should be involved with vetting and approving cybersecurity protocols. When management is engaged, it shows employees that this is a real priority. Finally, fund managers should consider bringing in an outside cybersecurity specialist to go over their procedures and make sure everything is running properly.
Above all, investment funds should not assume they are too small to be a target. Hackers expect smaller organizations to have weaker cybersecurity infrastructure, which makes them a more likely target. Vigilant, proactive cyber defenses are essential to protecting funds in today’s environment.
Our affiliate, Redpoint Cybersecurity, works with funds early in the process to help design and implement effective cyber practices and to provide assessments and testing of security controls. Please contact your Anchin relationship partner for an introduction and free, no-obligation, preliminary assessment.