Despite the growing data security threats facing private equity firms, many firms remain underprepared to respond to evidence of a data breach. In a recent survey of almost 100 U.S. private equity firms, 66% reported they have only a “partially implemented” cybersecurity program and 10% said they have no plan in place or have not implemented the plan in any way. It appears U.S. firms are reacting slowly to the growing threat of cyber attacks, despite the very real business risks and despite guidance from the SEC that failure to mitigate these threats through policies and procedures could be deemed a violation of the U.S. Investment Advisers Act of 1940 and the U.S. Investment Company Act of 1940.[1]
In the Fall 2015 issue of The Debevoise & Plimpton Private Equity Report, we provided guidance on steps private equity firms can take to protect themselves and their portfolio companies from cyber threats.[2] Among those steps are identifying and locating where the firm has vulnerable assets, making careful consideration of third-party vendors granted access to firm systems, and developing written procedures to prepare for a potential incident. In this issue, we discuss how firms can develop an incident response plan (“IRP”) for responding to a cyber-incident, including the structure of the plan, how to test the plan, and the importance of regularly updating the plan based on emerging threats.
Structure of the IRP
No “one size fits all” plan can serve as a private equity firm’s IRP, but certain characteristics common to all IRPs can guide the development of the plan. What are those characteristics? How do you develop an IRP that is appropriate for your firm?
Identify Potential Incidents. Different kinds of incidents require different responses. In beginning to develop your IRP, you should consider the types of incidents that could affect your firm and its funds in order to ensure that appropriate responses are formulated. Cybersecurity incidents that disrupt business operations may well merit very different responses than data breaches in which personal health or financial information is exposed.
Create an Incident Response Team. An IRP sets out who will respond to an incident. For many firms, it will make sense to assemble a small, standing group that constitutes a core incident response team (“IRT”). Depending on the nature of the incident, employees from various functions might be included in the response to that incident, and can be added to the core IRT on an as-needed basis. For example, you may consider adding particular subject matter experts within the firm whose inclusion on the IRT is logical given the nature of the breach, e.g., someone from investor relations to respond to a phony communication to investors; someone from accounting to help resolve a funds transfer incident; a human resources professional for an insider breach; a deal team member when material nonpublic information on a pending transaction has been exposed; or the employee responsible for a vendor relationship, should a breach occur involving such a vendor (e.g., a vendor with access to the firm’s network or that stores critical firm data).
Identifying your outside service providers in advance of an incident also can help round out the appropriate membership of an IRT. We recommend that you consider adding three outside service providers to the IRT: an external cyber-forensics expert who will assist in the technical aspects of the investigation; outside counsel to advise on a range of issues, from consulting with law enforcement and regulators to breach notification laws; and a PR firm that can help message the response to an incident. By establishing these relationships in advance of an incident (and getting the engagement paperwork in order), you will have the time to select advisors that are the best fit for your firm, and you will almost certainly increase your ability to respond more quickly to a cybersecurity event when it occurs. An added benefit of engaging service providers early, in times of peace, is that they can come on-site to meet your core IRT and become familiar with your systems before an event. This advance knowledge can help pave the way for a smooth breach response.
Specify Incident Response Tasks and Responsibilities. A firm should use the IRP to define the relevant tasks to be completed by the IRT and the persons responsible for each of those tasks. Many of the tasks likely will center on the investigation of the cyber-incident itself and on setting the schedule for updates to be delivered to senior management at the firm. Other tasks include breach notification to potentially affected individuals and to law enforcement; these are among the tasks that, if handled properly, are more likely to ensure that your firm responds successfully to a breach.
Testing the IRP
Even the best IRP may prove less useful if not pressure-tested before an actual incident occurs. Rather than waiting for a potential incident to test whether and how efficiently the IRP works, firms should consider running “tabletop” simulations of an incident response. These simulations typically present several scenarios to members of the core IRT (and, if feasible, extended members of the team, including outside service providers) and ask the team members how they would respond to each scenario. Participants in the tests may be asked to consider not just the facts potentially signaling a breach, but how they would react upon learning of the breach at different times and places. For example, a team member might be asked how the plan should be executed if news of a potential incident breaks when IRT members are away on business or on vacation, on the eve of a deal or fund closing, or just prior to an advisory committee or annual investor meeting.
Keeping the IRP Current
An IRP is not a static document. Any response to an incident will provide lessons on the strength of the IRP. As you begin to execute the plan, whether in response to testing or actual incidents, the plan can be modified in light of the lessons learned. Responsibility for particular tasks may need to change, new tasks may be found necessary to respond effectively to a breach, and adjustments to IRT membership may be needed in light of your assessment of tests and past incidents.
A periodic schedule for updating the IRP should be put in place. Further, firms should consider empowering key personnel to drive updates to the plan outside the normal update schedule when justified by new threat information or material changes in the firm’s business, assets or architecture. Firms may also reconsider the plan and retest it after a risk assessment of cybersecurity defenses (e.g., the results of an annual penetration test).
The Importance of Having an IRP
Increasing threats of cyber attacks and increased regulatory scrutiny make it unwise for firms to go without a carefully developed IRP. The same survey mentioned at the beginning of this article, in which most respondents saw themselves as lacking a fully implemented cybersecurity program, also revealed that more than 60% of the respondents felt they would be the target of hackers in 2016. Further, the SEC’s public statements and last year’s SEC enforcement action against an investment adviser for failing to maintain adequate cybersecurity policies and procedures show that the SEC expects more from private equity firms and other investment advisers than merely having an IRP in place. The questions today are: How robust is the IRP? How well has it been tailored to the firm’s specific business, assets and architecture? Has the plan been tested? Is the firm organized to periodically update the plan based on emerging threats?
This article is the third in a series of articles in The Debevoise & Plimpton Private Equity Report concerning emerging cybersecurity concerns relevant to private equity firms and their portfolio companies.
[1] See “SEC Issues Cybersecurity Guidance for Registered Investment Advisers and Funds,” Debevoise & Plimpton Client Update, May 7, 2015, http://www.debevoise.com/insights/publications/2015/05/sec-issues-cybersecurity-guidance.
[2] See “Mitigating Cyber Threats to Private Equity Firms and Their Portfolio Companies,” The Debevoise & Plimpton Private Equity Report, Fall 2015, http://privateequityreport.debevoise.com/the-private-equity-report-fall-2015-vol-15-no-2/mitigating-cyber-threats-to-private-equity-firms.