PRIVATE EQUITY: 10 cybersecurity best practices for private equity firms in a COVID-19 world
For private equity firms reacting to the disruptions created by the COVID-19 pandemic, one of the most immediate priorities at both the enterprise and portfolio level will no doubt be ensuring adequate cash flow through the crisis and maintaining critical operations with a remote workforce.
While attending to these concerns, private equity firms should be aware that cybercriminals have been actively taking advantage of this disruption, creating a dramatically increased cyber risk landscape.
Security firms, law enforcement, and the FBI have issued warnings about a growing number of scams that target people working from home, such as fraudulent emails like phishing. Similarly, the Department of Defense has said it is planning to issue renewed guidelines for its military and civilian workforce due to the increased cyber threats.
Private equity firms and their portfolio companies will not be immune to these risks. In fact, with their high-value data and large cash movements, private equity firms are an attractive target for cybercriminals. Less developed cybersecurity programs also make them a much easier target than banks and sophisticated FinTech players with similar assets. During the COVID-19 crisis, as private equity firms and their portfolio companies are forced to rapidly shift to a remote workplan without time to perfect security controls, and their workers are distracted with health and financial concerns, the risk of a cyberattack has increased dramatically, whether it be wire transfer fraud, ransomware, phishing, distributed denial-of-service (DDoS) attacks, or other means of infiltration.
We recommend the following 10 items as a starting point to ensure that firms’ efforts to stabilize the enterprise are not undercut by a cyberattack.
1. Authentication. Consider how to secure and verify credentials in a remote environment, such as enabling multi-factor authentication.
2. Monitoring. Pay attention to user activity with frequent network monitoring and logging.
3. Training. Many of the coronavirus-related malware incidents begin with phishing. Continue to train and test your workforce to increase sensitivity to cyber risk.
4. Incident response plan. Procedures that may have worked on site may now be dated. Incident response plans should be reviewed to reflect the current communications structure.
5. Encryption. Encrypt sensitive information before storage or transmission over a network.
6. Active patching. Patch all software in a timely manner.
7. Current anti-virus software. Make sure remote users are using up-to-date anti-virus software.
8. Segmentation. Limit scope of access to sensitive information to necessary users, and review user privileges frequently.
9. Vendor review. If third-party vendors were onboarded quickly, take the time now to review contracts and security procedures to ensure that risk is reduced and properly allocated.
10. Disaster recovery plan. Ensure that you are ready for a cyber event with an up-to-date disaster recovery plan that works with your current environment.
While revisiting these ten best practices will not resolve all the challenges of managing a PE firm and its portfolio companies during this crisis, doing so can at least reduce one of the enterprise risks, leaving the company better able to focus on core operations and safely weather the pandemic as it unfolds.
Claudine Cohen, Principal, Financial Sponsors Industry Co-Leader
Bhavesh Vadhani,Principal, National Director, Cybersecurity, Technology Risk, and Privacy
Coronavirus Resource Center