How you should protect data from cyberattack

As asset managers become increasingly exposed to cybercrime, one not-for-profit is developing interoperability standards that would prevent private equity firms from becoming the target of cyber-criminals.

Sensitive financial and personal data held by the private equity industry is now an identifiable prime target for cyber-criminals.

As private equity firms become more dependent on outsourcing and adopt new technologies to support operations, asset managers will become more exposed to the threat of cyber-crime.

Without question, there are significant risks to multimedia communication technologies used by fund managers for both internal and external interactions. These include one-to-one voice calls, group voice calls, voicemail and instant messaging. But this potential risk can be reduced by adopting appropriate cybersecurity solutions that are interoperable, secure and regulatory compliant. Interoperability is when two or more computer systems can exchange information.

Today, private equity firms hold, outsource and otherwise process a wealth of sensitive personal and financial data. It is also exchanged between various parties, including limited partners, investment targets, counterparties, advisors, suppliers, portfolio companies and the firm’s own employees. This has the potential to create a big problem. If data security is compromised, it can lead to strategic, regulatory, financial, operational and reputational damage.

Loss of financial data or other sensitive information during an acquisition or disposal could have a negative impact on deal valuation, with ultimately the potential for deal breakdown. Equally important, cyber-breaches at a portfolio company could have a significant impact on its valuation. Also, under the recently introduced EU General Data Protection Regulation, data breaches can result in fines of up to 2 percent of an organization’s annual turnover if the data relates to personal data of EU citizens.

Since the introduction of VoIP – the transmission of voice, text, video and other multimedia content over internet protocol networks – it has become critically important to ensure that data is adequately protected against cyberattack. Ideally, private equity firms, and the business ecosystems they interact with, should be able to process data securely by employing interoperable, secure and regulatory compliant multimedia communication solutions (which will be discussed further on).

There are also risks associated with voice calls to private equity firms in the areas of caller ID and unauthorized network access. We can never really be sure who is calling us, or even who we are calling. Nor can we be sure that those accessing our networks are who they say they are. Voice calls can be placed to, or received from, an attacker without the user realizing, resulting in a compromise of sensitive communications. An attacker with privileged network access can also access content and metadata for a user on that network. An attacker who compromises a cellular base station, or uses a false base station, can gain access to content and metadata for all users on that base station. An attacker could also cause calls to be routed via infrastructure they control, enabling interception.

At Secure Chorus, we want to stress the importance of ensuring that, during any processing activity via multimedia communication technologies, data is secure. While security is vital, there are other considerations to take into account when specifying a multimedia communication solution. Solutions need to be regulatory compliant. This is because a major requirement under the EU GDPR is the ability for private equity firms to access personal data for auditing purposes. Given that the financial services industry is regulated, this is of paramount importance. This increases the need for interoperable secure multimedia communication. This need exists in the private equity market as much as anywhere else.

Many private equity firms rely on mixed technology systems for their internal and external multimedia communication. Security gaps created by non-interoperable systems present a substantial potential exposure in terms of data security. This means that, in the future, fund managers need to avoid multimedia communication products that fail to offer that vital combination of security, regulatory compliance and interoperability.

These three requirements are central to the philosophy of our organization, Secure Chorus. To effectively address data security requirements in the enterprise, vendors need to offer multimedia communication solutions that are secure, regulatory compliant and interoperable. Secure Chorus’ members are able to meet such requirements, as their products contain an innovative cryptographic approach, namely ‘identity based public key cryptography’, that provides the following benefits:

• Data security. This is achieved with end-to-end encryption to ensure that any data processing activity can be undertaken without compromising data security.
• Data ownership. This type of cryptography includes a Key Management Server (KMS), giving the user full control of system security. As regulators increasingly require access to an enterprise’s data, for example through subject access requests under the EU GDPR, this will become more and more important.
• Scale. Identity based public key cryptography does not require expensive and complex supporting infrastructure for distributing credentials, allowing for at-scale implementation.

This represents substantial innovation in the field of cryptography.

Based on its members’ collaboration, Secure Chorus has also defined a range of interoperability standards that ensures products can work with other products and systems implementing this technology.

Secure Chorus is also encouraging collaboration between industry experts and user communities through its Thought Leadership Platform initiative. The Thought Leadership Platform is a round-table knowledge-sharing environment that brings together industry voices from both user and vendor communities in the cybersecurity space. We recognize that cybersecurity is a complicated world to navigate. Through our Thought Leadership Platform we help users across sectors to rise above the ‘noise’ and understand the key matters to consider.

Elisabetta Zaccaria is Chairman of Secure Chorus, a not-for-profit membership organisation serving the cybersecurity sector. Its mission is to provide thought leadership, common standards and tangible capabilities for the cybersecurity industry, and we take our message of protecting data out across all sectors. Current members include the National Cyber Security Centre, as well as major global telecommunication players, system integrators and technology companies of all sizes.