Private equity must improve cyber security
Private equity managers need to up their ante on mitigating the risk of cyber-attacks following a number of high-profile cases and regulatory interest.
“The private equity industry is a cottage industry but a huge number of businesses have suffered cyber-breaches and private equity managers need to build in protections to prevent any vulnerabilities in their systems being targeted,” said Pamela Hendrickson, chief operating officer at The Riverside Company, speaking at the SuperReturn CFO/COO Forum in Amsterdam.
The growing attention across fund management groups to cyber-threats is also being driven by regulators, who have been forced to act following a series of high-profile cyber incidents. The Securities and Exchange Commission (SEC) in the United States announced in February 2014 that it would conduct a review on the policies and safeguards asset managers have in place to mitigate the risks of cyber-attacks as part of its investment adviser examination program.
The review will scrutinise whether managers are adequately protecting themselves against potential security breaches as well as the risks associated with other vendors who have access to their data and systems. The SEC also confirmed it would be looking at firms’ policies on IT training, vendor access and due diligence, while the agency also said it was considering a requirement that would force asset managers to report significant cyber events to regulators.
“Regulators are taking interest in cyber-security, and it is only a matter of time before rules are imposed on fund managers,” highlighted Stephen Hoey, partner, administration, chief financial officer and chief compliance officer at KPS Capital Partners.
Disruptive cyber-attacks are becoming more effective at breaching security defences yet only 8% of IT managers said they had sufficient resources to handle such a crisis, according to a study by BT, published in July 2014. The research found that 41% of organisations globally have been subjected to a Distributed Denial of Service (DDoS) attack over the past year. DDoS attacks can cause major disruption for organisations. They can take down organisations' websites, overwhelm data centres or cause networks to grind to a halt and become unusable. They are also increasingly complex and difficult for organisations to fend off.
A report –“Cyber-crime, Securities Markets and Systemic Risk” – produced jointly in 2013 by CPSS-IOSCO and the World Federation of Exchanges (WFE) found 53% of 46 exchanges surveyed had been subject to a cyber-attack over the preceding 12 months. Eighty-nine per-cent of those exchanges said cyber-threats presented a potential systemic risk to capital markets.
A paper – “Beyond the Horizon: A White Paper to the Industry on Systemic risk” – published in August 2013 by the Depository Trust & Clearing Corporation (DTCC) identified cyber-crime as the biggest threat to market stability, even putting it ahead of counterparty risk and concentration risk at central counterparty clearing houses (CCPs).
A survey of broker-dealers, banks, mutual funds, insurers and hedge funds conducted in March 2014, again by the DTCC, revealed that cyber-crime was still their top concern. Twenty-four per-cent of respondents said it was the biggest risk to capital markets while 23% acknowledged it was a threat to their firms.
Several financial institutions including The CME Group, the New York Stock Exchange, Citigroup and J.P. Morgan Chase have all been targeted by sophisticated cyber-criminals. In the case of CME Group, its ClearPort clearing system was breached and some customer information was compromised although no transactions on its electronic trading system or clearing house were adversely affected.
