How to Build a Cybersecurity ‘Threat Model’ for PE

Cyberthreats aimed at a private equity firm are coming from two directions, and each requires different due diligence.

A cyberattack can hit the PE fund itself, explains Daimon Geopfert, national leader of security and privacy services at RSM US LLP, compromising the information of investors and portfolio companies. Attacks can also target a portfolio company directly, impacting day-to-day business and customer data. “If it’s breached at the portfolio company level, it can lose a ton of value,” he says. He terms the portfolio company “intellectual property. Private equity is an industry, but also a conglomeration of other industries.”

PE firms are experiencing increased pressure to increase cybersecurity preparedness efforts. The Securities and Exchange Commission recently issued regulations intended for private equity firms, following in the footsteps of the payment card industry, says Geopfert. “You’re going to the see the SEC move away from guidance that is very generic and starting to move towards full security monitoring and effective incident
response systems.”

The challenge is that each cyberthreat or attack requires different strategies depending on the firm or portfolio company, and no two situations are alike.

Get Out in Front of a Threat
—
One of the most important things a PE firm and its portfolio companies can do is a fund-level threat assessment. Geopfert says it’s important to delve into how someone would attack a fund, how someone would go through a portfolio company to attack a fund, or how someone could reduce the value of a company through a cybercrime. “You have to sit down with someone who hacks and have them tell you, ‘If I was going to hack you, here’s how I would do it.’ If you can force the attacker to get out of their comfort zone, if you can defeat their first two to three attempts, they will move on.”

Monitor Your Portfolio Companies
—
“The biggest thing with portfolio companies is to make sure they’re compliant,” he says. “We deal with a lot that aren’t compliant with the basics of their industry.” In many cases, Geopfert says, when a portfolio company is breached, it’s through simple ways: via an email or phone call asking for financial information, or a fake executive or vendor asking for an employee to wire them money. It may be a breach of a small company where they get to its bank account and do wire transfers. “They’re more concerned about protecting customer data,” he says, referring to the companies. “The most common issue is these lowtech hacks.”

For these kinds of low-tech hacks, actively monitor the company’s financials so you can act quickly should a suspicious money transfer occur, Geopfert says. “If you can move fast enough, you can get the money back. They try to move the money, and the second it hits, they have someone waiting to withdraw it. It’s a race between you and the attacker.”

A firm can make sure its portfolio company is taking steps such as frequently changing passwords and setting up two-factor authorization. “Anything to make the attacker work for it,” says Geopfert. For larger hacks that access customer data, and that involve law enforcement being contacted, he notes that a firm should be prepared to be told that they can’t help because it’s out of their jurisdiction. Other steps involve calling the insurance agency, if there’s a cyber insurance policy, and having someone on retainer to manage the response for the firm.

Get the Right People and the Right Tools
—
Cybersecurity threat assessment can be bolted onto a firm or portfolio company’s existing risk management policies and actions, but security expertise that goes beyond the basic knowledge is required. Specifically, a firm needs professionals who understand the technical dimensions of threat planning, detection, and response. “How do you control third parties? How do you do vendor management? When you share data, how do you protect it?” asks Geopfert. He notes that PE groups often complain that the cybersecurity people they do find often have a very narrow focus and are only interested in selling tools and software rather than helping proactively prevent a breach, or mitigating fallout when one occurs. “They often say, ‘Stop trying to sell me a thing, and tell me how to actually control security over time.’ The pool of people to do that is very shallow.”

Technological preventive measures still include old standbys like firewalls and anti-virus products, but PE firms are being pushed hard to move to newer solutions such as network-level malware detection, egress controls, and security monitoring solutions that flag abnormal behaviors. “For attacks targeting employees, make sure you are constantly updating security awareness training, spam filtering, and controls around how corporate bank accounts can be accessed,” says Geopfert.