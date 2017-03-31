When it comes to cyber risk, private equity is not immune

31 March 2017 By Jason Lawrence*

There has been a lot of talk on cybercrime this year, with well-publicised attacks on major companies such as Santander, Yahoo, and Talk Talk amongst others. Yet, the general consensus is that private equity (PE) and real estate funds are too small to receive the same criminal attention. Wrong. Similarly, the industry considers the companies that PE invests in to be too small to be at risk. Also wrong!

This is what a typical attack looks like against funds: cybercriminals break into the internal systems and extract lists of investors along with their drawdown notices. They will then amend the bank details in the notice (to their own bank account) and issue a forged drawdown to the investors. Despite the far-fetched nature of the crime, there have been a number of instances where this has reportedly taken place within the industry. Cybercriminals know how funds work just as much as the firms.

As for portfolio companies, it’s a well-known fact that mid-market companies are some of the most unprotected businesses despite their significant volumes of trade. Portfolio companies are a real target for cyber criminals, so what can be done to protect them?

The biggest threat for both PE firms and their portfolio companies is from inside the business. The fastest route into a business for a criminal is internally via an email link or guessing an employee’s password. Complex password protocols are now a necessity, as are rigorous procedures to deal with suspicious emails. A firm must have procedures and protections in place to handle this.

Ensure everyone in the business creates diverse passwords that combine numbers, symbols and other factors to ensure it is safe and secure. Not only should this be protocol for all systems but employees should also be advised to change passwords every few months.

Regular training of all employees is essential – how to deal with suspicious emails, how to look after laptops, phones and tablets (all of which are access points into your systems). Privacy training is a must.

Networks should be updated at all times. Pay attention to all notifications regarding updates to your operating systems, anti-virus software, web browsers and firewalls. Ignoring any of these essentially leaves cracks in your defence system.

Third-party providers, whether they be fund administrators or cloud service providers, need proper protections around their systems and must constantly update their security and manage penetration tests on the firm’s behalf.

Finally, if a firm runs its own systems, it must carry out regular penetration tests. If they close the “holes” in the system, it will stop others getting in.

And how to overcome the drawdown scam?

Managers must consider the processes in place, to ensure that any change in payment details are properly communicated to investors (and acknowledged) well in advance of any drawdown notice.

Managers should consider using a secure portal, such as Investran Data Exchange or Pear Online. By communicating on issues such as drawdowns via such a portal, the manager would significantly reduce the risk to limited partners (LPs) from the process, and it is something LPs should insist on.

Consider what mitigations and responses are in place if an investor does receive a fraudulent drawdown notice and pays money into a hacker’s account. Should this be covered in future limited partnership agreements if not covered in your current agreement?

Investors must consider what processes are in place to validate that the payment details on the drawdown are correct.

Are the payment details the same as the last drawdown notice? If there is a change, has it been notified in advance?

The world is becoming a more dangerous place every day, and it is imperative that everyone has the right protections in place, either in their own systems or via third parties.

*Jason Lawrence is IT director and group information security officer at specialist administrator Augentius