Combatting technology risk in private equity
Private equity firms are devoting more budget and attention to technology risk, especially cybersecurity risk, in order to maintain the highest operational standards both within their own businesses and within those they invest in.
As George Ralph, Managing Director for RFA, a leading technology consulting group, explains, most PE firms tend to focus more on support services than on backend infrastructure, with risk management automation and compliance being two key aspects. Such is the level of diligence GPs apply to technology risk that hedge fund managers are increasingly turning to them for advice.
“Across our 830-odd clients, roughly 40 per cent are large PE houses,” confirms Ralph. “They are very focused on cybersecurity; more so than infrastructure. By contrast, hedge funds tend to focus more on infrastructure with less concern for cybersecurity. We look after the top three PE firms, globally, and as you can imagine a lot of managers speak to them for advice.”
RFA visits its private equity clients regularly to brief them on the latest technology developments.
“Our private equity clients genuinely treat us as a trusted partner. They involve us in their risk committee meetings, which allow us to learn a lot about their business model to properly plan and strategise their technology,” comments Ralph.
Regarding cyber risk, RFA has developed a sophisticated AI-based intrusion prevention monitoring tool, called MDR (Managed Detection and Response), as well as its own GDPR-compliant data tools.
“Under GDPR, PE firms are now data processors for all of their portfolio companies so cybersecurity and data governance are hot topics. If one of the portfolio companies has a serious data breach, the GP’s reputation is on the line because people will be expecting them to educate the companies they are investing in,” says Ralph.
He says that having comprehensive systems such as MDR in place is important within the private equity community and that GPs want to know how they measure up in the cybersecurity stakes against their competitors.
“We use a security scoring system so that they know whether they are top-tier or bottom-tier and need to allocate more budget. They like to know where they sit relative to their peers. We are often being asked by hedge funds whether they should hire their own CISO or use an outsourced CISO, but in the private equity world, most large firms have their own CISOs. In the hedge fund world, many don’t have a CISO at all, not even in an outsourced capacity. The CTO tends to do it, or they lean on one of their IT vendors to do it,” says Ralph.
By using leading-edge technology, GPs can improve the level of transparency they provide to LPs, where they can report, line by line, on their technology framework. RFA is increasingly producing compliance reports for its PE clients and has developed a number of different templates “because we are getting asked for this more and more,” confirms Ralph.
“These compliance reports list all the products they use, who is responsible for managing the different vendor relationships, breach response processes, security policies, etc. It’s basically an overview of the client’s technology.”
Ralph believes that a good technology partner to PE managers is one who has the experience and the expertise to confidently tell a client, ‘Your security posture is at 52 per cent compared to your peers, but if you do X or Y you will increase it to 99 per cent.’
“We can only do this by drawing on the experience of having worked with a large number of private equity firms,” he concludes.