PRIVATE EQUITY: 10 cybersecurity best practices for private equity firms in a COVID-19 world

    10 cybersecurity best practices private equity covid-19

    For private equity firms reacting to the disruptions created by the COVID-19 pandemic, one of the most immediate priorities at both the enterprise and portfolio level will no doubt be ensuring adequate cash flow through the crisis and maintaining critical operations with a remote workforce. 

    While attending to these concerns, private equity firms should be aware that cybercriminals have been actively taking advantage of this disruption, creating a dramatically increased cyber risk landscape.

    Security firms, law enforcement, and the FBI have issued warnings about a growing number of scams that target people working from home, such as fraudulent emails like phishing. Similarly, the Department of Defense has said it is planning to issue renewed guidelines for its military and civilian workforce due to the increased cyber threats. 

    Private equity firms and their portfolio companies will not be immune to these risks. In fact, with their high-value data and large cash movements, private equity firms are an attractive target for cybercriminals. Less developed cybersecurity programs also make them a much easier target than banks and sophisticated FinTech players with similar assets. During the COVID-19 crisis, as private equity firms and their portfolio companies are forced to rapidly shift to a remote workplan without time to perfect security controls, and their workers are distracted with health and financial concerns, the risk of a cyberattack has increased dramatically, whether it be wire transfer fraud, ransomware, phishing, distributed denial-of-service (DDoS) attacks, or other means of infiltration.

    We recommend the following 10 items as a starting point to ensure that firms’ efforts to stabilize the enterprise are not undercut by a cyberattack.

    1. Authentication. Consider how to secure and verify credentials in a remote environment, such as enabling multi-factor authentication.

    2. Monitoring. Pay attention to user activity with frequent network monitoring and logging.

    3. Training. Many of the coronavirus-related malware incidents begin with phishing. Continue to train and test your workforce to increase sensitivity to cyber risk.

    4. Incident response plan. Procedures that may have worked on site may now be dated. Incident response plans should be reviewed to reflect the current communications structure.

    5. Encryption. Encrypt sensitive information before storage or transmission over a network.

    6. Active patching. Patch all software in a timely manner.

    7. Current anti-virus software. Make sure remote users are using up-to-date anti-virus software.

    8. Segmentation. Limit scope of access to sensitive information to necessary users, and review user privileges frequently.

    9. Vendor review. If third-party vendors were onboarded quickly, take the time now to review contracts and security procedures to ensure that risk is reduced and properly allocated.

    10. Disaster recovery plan. Ensure that you are ready for a cyber event with an up-to-date disaster recovery plan that works with your current environment.

    While revisiting these ten best practices will not resolve all the challenges of managing a PE firm and its portfolio companies during this crisis, doing so can at least reduce one of the enterprise risks, leaving the company better able to focus on core operations and safely weather the pandemic as it unfolds.

    Contact

    Claudine Cohen, Principal, Financial Sponsors Industry Co-Leader

    646.625.5717

    Bhavesh Vadhani,Principal, National Director, Cybersecurity, Technology Risk, and Privacy

    703.847.4418

    Subject matter expertise

    • Contact Claudine Claudine+Cohen Claudine.Cohen@cohnreznick.com
      Claudine Cohen

      Managing Principal, Value360 Practice

    • Bhavesh Vadhani
      Contact Bhavesh Bhavesh+Vadhani bhavesh.vadhani@cohnreznick.com
      Bhavesh Vadhani

      CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

    • Close

      Contact

      Let’s start a conversation about your company’s strategic goals and vision for the future.

      Please fill all required fields*

      Please verify your information and check to see if all require fields have been filled in.

      Please select job function
      Please select job level
      Please select country
      Please select state
      Please select industry
      Please select topic
    REMOTE WORK ENVIRONMENT CYBER PRIVACY

    On-Demand Webinar: You Transitioned to a Remote-Work Environment. Have Your Cyber & Privacy Policies & Practices Moved With You?

    CoronaVirus

    Coronavirus Resource Center

    This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.