ike other critical economic sectors, Private Equity Firms and their portfolio companies are increasingly facing digital threats. Whether this threat originates from organized criminal enterprises, disgruntled employees, or even careless vendor protections, digital risk stands to significantly impact business operations. Firms that fail to proactively prepare for these cyber threats of today, face profound reputational risks and financial losses, whether internally or through its’ portfolio companies.
With regulatory bodies such as the SEC, now requiring enhanced cybersecurity protections, proactive efforts by senior leadership and boards to combat these threats should not only be seen as good business practices, but a legal necessity.
With all this in mind, you are probably asking yourself, what are the real threats to my business and should I be more selective in the vendors I’m doing business with? With budget on the mind you’re also likely wondering how do I effectively prepare without breaking the bank?
We will explore the answers to your burning questions in this ValorrInsight.
What are the real business threats to Private Equity and Venture Capital Firms?
Beyond direct losses in the form of funds, data, or intellectual property, firms that fail to protect their trusted investments and customers best interest, face potential lawsuits, fines, and damage to their brand. In addition, impacted firms may be the focus of follow-on attacks, if bad actors can determine that their actions are profitable enough.
Combine this with the pandemic and ongoing economic lockdowns, many corporations have been forced to pivot to a work-from-home operating model; One is which has significantly increased cyber risk and associated attacks on valued data, and digital infrastructure. In a recent poll conducted by security news organization, Threatpost1, a reported 40% of corporations saw a rise in cyber incidents as they shifted to a remote workforce. These cyber incidents typically fall into the following business risk categories:
- Ransomware: The attacker steals and holds data or systems, until a payment is received.
- Third Party / Vendor Risk: The attacker typically targets lax vendor security measures, thus being able to access an organizations critical system and data.
- Insider Threat: A company insider, typically an employer or contractor, steals valuable company information and monetizes this for their own benefit.
- Business Email Compromise: The attackers leverage existing employee email accounts to attempt to intrude on the trust within an organization’s operations. These attacks typically result in moderate to significant losses resulting from unauthorized financial transactions.
- Failed Compliance Fines: Fees associated with non-compliance which could negatively impact the company’s financial position.
Portfolio companies must consider that ineffective or lacking Information Security or that have will make them less attractive to potential buyers or investors. This impact can not only decrease the value of a private equity firm’s investment but can also tarnish the firm’s reputation and negatively impact future fundraising efforts. Ultimately, the proactive resources invested today, to enhance company cybersecurity, will pay dividends in the long run.
A strong commitment to data and digital security starts at the top and requires significant buy in from key stakeholders. While some private equity firms have been slow to adjust their focus beyond the traditional valuation metrics of companies within their portfolios, there is a shifting awareness of the need to understand and address cybersecurity risk across their organization.
Despite this growing recognition, the private equity industry has lacked a practical approach to address the cybersecurity issues and concerns of their portfolio companies. The reality is that formulating a tailored cybersecurity strategy for each company in a portfolio is an inefficient prospect; one that would saddle the companies as well as the private equity firm with undue investment in time and costs. While the typical firm’s approach to focus cybersecurity efforts on their most highly valued investments, lower valuation companies may pose the greatest risk.
With constrained resources and focus on building the business, portfolio companies may not consider vendor risk as a priority. As such, it is in a firm’s best interest to quantify the third-party risk profile of investing in portfolio companies. Portfolio risk management and vendor due diligence must continuously be considered as top priority for leaders in the private equity space, going forward.
So, what vendors should a firm be worried about? We take a deeper dive into vendor selection and associates risks in the section below:
“Private equity firms that fail to do cybersecurity due diligence on their portfolio companies are at a significant disadvantage, both from a compliance and competitive standpoint.”
What vendors should PE/VC firms be concerned about and why?
The best approach for managing vendor risk is to identify critical and non-critical vendors. While all vendors may play a meaningful role, prioritized focus should be given to those critical to business operations. Firm should routinely assess critical vendors to ensure that they remain a good steward of your data and to understand how they will respond in the event of an outage or cyber-attack. Below, we have identified key vendor dependencies that we are consistently seeing in the private equity space, as well as how these are utilized to execute targeted attacks.
Email and Productivity Tools
No other tools expose organizations to as much opportunity risk as productivity platforms such as Microsoft 365, Google Suite (GSuite) and others. Firms rely on toolkits like spreadsheets (Excel / Google Sheets), PowerPoint Presentations, and Word Processing Software to collaborate, innovate and close deals.
Attackers are commonly using phishing campaigns to get users to login to fake Microsoft Websites. This may be in the form of ‘password reset’ emails or text messages to smartphones. The ultimate goal is for compromise the user account and gain unauthorized access. With hundred if not thousands of emails flowing through account boxes, the opportunity for stealing information and extending phishing campaigns become endless.
Another common attack we are seeing are ‘Malicious Macros’ whereby a user is sent what appears to be a benign Microsoft File (i.e., Word Document). The user opens the file, and it runs a series of malicious commands, all hidden from the user’s screen. What typically results in the installation of malware, which can steal your computer files, monitor your web browsing history, or even worse record your keystrokes. There’s good news however, Microsoft typically enables Macro Protections against attacks such as these, so make sure to keep your office software up to date!
Finance/accounting + portfolio management
As with all companies, PE firms use software tools, such as AllVue, to track their finances and accounting. Because their finances are very tied with those of their portfolio companies, firms will often use a package that combines portfolio management and reporting with its own finance/accounting.
Typically, we see more focused phishing attacks against these platforms, targeted as business executives, commonly known as ‘Spear Fishing’. The primary goal is to gain access to user accounts, such as senior accounting leads, who have higher level access to financial documents.
Most PE firms will have an online portal set up for their LPs / investors to send secure messages, access important investment information and get timely notifications.
Investor portals are commonly used for Business Email Compromise Attempts, with the goal to disrupt the integrity of communications, so that unauthorized financial transactions may be made. Access may be obtained through several measures, but is commonly sourced through Phishing Campaigns.
3rd party databases
Most PE firms lean heavily on data from subscription databases. Sites like CapIQ and PitchBook provide data on recent financial transactions and funding, which helps the firms establish comps and get a sense for movement in the market.
These 3rd party databases are targeted through a variety of methods. To stay out of the technical weeds, attackers typically target vulnerable code to gain access and steal data. Once the integrity of this data is ‘broken’, firms can no longer rely upon the information to make informed business decisions.
Deal & Relationship Management
Most PE firms also use a system to keep track of the opportunities for investment that they’re evaluating. Common solutions include a custom Excel sheet or a more traditional Customer Relationship Manager (CRM) like Salesforce.
Because many of these operate on complex databases, Deal and Relationship Management systems are targeted like other subscription software. These platforms are ripe for stealing internal firm, as well as customer data. Personal contact information taken from these platforms can be instantly sold on Dark Web forums or given to competitors for gaining a competitive edge.
How PE/VC firms can effectively protect themselves and their investment portfolio?
At a time when cybercrime is growing at an unprecedented rate, private equity firms need to illustrate that they are proactively governing their portfolio companies to meet the evolving risk landscape. This requires a holistic approach, whereby people, processes, and technologies are assessed to determine existing cybersecurity proficiency. Gaps in cybersecurity knowledge and protections of critical data should be addressed with an action-based and prioritized strategy to reduce risk to investments.
Firm executives must lead the charge on building and fostering a strong security culture, starting from the top down. A culture that promotes consistent conversations across leadership, on how the organization is tackling business and connected technology risk. By firms taking steps to drive these initiatives forward, they will demonstrate to investors and partners that they are committed to securing trusted relationships now and into the future. Thus positioning
In the section below, we have highlighted actions, that firms of all sizes can implement to better secure their connected ecosystem and business.
- Establish an Information Security Policy: Outlining how the organization is addressing digital and IT-related risks.
- Identify critical systems: Document those systems, vendors, and data which are critical to the core of your business operations. Typically, these systems are productivity tools, Customer Relationship Manager (CRM) Tools, and Financial/Accounting platforms.
- Control access to critical systems and software: Individuals’ access to critical systems, should be continuously reviewed to ensure that it aligns with the business role within the organization. Commonly known as the ‘Principle of Least Privilege’, individuals should only be given access to the data, systems, and files necessary to successfully perform their role within the organization. We have typically seen individuals change roles within an organization, however, access to files and folders related to their previous role(s) remain in place.
- Security Awareness Training: To address how bad actors continue to evolve their attacks, security training should be completed monthly. As an industry best practice, training should be aligned to threats targeting the specific industry vertical. For example,
- Secure your email service and other critical services: Ensure that your critical communication and productivity services are configured properly and tested. Your business depends heavily on real-time data and system access, when a crisis hits these relationships will propel you through.
- Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption; this proactive planning will literally save you millions.
- Back up your data: Back up your data within resilient infrastructure and test those backups frequently.
Firms should consider their individual needs, size, and business locations when comparing backup options. It is valuable to know that data storage facilities/services are not typically one size fits all, and costs may vary.
The Valor Team looks forward to providing continual insights relevant to your industry. For other tips and tricks in staying cyber informed, please visit our Expert Cybersecurity Valor Insights page at Insights – Valor Cybersecurity