By Jason Lawrence (pictured), IT Director and Group Information Security Officer, Augentius – Cybercrime is one of the most serious threats currently facing financial services firms. Yet, while the risk is also present for private equity and real estate funds, the level of recognition towards the threat is notably absent in this sector.
So why is this? It appears to be due to a prevailing misconception that cybercriminals do not have sufficient understanding of how funds operate and that many are too small to be of any appeal. However, a PFM report entitled Cyber Security in Private Equity: How Prepared is the Industry? demonstrates that this is clearly no longer the case – if indeed, it ever was.
The threat from within
According to the report’s findings, more than 53 per cent of PE firms have already experienced a cyber-attack. In addition, the portfolio companies which PE invests in are themselves a compelling target for cybercriminals. Despite their significant volumes of trade, mid-market companies are often among the most poorly protected businesses in the market.
The biggest threat for both PE firms and their portfolio companies actually stems from inside their business. Cybercriminals know that the fastest route into an internal system is by using an email link, or even simply guessing an employee’s password. Once they have gained access, they then proceed to extract investor lists along with their drawdown notices. The bank details in the notice are then amended to direct to the cybercriminals own bank account and a forged drawdown notice is then issued to the investors.
Practical solutions
This is why complex password protocols are now a necessity, as are rigorous procedures to deal with suspicious emails. All firms must now have procedures and protections in place to ensure this is the case. Firms should direct everyone in their business to create diverse passwords which combine numbers, symbols and other factors to ensure security. Not only should this be protocol for all systems, but employees should also be advised to change passwords every few months.
Coupled with this, regular training of all employees is essential. This should include guidance on how to deal with suspicious emails and how to protect all access points to the internal systems i.e. laptops, phones and tablets. Networks should also be regularly updated, paying particular attention to all notifications regarding updates to their operating systems, anti-virus software, web browsers and firewalls. Not recognising the importance of these updates can leave systems and otherwise secure defences vulnerable to attack.
Find the weak spots
Third-party providers, such as fund administrators or cloud service providers, should also be vigilant about the risks to their systems and ensure that adequate protections are in place. In addition, service providers must constantly update their security and manage penetration tests on the firm’s behalf. If a firm runs its own systems rather than using a third-party provider, then the onus is on them to carry out regular penetration tests. By successfully identifying and closing any “holes” in their systems, it makes it far more difficult for cybercriminals to gain access.
In terms of preventing the drawdown scam specifically, managers must review and check the robustness of the processes they have in place. Any change to payment details should be properly communicated to investors and acknowledged far in advance of a new drawdown notice being issued. Managers can also use a secure portal such as Investran Data Exchange or Pear Online for communicating with Limited Partners (LPs) on issues such as drawdowns. The use of such portals should now be insisted on by LPs as they can greatly reduce risks associated with the drawdown process.
Plan for the worst-case scenario
Firms must also plan their response in the event of an investor actually receiving a fraudulent drawdown notice and subsequently paying money into a hackers account. If this is not already covered in a current agreement, then it could be included in future Limited Partnership Agreements (LPAs). Investors should also evaluate what processes they currently have in place to ensure that the payment details on the drawdown are indeed correct. This may be as straightforward as comparing that the payment details are the same as the last drawdown notice and, if not, that they had received a verified notification of this change in advance.
Cybercrime is gaining momentum and no industry can consider themselves exempt. The PE sector must have the right protections in place to protect firms and their portfolio companies from this very real threat.
