Protecting the private equity industry from cyber attack
SECURE CHORUS, 11TH JULY 2018
Speaking at a recent British Private Equity and Venture Capital Association (BVCA) breakfast in London, Secure Chorus Chairman Elisabetta Zaccaria stated that sensitive financial and personal data held by the private equity industry is now an identifiable prime target for cyber criminals. Ms Zaccaria explained that as private equity firms become more dependent on outsourcing and adopt new technologies to support operations, “asset managers will become more exposed to the threat of cyber crime.”
During the breakfast, Ms Zaccaria discussed the risks related to multimedia communication technologies used by fund managers for both internal and external interactions. These include one-to-one voice calls, group voice calls, voicemail and instant messaging. She said this is an area of potential risk that can be rectified by adopting cyber security solutions that are “interoperable, secure and regulatory compliant”. Interoperability is the ability of two or more computer systems to exchange information.
Ms Zaccaria went on to say: “Private equity firms hold, outsource and otherwise process a wealth of sensitive personal and financial data. It is also exchanged between various parties, including limited partners (LPs), investment targets, counterparties, advisors, suppliers, portfolio companies and the firm’s own employees. If data security is compromised, this can lead to strategic, regulatory, financial, operational and reputational risks.”
Loss of financial data or other sensitive information during an acquisition or disposal could have a negative impact on deal valuation and could ultimately cause the deal to break down. Equally important, a cyber breach at portfolio company level could have a significant impact on that company’s valuation. Also, under the recently introduced EU General Data Protection Regulation (GDPR), data breaches can result in fines of up to 4 per cent of an organisation’s annual global turnover if the data relates to personal data of EU citizens.
Since the introduction of VoIP – the transmission of voice, text, video and other multimedia content over internet protocol (IP) networks – it is critically important to ensure that data is adequately protected against cyber-attack. Ideally, private equity firms, and the business ecosystems they interact with, should be able to process data securely, by employing “interoperable, secure and regulatory compliant multimedia communication solutions.”
During her discussion with the fund managers, Ms Zaccaria gave examples of risks associated with voice calls to private equity firms. These covered caller ID and unauthorised network access. “Do you really know who is calling you?” she asked. “Do you really know who you are calling? Do you really know who is accessing your networks?”
She explained that calls can be placed to, or received from, an attacker without the user realising, resulting in compromise of sensitive communications. An attacker with privileged network access can also access content and metadata for a user on that network, or can compromise a cellular base station, or use a false base station, and so gain access to content and metadata for all users on that base station. An attacker could also cause calls to be routed via infrastructure they control, enabling interception.
Ms Zaccaria went on to stress the importance of ensuring that, during any processing activity via multimedia communication technologies, data is secure. While security is vital, there are other considerations to take into account when choosing a multimedia communication solution. “Such solutions need to be regulatory compliant. A major requirement under the EU GDPR is the ability for enterprise to access personal data for auditing purposes. Given that financial services is a regulated industry, this is of paramount importance.”
Many private equity firms rely on mixed systems for their internal and external multimedia communication. Security gaps created by non-interoperable systems present a substantial potential exposure in terms of data security. Ms Zaccaria concluded: “In future, fund managers need to avoid multimedia communication products that fail to offer a combination of security, regulatory compliance and interoperability.”
The British Private Equity and Venture Capital Association is the industry body and public policy advocate for the private equity and venture capital industry in the UK. Its membership comprises more than 700 influential firms, including more than 300 private equity and venture capital houses, as well as institutional investors, professional advisers, service providers and international associations.
For more details on the BVCA visit www.bvca.co.uk
About Secure Chorus
Secure Chorus is a not-for-profit membership organisation, serving as a platform for private-public collaboration and the development of forward-looking strategies, common standards and tangible capabilities to provide a security baseline in the field of data security for the global digital economy.
For further information please contact:
Secure Chorus Ltd via PRPR
Elisabetta Zaccaria, Chairman
Roderick Hodgson, Director
Phone number: +44 (0) 7831 208109