Service Provider Spotlight: September 21, 2017

Why Private Equity Firms Are at Risk of Cyber Attacks

EisnerAmper‘s Service Provider Spotlight is a regular entry to our Alternative Investments Intelligence Blog featuring service providers. If you’re interested in being featured, please contact Elana Margulies Snyderman.

Threats to private equity firms continue to grow both in scope and sophistication, meaning cyber strategies and practices require equally complex and progressive thought. Particularly for firms with limited (or nonexistent) security resources, it can be a daunting task to stay on top of the new and evolving risks at hand. However, meticulous attention needs to be employed to mitigate these ongoing threats.

Unfortunately, once hackers gain access to your network or data, there is a lot that they can do to wreak havoc for private equity firms. In fact, with rogue hands on the right information, the consequences can be downright destructive for a firm’s business operations and integrity

• With stolen passwords and login credentials, hackers can gain access to company systems and networks – not an insignificant feat.
• Inside your email, a hacker can access, send and delete communications at will, potentially intercepting company sensitive material, financial data or personal details they can use to further infiltrate networks.
• Hackers can decipher corporate hierarchies and send phishing emails to CFOs, for example, requesting fund transfers to provided bank account numbers.
• A stolen or shared password could also unlock access to a firm’s CRM or accounting system, which may contain customer and potential customer information (company and personal), financials, investor analysis, sales forecasting data, etc.
• With their hands on deal flow or portfolio acquisition information, there’s a chance hackers could disrupt M&A or deal agreements or leak company material in advance of confidential negotiations.
  
  To gain a comprehensive understanding of their security posture, private equity firms should conduct a thorough risk assessment and consider exploring industry frameworks to design comprehensive cyber programs. For example, the National Institute of Standards in Technology (“NIST”) focuses on building layers of security across an organization. Their primary layers – Identify, Protect, Detect, Respond and Recover – assist firms in mapping specific strategies and safeguards to ensure a comprehensive security program is designed to mitigate risk. Following are a few examples of strategies and protections firms can employ to thwart cyber attacks:
• IDENTIFY: Risk assessments, network inventory audits
• PROTECT: Access control, security awareness training, email and endpoint security, patch management, phishing simulations, encryption
• DETECT: Intrusion detection/prevention, vulnerability assessments
• RESPOND: Incident response, remediation
• RECOVER: Backup services, disaster recovery