Private equity firms hold a wealth of customer and market-sensitive data, making them a magnet for cyber attacks. Not only are they privy to sensitive investment documents, strategies, trade secrets and other proprietary information, they also hold data from limited partners, counterparties and others. In short, all of this data is a cyber criminal’s dream.
If the data gets into the wrong hands, the results can be catastrophic for the clients of private equity firms, and may even spell the demise of the firm itself due to reputational damage. In addition to this, under the European Union’s General Data Protection Regulation (GDPR) reforms, fines for breaches of personal information could be as high as 4% of their global annual turnover.
The race to cloud – and the security risks
According to research by Accenture, financial services firms across the globe are currently investing heavily in innovative new technologies - particularly big data and predictive analytics. The use of cloud enables financial firms to access these technologies in a simple and convenient way, and scale up their requirements as needed – all for a fixed monthly fee per user.
Correspondingly, Mergers and Acquisitions reports that private equity firms are racing to invest in subscription-based software and other cloud technologies. The question remains, however: is cloud secure enough for the financial services market, and are there risks that private equity firms in particular should be wary of?
What the FCA looks for in effective management of cyber risk
The Financial Conduct Authority (FCA) Handbook requires effective management of cyber risk, and therefore sets out various rules and principles to cover the use of cloud and other forms of outsourcing.
In a speech delivered by Nausicaa Delfas, Director of Specialist Supervision at the FCA, at the FT Cyber Security Summit last September, the regulator provided a useful insight into how it expects firms to address cyber risk:
- They expect a “‘security culture’, driven from the top down – from the Board, to senior management, down to every employee”.
- Good governance around cyber security, with senior management engagement, responsibility and effective challenge at Board level.
- Firms should have identified their key assets and what the appropriate protections are for them. These may include security screening of staff, effective training against cyber risks and an appropriate level of defence testing.
- Adequate detection capabilities must be in place so that firms can determine if they have been attacked. They should also look at how effective their threat intelligence is. Emerging technologies, such as artificial intelligence systems that automatically search sites for vulnerabilities and patch them, may also assist here.
- Recovery and response. Systems and controls should enable firms to carry on in the event of unforeseen business interruptions, enabling data to be preserved. Consumers and markets should also be communicated with in a timely manner.
When outsourcing data storage to cloud providers (and other partners), the FCA adds it is “critical” that a strong relationship is in place in order to manage the change in their threat profile, and firms need to understand how their data is protected: “Whilst you can outsource a service, and realise the benefits that the cloud undeniably brings, you cannot outsource the associated responsibility for the risks. These are yours to manage, whether you’re a start-up or an established multi-national.”
The rise of ransomware threats to firms was also highlighted, and the FCA outlined how the key to protecting against these threats is “user education and awareness – and identification and blocking of potentially harmful programs, and regularly tested backup and recovery processes, are essential.”
Most cyber failures caused by “basic failings”
Although cyber risks are constantly evolving, Nausicaa Delfas also pointed out: “Most attacks you have read about were caused by basic failings – you can trace the majority back to: poor perimeter defences, unpatched, or end-of-life systems, or just a plain lack of security awareness within an organisation. So we strongly encourage firms to evolve and instil within them a holistic ‘security culture’ – covering not just technology, but people and processes too.”
Reducing the risk factors
When deployed correctly, cloud solutions such as Microsoft Azure and Office 365 can address many of the risks identified by the FCA, and an overview of how they can meet regulatory requirements is available.
One of the most commonly cited benefits of cloud is that it can be implemented out-of-the-box without significant IT expertise or resources. Whilst this is true to some degree, in order to reduce risks to a suitable level, private equity firms may need to include additional security measures, such as email document encryption and remote wipe of mobile devices in the event that phones or laptops are lost.
This is where a Microsoft partner, or IT support company with a proven track record in the private equity market, is needed. Not only can they assist with these additional security measures, they can also be on hand with a 24/7 service desk and deliver proactive monitoring of the firm’s cloud against malware and other risks – as well as a business continuity plan in the event that risks do materialise. Lastly, they can assist with the all-important aspect of end-user training, which is perhaps one of the biggest risks your firm faces in using the cloud.
Find out how technology can help, not hinder, your data protection and regulatory compliance issues – and keep your private equity firm ahead in a rapidly changing marketplace – with our guide: Modern workforce, modern security.