Cybersecurity: A Growing Concern for CFOs in the Private Funds Sector
Cybersecurity has long been a source of anxiety for Chief Financial Officers (CFOs) managing private funds. The nature of cybersecurity threats is such that much of the risk feels beyond their control. A single employee clicking on a malicious link can compromise an entire organization, and the rapid evolution of attack techniques often outpaces even the most sophisticated defenses. Recent events, such as the worldwide outage in July 2024 caused by a faulty CrowdStrike Falcon sensor update that crashed Windows machines across the globe, serve as stark reminders of how vulnerable even the most technologically advanced enterprises can be. That outage was not an attack at all but a failure in a security vendor's own update process, which shows how much exposure a firm inherits from the vendors it relies on.
The Rising Tide of Regulatory Scrutiny
In light of these vulnerabilities, regulatory scrutiny has intensified, particularly as concerns grow that artificial intelligence could facilitate more damaging cyberattacks. As a result, CFOs are increasingly prioritizing cybersecurity across their organizations. The responsibility for cybersecurity is no longer confined to the IT department or third-party vendors; it has become a firm-wide initiative. Even smaller firms that cannot afford an in-house IT team are encouraged to engage consultants to adopt a comprehensive approach to cybersecurity.
Jessica Lipson, a partner at Morrison Cohen, highlights the complexity of the current regulatory landscape. “There are so many different requirements, from so many regulatory bodies,” she notes, referencing the SEC, state attorneys-general, and international regulations like the GDPR. Recent proposals from the US Department of Homeland Security to establish new cyber-incident reporting regulations further complicate matters, potentially impacting numerous firms and their portfolio companies.
The Shift in Due Diligence
Limited Partners (LPs) are also increasingly concerned about cybersecurity. Joshua Cherry-Seto, CFO at StartUp Health, observes that operational due diligence (ODD) has evolved significantly over the past decade. “Ten, 15 years ago, due diligence was dominated by track record and returns, with little to no focus on a firm’s operational processes,” he explains. Today, LPs are demanding detailed reviews of cybersecurity policies and procedures, reflecting a broader recognition of the risks involved.
CFOs: The New Guardians of Cybersecurity
Despite the rise of expanded internal IT teams and chief technology officers (CTOs), the responsibility for cybersecurity remains firmly in the hands of CFOs. Cherry-Seto asserts that the increased focus on data security has strengthened the line of responsibility to the CFO. “We’re increasingly tech CFOs, responsible for building a secure, single source of truth in our data across portfolio management, the CRM, investors’ docs, and the applications,” he states.
CFOs are taking this responsibility seriously. According to the latest Private Funds CFO Insights survey, more than half of respondents reported increased spending on both human and technological resources to safeguard their data. This two-pronged approach underscores the understanding that cyber threats cannot be addressed by technology alone.
The Importance of Governance
Jon Schwartz, president and COO of NewSpring Capital, emphasizes the importance of governance in cybersecurity. “It’s not merely about guarding against hackers,” he explains. “There’s also the governance piece in terms of who does what, when.” This highlights the need to integrate technology and compliance efforts to protect firms from both cyberattacks and regulatory repercussions.
Ensemble Security: A Collaborative Approach
Best practices in cybersecurity now involve close collaboration among IT staff, cybersecurity vendors, compliance personnel, and senior management. Michael Ferris, CEO of cybersecurity firm Abacode, stresses the importance of creating checks and balances across departments. “You’d rather not have the internal IT staff do all the heavy lifting here, since cyber and compliance are different in many critical areas,” he advises.
Some firms are proactively fostering this collaborative approach by expanding their in-house tech talent and restructuring their organizations. For instance, Thoma Bravo has grown its IT team significantly and brought the role of Chief Information Security Officer (CISO) in-house. Managing Director and CFO Amy Coleman Redenbaugh explains that this decision was made to ensure better alignment with legal and compliance issues related to cybersecurity.
Continuous Improvement and Vigilance
Regardless of organizational structure, the overarching goal remains the same: continuous improvement to keep pace with evolving threats and regulatory changes. Mark Maier, Thoma Bravo’s CTO, emphasizes the importance of proactive measures. “We’re continually evaluating our solutions,” he says, noting that the firm recently switched managed security providers due to a lack of transparency and proactivity.
Testing is another critical aspect of cybersecurity. NewSpring Capital regularly conducts phishing tests to educate employees about potential threats, recognizing that human error is often the weakest link in cybersecurity. The firm also employs multiple vendors to ensure comprehensive protection and testing from various angles.
Strategies for Smaller Firms
For smaller and emerging managers, the principles of cybersecurity remain applicable, albeit with a focus on selecting the right third-party vendors. Ferris points out that many cybersecurity providers offer point solutions that address a single problem rather than comprehensive programs. It is crucial for firms to find vendors capable of covering the full cybersecurity program, from prevention and detection through incident response and compliance, rather than one piece of it.
When vetting potential consultants, Lipson advises looking for robust case studies and understanding how vendors have responded to past breaches. “Find out what happened when that breach was discovered at 2 am, and what the vendor did,” she suggests. Engaging senior management and compliance staff in the decision-making process is essential, given the high stakes involved in cybersecurity.
The Challenge of Disclosure
The cyber-incident reporting rules proposed by the Department of Homeland Security would require covered entities to report substantial cyber incidents to the federal government within 72 hours of reasonably believing that an incident has occurred. Because the clock starts at the moment of reasonable belief rather than at the end of an investigation, many firms may struggle to determine the nature and scope of a breach within that window. These proposals could impose significant reporting burdens on private equity firms and their portfolio companies, raising concerns about the feasibility of compliance.
As firms navigate these challenges, they must balance the need for timely reporting against the time it takes to understand and contain a breach. Public disclosure can also invite follow-on attacks, since it signals to other attackers that the firm has been compromised, adding another layer of complexity to the cybersecurity landscape.
Conclusion
In an era where cyber threats are omnipresent and regulatory scrutiny is intensifying, CFOs in the private funds sector must prioritize cybersecurity as a firm-wide initiative. By fostering collaboration among various departments, investing in technology and human resources, and maintaining a focus on continuous improvement, CFOs can better protect their organizations from the evolving landscape of cyber threats. As the stakes continue to rise, a proactive and holistic approach to cybersecurity will be essential for safeguarding sensitive data and maintaining the trust of investors and stakeholders alike.