Three things you should know about cyber-risk management

Protecting your firm’s information and data from thieves is important, and being prepared means having a plan in place.

Due to a technical problem, our Asia-Pacific readers did not originally receive this letter. They will be able to read it on Friday, 18 January instead. We apologise for the inconvenience.

Advances in technology may bring with them greater advantages and benefits for users, but they also tend to be accompanied by an increasing threat to cyber security. We often talk about how technological change is disrupting the infrastructure sector, but we also need to keep talking about technology from a cyber-risk perspective.

With that in mind, we bring you the highlights from a roundtable discussion between experts and CFOs that sister publication pfm hosted late last year, so you can start 2019 with your best cyber-practices in place.

Call it cyber “risk”, not cyber security

Cyber-risk management is a discipline similar to financial risk or credit risk management in that resources are put in place to minimise the likelihood of an incident and to protect against it. Should a security breach occur, a firm should be able to detect it and implement the proper response. Management and the board hear “cyber security” and think it’s a technology issue, argued one participant. “The reality is, it’s managing risk in the same way that you do anywhere else.”

Preparation, preparation, preparation

Incident preparedness is essential and “is something that is constantly changing”, as one of the participants noted. Firms need to understand their data: where is it stored, which data can you get rid of and which data do you want to protect? When working through an incident response plan, firms should do more than run down a list of procedures and check the box. “If you’re sitting there in a crisis without a planned approach not knowing who’s going to do what and trying to figure things out on the fly, that is the worst situation to be in,” said one of our experts. Firms also need to know what their objectives are in the event of an incident. Is it to recover quickly or to retain forensic evidence for future reference? “Either of those approaches would take you in a different direction.”

Phishing: a popular pastime among cyber criminals

One way in which criminals circumvent a firm’s security defences and acquire sensitive information is phishing, and criminals are getting more creative at it. In one typical playbook, thieves retrieve the personal and work information of a firm’s chief executive from social media accounts or even the company’s website. They then send messages to the chief executive’s email account, with the goal of taking over the email address and having messages forwarded to another account where they gain access to confidential information.

The Securities and Exchange Commission has been making pronouncements about cyber risk for several years now, making sure it is on managers’ radars. The agency has now begun asking executives about their firms’ incident response plans as part of the examination process. And if there has been an incident, be prepared for a barrage of follow-up questions. “The minute you have a breach, then [the SEC] will come down on you. That’s why it’s so critical to be prepared on the cyber side,” one advisor said.

It is also increasingly becoming an investor issue. While only one in five investors said they require GPs to undertake cybersecurity risk assessments for their management companies, according to a survey last year by secondaries firm Coller Capital, more than half of LPs said they will do so within three to five years.

Cyber-risk management should be treated like any other area of risk, such as finance and credit or regulation, except that this particular risk should be the responsibility of all workers at a private markets firm, from the chief executive down to the most junior employee.

So, as you start the year, be sure you have the tools in place to protect your firm… and keep an eye out for any emails that don’t look quite right.