The U.S. Securities and Exchange Commission (SEC) has made clear that it is important for investment advisers, including private equity (PE) firms, to effectively manage cybersecurity risks. This is especially true as PE firms integrate more technology into their operations and cyber risks multiply, affecting not only information technology but also the business, regulatory and operational aspects of a company. PE firms should be mindful of this regulatory climate and take cybersecurity issues into account as part of their overall exposure to the federal securities laws.
The SEC launched a cybersecurity initiative in 2014 and has made clear that it will continue to examine cybersecurity compliance by PE firms. Last month, the SEC’s Division of Investment Management issued a Guidance Update which identifies a series of protections it expects advisers to take to address cybersecurity – the Guidance Update likely will be the framework within which SEC scrutiny will occur.
The SEC’s Guidance
As the SEC explained in its Guidance Update, cyberattacks have been launched against a variety of financial services firms. While not every PE firm is the same, with funds varying greatly depending on the industries in which they operate and the nature of their control over portfolio companies, as a general matter, advisers should:
- Conduct periodic assessments of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and technology systems; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk;
- Create a strategy to prevent, detect and respond to cybersecurity threats; and
- Implement the strategy through written policies and procedures and training that provide guidance to the firm’s officers and employees.
The SEC also recommended that PE firms identify their respective compliance obligations under the federal securities laws and take those obligations into account when assessing their ability to prevent, detect and respond to cyberattacks. PE firms can mitigate their exposure to cyber threats by adopting compliance policies designed to prevent violations of the federal securities laws, such as programs that address cyber threats as they relate to identity theft and data protection, fraud, and any other disruption in service that could affect a firm’s ability to process transactions.
The SEC highlighted that cybersecurity threats do not necessarily come from the PE firm itself, but may arise through service providers; accordingly, PE firms should make sure that their service providers have appropriate cybersecurity protections. In particular, it may be prudent to meet with third-party fund administrators and compliance firms to understand the protections that are in place and ensure information about fund investors is sufficiently protected. Ultimately, the SEC warned there is no “one size fits all” approach, and each firm should tailor its compliance programs based on the nature of its specific business.
Identifying and Managing Cybersecurity Risks
For PE firms to effectively manage cybersecurity risks, it is important to take a thorough approach and understand where risks can arise. Firms regularly collect data from numerous sources, including portfolio companies (especially consumer-facing portfolio companies), LPs, counterparties, acquisition targets, vendors, and employees.
- Third-Party Risks: Many of the risks that PE firms face arise from the third parties with whom they work – e.g., placement agents and vendors. Several highly publicized breaches, including those at Target and Home Depot, resulted from a system being accessed through an outside vendor. To minimize the likelihood of an attacker getting into your system by way of a third party, it is important to conduct due diligence on the protections used by third parties. Such diligence could include: reviewing the third parties’ cybersecurity policies; obtaining an express written commitment from the third party that it will maintain your firm’s information securely; including indemnification provisions in the event of a cyberattack; and mandating that the third party use specific safeguards.
- Portfolio Companies: PE firms must continue to balance providing portfolio companies with sufficient autonomy to operate, while maintaining sufficient oversight with respect to various risks, including cyber risks. Portfolio companies also face risks inherent to the industries in which they operate. Because risk profiles for each business are different, portfolio companies should tailor their protections accordingly.
- PE-designated Directors: As part of their general oversight responsibilities, PE firms should ensure that board designees are appropriately conversant in managing cyber risks before joining portfolio company boards (e.g., at each portfolio company, learning about the process by which the board is briefed regarding cyber risk and the nature of the portfolio company’s plan in the event of a breach). Directors already have a lot on their plates and cyber risks likely will be outside of their areas of expertise; however, PE-designated board members should ensure that portfolio companies have designed, implemented and updated adequate policies and procedures.
- Prospective Portfolio Investments: It is important to conduct due diligence on how well an acquisition or investment target protects its information and systems from cyberattacks. This can often be addressed through discussions with the company’s CIO about the cyber safeguards in use (e.g., encryption and firewalls) and the company’s history of cyberattacks, together with a review of the critical agreements the target has with vendors that provide it with information technology services. Security standards also can be incorporated into representations in acquisition agreements.
Overall, the SEC will likely continue to focus on cybersecurity issues, especially as threats continue to expand and breaches inevitably occur. It is important for advisers to be prepared for a cybersecurity incident because the fallout can be wide-ranging, from the notifications required in the event of a breach to the concerns of LPs and portfolio companies. Advisers should ensure that they have appropriate policies in place to protect against attacks, taking a multi-disciplinary approach to cybersecurity that considers both the legal and the technical aspects.