- Cyberattacks have been on the rise in 2020 due to the pandemic, with financial services being an industry targeted the most.
- Private equity, in particular, has been viewed as a viable new opportunity for cybercriminals.
- PE shops deep pockets and willingness to wire large sums of money make them a prime target for bad actors.
- While bigger PE firms have the resources to dedicate to cybersecurity, the process at small to mid-size shops remains a work in progress.
- Visit Business Insider's homepage for more stories.
Private equity has increasingly come into the public eye in recent years, thanks to big deals and the growing profiles of leading executives.
However, increased attention isn't always a good thing. Hackers, too, have noticed the rise of private equity and begun targeting the firms — and their portfolio companies — in hopes of tapping into their deep pockets.
"I think the reason hackers are identifying PE as a big issue is that, look they're vulnerable because they have lots of money and probably didn't invest previously. And for typical middle-market companies, that could be legacy businesses that also have older systems and insufficient staff," said Patrick Donegan, executive vice president of growth and client services at Performance Improvement Partners, which works with over 200 PE firms on IT solutions.
"They're just focused on much more important things like getting deals and delivering great returns to their LPs. The notion of being compromised from an attack to them seemed probably not like it was happening all the time," Donegan told Business Insider. "I think there was a false sense of security that they were in better shape than they are."
Cyberattacks are up everywhere, but PE is a prime target
Across all industries, cyberattacks are on the rise as corporations have been forced to adapt on the fly to work-from-home environments as a result of the coronavirus pandemic.
In April, The Hill reported an assistant director of FBI's Cyber Division said on a webinar its Internet Crime Complaint Center saw a 300% to 400% uptick in daily complaints. A survey of 411 security professionals by Check Point, a provider of IT security solutions, found 71% of respondents noticed an increase in security threats or attacks since the COVID-19 outbreak.
Law firm Reed Smith, meanwhile, called coronavirus "possibly the largest-ever security threat."
Read more: 40 insiders reveal the meteoric rise of Silver Lake's Egon Durban, the tech-focused PE firm's No. 1 dealmaker who strong-armed his way to the top and is about to get $18 billion more to invest
And while nearly every company has the potential to be attacked, financial services has been a particular hot spot. According to a May report from VMware Carbon Black, financial firms saw a 238% increase in attacks from February to April 2020.
Banks and hedge funds remain appealing targets for hackers, but private equity firms are increasingly coming into the crosshairs of bad actors, experts say. In many ways, the shift in focus is natural as banks, followed by hedge funds in recent years, have increased spending on cyber defense, making them tougher nuts to crack.
"As you move your way down the totem pole you still have large amounts of money that's being transferred. The shops aren't as big and then some of those [cyber defenses and training] break down," Mark Ostrowski, head of engineering for Eastern US for Check Point, told Business Insider.
"The reality is that as you move your way down the totem pole you're naturally going to get less and less of that because the budgets and the time that would be associated with that are becoming less," he added.
Portfolio companies represent a big risk for PE
There are plenty of reasons why PE firms are a great opportunity for hackers, experts said.
For one, the group has plenty of money to spend, is accustomed to wiring large amounts of money, and isn't shy about discussing deals, Fred Purdue, infrastructure practice manager the cyber lead at PIP, told Business Insider.
"They are extremely attractive targets because they have a high degree of access to large amounts of capital. It's not uncommon to see a significant transaction occur. And by the way, they tend to issue press releases when they're doing large transactions or when they're doing large deals," he said.
There's also the added complexity of portfolio companies. It's not good enough for private equity firms to make sure their own house is in order. Every company in their portfolio is essentially an extension of them, and thereby another entry point for hackers.
That's coupled with the fact that often times companies that receive investment from PE firms need help with their tech.
As a result, PE shops need to take a holistic view of their environment. At PIP there has been a 750% increase on cyber projects related to portfolio-wide initiatives in the first half of 2020 compared to the same time period last year.
"If you're a CEO, there might be a 5% chance that you're going to have a significant cybersecurity event this year. There's a 100% chance the head of sales is going to come in and complain about Salesforce tomorrow. So you might look at it and be like, 'You know what, I'm going to allocate resources based on my risk scenario,'" Purdue said. "If you're a private equity firm and you own 20 of those companies that has a 5% risk each, you have a certainty that you're going to have a significant type of attack. So the risk posture is different."
Increased attacks is drawing more attention to the issue
The response of increasing attacks against PE remains nuanced depending on the size of the firm and its portfolio companies. Most experts agree the largest shops have enough resources to dedicate towards sophisticated cyber programs that rival that of most traditional financial firms.
But for mid-size to smaller shops, no definitive playbooks exists on how best to protect against attacks.
See more: We talked to billionaires, business titans and an NBA star about the Apollo cofounder who wants to buy the New York Mets. Here's how he can apply his private equity turnaround playbook to a team that haven't won a World Series since 1986.
Liron Gitig, a partner for enterprise technology at New York-based FTV Capital, said cyber audits are one tool PE and portfolio companies are both leaning on to shore up defenses and find weaknesses. Prospective companies are also increasingly being proactive when it comes to discussing cyber at initial meetings, he added.
FTV has a specific person tasked with doing due diligence on companies technology and helping portfolio companies with their tech planning, roadmaps and initiatives.
Insurance companies are also stepping up to the plate. In late May, Alliant Insurance Services announced a cybersecurity offering in partnership with ACA Aponix targeted to private equity managers and their portfolio companies.
"We're seeing more and more that firms are starting to say we need to have a go-to vendor that does an assessment on every company that we've mapped out with them that meets our requirements so that we can check this box and make sure we're comfortable," Gitig said.
For companies that hold more sensitive data, Gitig said cyber is a topic raised at nearly every board meeting. Short- and long-term strategies are constantly discussed and audits are regular.
As a result of the additional complexities that come with holding personal identifiable information (PII), Gitig said companies often go to great lengths to not handle such data, lest they make themselves more of a target.
To be sure, Gitig stopped short of saying companies that hold PII would have a tougher time obtaining an investment from a PE firm. Instead, it would need to be more of a consideration earlier in the conversation.
"I do think that the scrutiny of: What does a company do? How does that raise the level of risk associated with their being targeted and potential breaches?" Gitig said. "When you are evaluating investments in companies that are engaged in those areas, that's something you spend time on pretty quickly with those companies."
- Big investors like Apollo and Carlyle are clamoring for a piece of the $30 trillion ESG space. We spoke to 15 insiders about how they're ramping up hires, raising money, and striking data-driven deals.
Silver Lake has been plowing money into bets like Airbnb, Twitter, and Waymo. Here's a look inside why it's being called the Warren Buffett of tech.
Private-equity hiring is getting upended. From senior execs jumping ship to new timelines for scouting junior talent, 6 recruiters lay out what to expect.
Source: Read Full Article