Every industry has reason to concern itself with cybersecurity, and that includes private equity. Reducing the risk of a data breach means acknowledging that as new technologies are implemented globally, they carry the potential for more types of cyber-attacks than we've ever seen before – and some are more sophisticated than we ever imagined. Everything you need to know about safeguarding your financial info is below.
Cyber Security Financial Info Threats Specific to Private Equity
There are certainly common threats that every industry and organization should plan for just by dint of being in business in the age of the internet. Where there's money involved, there are bad actors. But where retail giants like Target and Walmart have to focus on point-of-sale (POS) system hacks and credit card skimmers, private equity firms have to center their risk-reduction strategy elsewhere when safeguarding financial info.
Besides contending with data security at a fund level, there are also portfolio company risk points to contend with, as well as the steep fines associated with evolving data privacy laws and regulation all over the globe. Deploying the latest technology requires financial institutions to run a risk assessment to see if they are vulnerable to attacks, so naturally knowing what these specific risks are will help fund administrators and portfolio-side leadership proactively protect sensitive data at all levels.
Data Theft and Record Leaks
Firms are charged with keeping personal information secure and the safekeeping of other company's data as a matter of course. Failing to sufficiently secure that data can be disastrous for all parties and have disastrous consequences. Identity theft, reputations and contracts are all on the line and protecting against leaks will protect the interest of firms and the portfolio companies they manage.
Phishing and Spoofing
Socially engineered cyberattacks are usually frustratingly simple, if only because they rely on human nature. The more people involved in organizational operations, the more chances there are for bad actors to exploit the simple mistakes humans can make. Private equity is especially vulnerable because of the sheer amount of employees to coordinate – and therefore weak links – in the chain. A spoofed email address from the internal IT help desk, a CFO or vendor can easily trick employees into handing over information that allows entry points into data systems or even into handing over cash for fake invoices.
Alternative investments make money. A lot of it. In 2018, the combined managed assets of private equity funds topped $680 billion, and aggressive growth strategies in the industry will only bring in more. Hackers know that there's money to be had if they can deploy a successful attack – by simply holding company data hostage, they can demand a steep ransom to release it back to a firm that doesn't want to risk the dissemination of confidential company data or the damage to their reputation that dissemination would incur.
Is Your Financial Data Safe?
There are a number of ways to limit the liability general partners have at multiple points of potential risk but ensuring financial data security really begins by drilling down into what you're already working with. It isn't enough anymore to assume that a general partner liability insurance policy or even cyber liability insurance policies will protect against every kind of attack listed above. Instead, begin by zooming out to examine fund-level cybersecurity first:
What does your existing protective protocol look like?
What monitoring or auditing tools are in place to prevent breach or fraud?
Which security certifications and training initiatives do you already have in place?
Have you had a third-party evaluate potential weak points and advise you on how to prevent a financial data breach?
Do you know how to respond to a financial data breach should the worst happen?
From there, you'll want to zoom in to examine the cybersecurity needs that may exist at the portfolio company level to ensure that sensitive information doesn't fall into the wrong hands:
How much of your portfolio company's financial information do you already have on hand, from what you collected at the due-diligence phase onward?
Does your portfolio company have multiple business units that use disparate accounting software?
Are the portfolio company's records or ERP cloud-based or are they using internal, potentially unsecured systems?
Get the Report: F&A BPaaS: A Game Changer For SMB & Mid-Market Companies
Protect Portfolio Company Data and Decrease Costs With a Reputable Outsourcing Partner
Outsourcing has a slew of benefits for private equity firms hoping to universalize and streamline the management of finance and accounting processes within their portfolio. Besides decreasing headcount, consolidating desktop procedures and preventing margin erosion, outsourcing done right can add an extra layer of security to sensitive portfolio company information.
It all comes down to the technology. A tech-agnostic business process outsourcing (BPO) provider will work within your asset's existing technology using the same procedures and protocol that's been implemented stateside, which avoids the potential risk points of migrating portfolio company data onto a proprietary tech stack.
Practices like desktopping will keep financial leadership in control of cash flow while reaping the cost benefits of offshore talent, while 1:1 resource allocation keeps information access limited only to the remote full-time employee (FTE) or employees that need it. This contains data flow and eliminates weak security points.
Watch: Desktopping Defined
Any PE firm looking to pass finance and accounting within portfolio companies to a remote team will also want to find a partner that has the proper, current security certifications expected of a world-class firm. Personiv, for example, adheres to the International Organization for Standardization (ISO)'s data security standards with 9001:2015 and 27001 certifications that outline the gold standard for data handling and documentation within organizations. This is only a first line of defense, however – just one key component in a holistic cybersecurity plan.
A full cybersecurity tactical plan requires implementations at all levels: training employees to follow protocol; making sure offshore facilities have multiple points of authentication to ensure only the people accessing customer information who are permitted to access your data can do so; setting up virtual private networks (VPNs) for remote work and managerial certifications in leadership programs like Six Sigma to get out in front of inefficiencies and detect potential fraud.
Safeguarding your portfolio company's sensitive financial info -- and therefore your own -- does not mean that you have to sacrifice the important cost-saving measures that outsourced talent can provide. You just need to find a partner who is as invested in keeping your data locked down as you are.
Learn more about Personiv's procedures at three levels: PEOPLE, PROCESS and TECHNOLOGY over on our cybersecurity page, or speak to one of our team members about our information security program and our unique approach to private equity solutions.