5 Best Practices To Ramp Up Cybersecurity At Private Equity And VC Firms

Forbes Technology Council

Michelle Drolet is CEO of Towerwall, a specialized cybersecurity firm offering compliance and professional cybersecurity solutions.

Private equity (PE) and venture capital (VC) firms have become prime targets for cyberattacks. Perhaps unsurprisingly, cybercriminals tend to gravitate toward money, and there’s a lot of it in private equity. The numbers are mind-boggling: The average midmarket fund encounters more than 10,000 cyberattacks daily. Advanced Technology Ventures, Sequoia Capital and Plug and Play Ventures are examples of some large VCs that have fallen victim to attacks recently.

Cyberattacks can have major ramifications for VCs and PEs. Deals can fall through, the market cap of compromised (portfolio) companies can be wiped out overnight, sensitive data can be stolen along with consumer trust and competitive edge, and unwanted lawsuits, investigations and penalties can follow, eventually impairing the ability to attract or retain investors.

Financial services firms are 300 times more likely to become victims of cyberattacks than other businesses. While banks might be top-notch from a security perspective, PE and VC firms may not have the same level of security. Here are five recommendations that can help PEs and VCs step up their cybersecurity game.

1. Assess and prioritize your risks.

One of the first steps in designing an effective risk management program is identifying what’s at risk and assessing the countermeasures that are already in place to protect it. Once risks are identified, cybersecurity controls can be designed around them. Remember that certain situations may pose greater risk and demand tighter controls. For example, “significant financial events” such as M&As are at a high risk of ransomware scams, according to the FBI. At a high level, it’s also a good idea to evaluate the security posture of portfolio companies through a common security lens. This allows PEs to understand where the most risk resides and what needs to be done to bring risk back to acceptable levels.

2. Take stock of compliance and regulations.

PEs, VCs and registered investment advisors (RIAs) have a fiduciary obligation to oversee cybersecurity readiness and incident preparedness for the sake of customers and shareholders. The SEC proposed new cybersecurity rules relating to RIAs’ cyber risk management, incident reporting, disclosure and record-keeping. The new rules mandate that all RIAs implement policies and procedures designed to address cybersecurity risks. Further, they must review and assess those policies and procedures on an annual basis and have incident response and recovery processes in place. They are also advised to maintain records relating to cybersecurity incidents, and victims are required to report cybersecurity incidents within 48 hours of discovery.

Additionally, there are several regulations (such as SOX, GLBA and PCI-DSS) that might apply to portfolio companies based on the jurisdiction in which they operate. Firms that fail to perform adequate cybersecurity diligence on their portfolio companies can run afoul of the duty-of-care framework set out by the SEC.

3. Focus on cybersecurity hygiene of employees.

The human element is the root cause of nearly 82% of all breaches. An unsuspecting employee can reply to a phishing email, download a malicious attachment or visit a malicious URL; a well-meaning developer can accidentally leave cloud servers unprotected; and a negligent employee with privileged access can use a weak password that is easily cracked or guessed. Businesses must therefore mitigate these risks by training staff on cybersecurity hygiene. Employees should understand the latest tactics used by cybercriminals, as well as their own responsibility, accountability or liability in the event of a cyber incident. Cyber hygiene must be deeply rooted in the organization’s culture (use of strong passwords, secure online behavior, patching and updating software, reporting suspicious activity, etc.). Extend the same training to employees of portfolio companies.

4. Ensure there is a vendor risk management program in place.

Investment funds and advisors depend on a vast array of interconnected systems, which exposes them to a range of cybersecurity risks. Since most breaches involve hackers accessing systems through an outside vendor or a third party, PE and VC firms should conduct cyber diligence on all their suppliers and on the suppliers of portfolio companies. Consider evaluating their security history, audits and practices, and how they compare against industry frameworks such as NIST, SANS or ISO. When onboarding a new client, obtain a written commitment that they will maintain your information securely and notify you in the event of a breach. Establish policies, protocols and procedures to vet their information security practices regularly. Prioritize partner companies by the level of risk they pose to the firm. Ensure portfolio companies follow a standard set of guidelines, procedures and protocols, as this allows PEs to get a holistic view of emerging cyber risks.

5. Test defenses regularly and be prepared for any eventuality.

The attack surface is constantly expanding. Every new system, user, application, device and acquisition adds another layer of cybersecurity complexity. It’s important for organizations to establish a process that identifies security gaps and vulnerabilities regularly, before they become major incidents. Hire a security expert to perform a network penetration test and a thorough vulnerability assessment at least once a year. Perform an extensive audit of internal and external infrastructure, firewall rules, wireless configurations, application code and cloud policy configurations. Rehearse incident response plans and keep them updated. For the worst case, have cyber insurance in place, as this can help offset some costs and aid in faster recovery. Get portfolio companies to opt for cyber insurance as well.

For PEs, having a security-first approach is paramount. Stakes are high, and one mistake, one lapse in judgment, can have dire consequences. In the end, the goal is to build an actionable, measurable and repeatable security framework that spans the entire investment portfolio and the entire M&A life cycle: due diligence, onboarding, integration and exit.
