Like other businesses today, private equity firms and their portfolio companies increasingly face serious data security threats, whether from individual hackers, from organized criminal enterprises or from their own employees and vendors.1 Recent press reports have made plain that a data security breach can seriously harm the reputation, and reduce the value, of the affected business, and a private equity firm that fails to take cyber threats seriously exposes both itself and its portfolio companies to exactly that risk. Unremitting efforts by senior management and boards to combat these threats should be seen not only as good business but also, with regulators (including the SEC), courts and the plaintiffs’ bar increasingly bearing down on perceived lapses in data protection, as a legal necessity. That reality was driven home by two recent SEC actions. First, in September 2015, the SEC announced that it would focus on the cybersecurity practices of regulated entities during upcoming examinations. Later the same month (and, some have speculated, not coincidentally), the SEC announced the settlement of a case in which it charged an investment adviser with failing to adopt written policies and procedures reasonably designed to safeguard customer information, as the “safeguards rule” under Regulation S-P requires.
In the Spring 2015 issue of The Debevoise & Plimpton Private Equity Report, we discussed some of the steps that private equity firms should take pre-acquisition to assess cybersecurity risks presented by a potential portfolio investment.2 In this issue, we outline some of the steps that private equity firms can take to combat cyber threats to the firm itself, and to portfolio companies post-acquisition. One size does not fit all, of course. Cybersecurity protections must be tailored to the size of a private equity firm (including the funds it manages); the size and nature of the businesses of its portfolio companies; and the types and volume of data it and they maintain. Still, private equity firms of all types and sizes can look to a common set of basic measures to manage their cyber risks, both business and legal.
At the Firm (and Fund) Level
KYA2. We call the basic cybersecurity starting point “KYA2”: “Know Your Assets” and “Know Your Architecture.” Identifying what you have (assets) and where you keep those assets (architecture) are fundamental when it comes to cybersecurity.
Under the heading of “Know Your Assets,” the task is to catalog what sort of data the firm collects from all of its various constituents and counterparties, from limited partners (LPs) to employees to vendors to acquisition targets to portfolio companies. At the firm level, those assets can include sensitive personal and financial information of founders and other employees; data concerning LPs, such as data gathered to satisfy KYC/AML requirements; material non-public information about portfolio companies that is held by the firm, including those companies’ business plans and financial data; and confidential information about the firm’s own strategy, potential fund investments and portfolio company exit plans.
Under the heading of “Know Your Architecture,” the task is to document where exactly the firm stores this sensitive information (e.g., internally, off-site, with a third-party cloud provider or using an application services provider); what measures are taken to protect the data (e.g., encryption of particularly sensitive information); whether the network is “segmented” so that an intruder who gets in the front door does not have the run of the whole house; whether especially sensitive data is segregated in a particular storage location as opposed to (for instance) being combined for convenience with other data on a computer server that has unused storage space; who has access to different types of data and by what means; and whether stale files are periodically purged. This last point is simple but all-important: criminals can’t hack – and you can’t lose – what you don’t have.
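The “Know Your Architecture” questions are most useful when they are run over the inventory on a schedule rather than asked once. The following script is an added example and is not from the article or from Debevoise & Plimpton: it treats each asset as a record, applies the checks in the paragraph above (encryption of sensitive data, segregation from shared servers, network segmentation, breadth of access and purging of stale files) and reports what fails. The field names, the data classes, the retention limits and the sample inventory are all constructed for illustration; a real retention policy comes from counsel, not from this table.

```python
"""KYA2 inventory check: run the "Know Your Architecture" questions over an
asset inventory so that they are tested, not just asked.

Added example; not from the original article. The inventory fields, the
retention limits and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

SENSITIVE_CLASSES = {"lp_kyc", "employee_pii", "mnpi", "strategy"}

# Hypothetical retention limits in days; a real policy comes from counsel.
RETENTION_DAYS = {
    "lp_kyc": 5 * 365,
    "employee_pii": 7 * 365,
    "mnpi": 2 * 365,
    "strategy": 3 * 365,
    "general": 10 * 365,
}

FINDING_TEXT = {
    "unencrypted": "sensitive data is not encrypted at rest",
    "commingled": "sensitive data shares a server with unrelated data",
    "flat-network": "sensitive data sits on the general corporate segment",
    "broad-access": "a firm-wide group can read sensitive data",
    "stale": "past its retention limit; purge candidate",
}


@dataclass(frozen=True)
class Asset:
    name: str
    data_class: str         # Know Your Assets: what the data is
    location: str           # Know Your Architecture: internal/offsite/cloud/asp
    encrypted_at_rest: bool
    network_segment: str    # e.g. "lp-vault", "hr", "corp-shared"
    shared_server: bool     # co-located with other data "for convenience"
    readers: frozenset      # groups with read access
    last_modified: date


def check_asset(asset, today, broad_groups=frozenset({"all-staff", "everyone"})):
    """Return the finding codes for one asset (an empty list means it passes)."""
    findings = []
    if asset.data_class in SENSITIVE_CLASSES:
        if not asset.encrypted_at_rest:
            findings.append("unencrypted")
        if asset.shared_server:
            findings.append("commingled")
        if asset.network_segment == "corp-shared":
            findings.append("flat-network")
        if asset.readers & broad_groups:
            findings.append("broad-access")
    # Retention applies to every class: you can't lose what you no longer keep.
    limit = RETENTION_DAYS.get(asset.data_class, RETENTION_DAYS["general"])
    if (today - asset.last_modified).days > limit:
        findings.append("stale")
    return findings


def audit(inventory, today):
    """Map each failing asset's name to its findings; passing assets are omitted."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, today)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory and a fixed audit date so results are repeatable.
AUDIT_DATE = date(2015, 10, 1)
SAMPLE_INVENTORY = [
    Asset("LP KYC files", "lp_kyc", "cloud", True, "lp-vault", False,
          frozenset({"compliance", "cfo"}), date(2015, 9, 1)),
    Asset("PortCo A board pack 2013", "mnpi", "internal", False, "corp-shared", True,
          frozenset({"all-staff"}), date(2013, 3, 1)),
    Asset("Office supplies vendor list", "general", "internal", False, "corp-shared", True,
          frozenset({"all-staff"}), date(2015, 6, 20)),
    Asset("Founder payroll export 2008", "employee_pii", "offsite", True, "hr", False,
          frozenset({"hr"}), date(2008, 1, 15)),
]

if __name__ == "__main__":
    for name, codes in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name)
        for code in codes:
            print(f"  - {code}: {FINDING_TEXT[code]}")
```

Run against the sample inventory, the script passes the encrypted, segregated LP KYC store and the non-sensitive vendor list, flags the old board pack on every architecture point and flags the 2008 payroll export, which is properly protected but long past its retention limit. The point of the design is that the same questions counsel asks in an assessment become a check that runs whenever the inventory changes.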
Plan, Prepare, Test, Repeat. Once you know what assets you possess, and where they are maintained, you can develop a plan (working with cyberforensics consultants and experienced counsel) to protect those assets by implementing appropriate controls and by testing those controls to ensure they are working as expected. Well-recognized benchmarking standards, such as the Cybersecurity Framework promulgated by the National Institute of Standards and Technology (“NIST”), the Critical Security Controls (originally the SANS Top 20, now maintained by the Center for Internet Security) or ISO 27001, can help guide that process. Once controls are in place, third-party verification techniques such as penetration testing (a/k/a “hire-a-hacker”) can identify security holes before an attacker does, so that they can be remediated and the firm’s controls kept in line with evolving best practices. The “repeat” matters: a test reflects the network on the day it was run, so the plan should be revisited whenever the firm adds systems, vendors or offices.
Protect Against Human Error. Even the most secure network can be compromised if employees at all levels aren’t sensitized to risks such as “phishing” – that is, well-crafted emails designed to trick recipients into clicking on links, opening attachments or entering their credentials on a look-alike site, resulting in the installation of malware or the theft of passwords. Other potential vulnerabilities are less high-tech: the misplaced laptop or thumb drive that contains unencrypted, sensitive data, or the errant email that sends sensitive information to the wrong recipient. By ensuring that employees understand cybersecurity best practices, private equity firms can substantially reduce potential data loss – and avoid the disclosure obligations and other legal burdens that can flow from even an inadvertent, good-faith breach.
Consider Your Vendors. Some highly publicized breaches have involved a hacker accessing a company’s systems through an outside vendor. Just as the plumber you let into your office potentially can breach your physical security, so, too, can any vendor that has access to your computer systems, or stores information on your behalf, compromise your cybersecurity. That means being vigilant both about engaging vendors and managing them on an ongoing basis.
As part of the diligence you undertake when engaging a vendor that has access to your information, consider reviewing the vendor’s own security history and practices, including audits and descriptions of security protocols, and asking how the vendor’s cybersecurity protocols compare to benchmarks like NIST, the Critical Security Controls or ISO 27001. Questionnaires can be a starting point for the discussions with vendors. At the contracting stage, consider obtaining: an express written commitment to maintain your information securely and to maintain baseline security practices; covenants to provide prompt notification in the event of a breach; indemnification; and a mandate that the vendor carry cyber risk insurance at specified levels. Day to day, consider reviewing the policies and procedures you have in place for issuing credentials to third parties (usernames and passwords, but also remote-access accounts, keys and tokens), for revoking them when the engagement ends, and your protocols for ongoing monitoring of vendor access to information and security practices. A February 2015 SEC report on cybersecurity at broker-dealers and investment advisers noted that only 24% of the examined investment advisers (and 72% of the broker-dealers) imposed requirements relating to cybersecurity risk via their contracts with vendors and business partners.
Due Diligence Prospective Portfolio Investments. In this day and age, one important due diligence question is how well an acquisition target safeguards its information and systems from cyberattacks. Specific diligence steps could include, at a minimum, discussions with the company’s CIO (or CISO, where it has one) and a review of critical agreements with vendors providing information technology services. Cybersecurity issues also are often addressed in the representations in acquisition agreements. Depending on the diligence findings and the nature of the company’s business, the company’s practices and approaches to cyber risks could be material to the transaction. As noted above, these and other transaction-specific issues were discussed in the Spring 2015 issue of this publication.
Prepare for a Breach. In addition to analyzing its assets and architecture and implementing control measures such as those discussed above, a private equity firm should develop a plan to respond to a breach incident, should it occur. We will be writing separately in more detail about how best to prepare for a breach. In general, regulatory guidance suggests that responsibilities for incident response should be well-defined by senior management of the firm and clear reporting requirements delineated. Answering the following questions can help the firm develop a well-functioning and robust incident response plan:
- What types of business continuity plans are in place in the event of a cyberattack?
- Who are the members of the incident response team, inside and outside the firm?
- Are reporting positions consolidated so that information about breaches can effectively be passed up the chain of command?
- How often does the firm conduct training and how effective is that training?
- What kinds of protections does the firm contractually require third-party vendors to employ to deter cyberattacks?
- What type of insurance coverage for cybersecurity-related events has the firm purchased?
At the Portfolio Company Level
Securing Portfolio Companies. Portfolio companies face most of the same cybersecurity risks discussed above, so private equity firms will want to ensure that their portfolio companies put in place protections of the same sort. In addition, portfolio companies also face, and must address, risks specific to their particular businesses. The risk profiles are different for retail businesses that possess credit card numbers and customer contact data; healthcare enterprises that maintain sensitive medical records; and industrial companies that employ business methods so valuable that competitors or even certain nation-states may want to steal them. Taking proactive measures to ensure that portfolio companies have robust and tailored cybersecurity protections in place makes good business and legal sense. The costs of preparation are orders of magnitude smaller than the costs of dealing with intrusions and, more importantly, the potential hit to the value of a portfolio company whose defenses are breached.
Questions for Directors. In the eyes of at least one high-ranking U.S. government official, staying on top of cybersecurity is now a director’s legal obligation. In a 2014 speech, outgoing SEC Commissioner Luis Aguilar said cybersecurity “needs to be a critical part of a board of directors’ risk oversight responsibilities,” and that boards that “ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” Among the questions that private equity firm personnel who serve on the boards of portfolio companies might want to ask are the following:
- When was the board last briefed on cybersecurity? Is there a regular schedule for such briefings?
- Who on the board “owns” cybersecurity risk management? For larger boards, is the audit committee or another committee charged with oversight?
- Have there been any prior data security incidents? If so, how were they handled and what was done to learn from them?
- Does the company have an incident response team and plan? If so, does it involve external as well as internal stakeholders? When was the last time it was tested?
Thoughtful preparation can help mitigate cyber risk. Best practices for implementing IT security measures and corporate governance increasingly are converging with emerging legal standards and regulators’ expectations. The roadmap to compliance is increasingly clear – and can help both private equity firms and their portfolio companies to reduce their business and legal risk.
This article is the second in a series of articles in The Debevoise & Plimpton Private Equity Report concerning emerging cybersecurity concerns relevant to private equity firms and their portfolio companies.
1 In August 2015 Debevoise & Plimpton LLP published a compilation of articles and client updates covering the range of cybersecurity issues facing businesses today.
2 See “’Dealing’ with Cybersecurity: Evaluating Transactional Risk,” The Debevoise & Plimpton Private Equity Report, Spring 2015.