We know: cyber-risk isn’t a topic we discuss often on Agri Investor, nor the first thing many of you have in mind when you think about the asset class.
But cyber-risk management should be treated like any other area of risk, such as finance and credit or drought. Except this particular risk should be the responsibility of all workers at a private markets firm — from the chief executive down to the lowest employee.
With that in mind, we bring you the highlights from a roundtable discussion between experts and CFOs that sister publication pfm hosted late last year, so you can start 2019 with your best cyber-practices in place.
Call it cyber “risk”, not cybersecurity
Cyber-risk management is a discipline similar to financial risk or credit risk management in that resources are put in place to minimize the likelihood of an incident and to protect against it. Should a security breach occur, a firm should be able to detect it and implement the proper response. Management and board hear cybersecurity and think it’s a technology issue, argued one participant. “The reality is it’s managing risk in the same way that you do anywhere else.”
Preparation, preparation, preparation
Incident preparedness is essential and “is something that is constantly changing,” as one of the participants noted. Firms need to understand their data: where is it stored, which data can you get rid of and which data do you want to protect? Firms should do more than just simply go through a list of procedures and check the box when going through an incident response plan. “If you’re sitting there in a crisis without a planned approach not knowing who’s going to do what and trying to figure things out on the fly, that is the worst situation to be in,” said one of our experts. Firms also need to know what their objectives are in the event of an incident. Is it to recover quickly or to retain forensic evidence for future reference? “Either of those approaches would take you in a different direction.”
Phishing: a popular pastime among cyber-criminals
One way in which criminals circumvent a firm’s security defenses and acquire sensitive information is phishing, and criminals are getting more creative at it. In one typical playbook, thieves retrieve the personal and work information of a firm’s chief executive from social media accounts or even the company’s website. They then send messages to the chief executive’s email account, with the goal of taking over the email address and having messages forwarded to another account where they gain access to confidential information.
The Securities and Exchange Commission has been making pronouncements about cyber-risk for several years now, making sure it is on managers’ radar. The agency has now begun asking executives about their firms’ incident response plans as part of the examination process. And if there has been an incident, be prepared for a barrage of follow-up questions. “The minute you have a breach, then [the SEC] will come down on you. That’s why it’s so critical to be prepared on the cyber side,” one advisor said.
It is also increasingly becoming an investor issue. While only one in five investors said they require GPs to undertake cybersecurity risk assessments for their management companies, according to a survey last year by secondaries firm Coller Capital, over half of LPs said they will do so within three to five years.
So as you start the year, be sure you have the tools in place to protect your firm… and keep an eye out for any emails that don’t look quite right.