Today’s private equity funds are increasingly being compared to their hedge fund counterparts and, as a result, are also facing more scrutiny. When it comes to managing and mitigating risk, PE fund managers are wrestling with growing threats on the security front and beyond, along with mounting pressure from the SEC and from evolving industry best-practice standards.
Security and Business Threats for Private Equity
Security threats abound for financial services firms, and private equity firms are not immune. From the inside out, the risks to PE firms grow daily, with savvy and experienced hackers looking to target financial firms – and perhaps more concerning – untrained and unaware employees blindly putting their firm’s operational standing in danger.
Beyond cybersecurity, however, there are also business threats to consider. Non-security incidents – everything from minor, incidental business disruptions to large-scale, regional impact events – can also wreak havoc for private equity firms otherwise unprepared to resume business functions. Downtime may prove to be less concerning for a PE manager than his hedge fund counterpart, but that does little to calm uneasy clients and investors who expect operations to run smoothly at all times.
PE Firms Feeling the Regulatory Pressure
The above security and business threats pose a serious challenge for private equity firms today. But beyond managing those risks to satisfy a fund manager’s own inherent desire to protect his/her firm, private equity firms also face significant and growing pressure from external bodies to meet operational excellence standards that continue to develop and evolve.
The Securities and Exchange Commission (SEC) has made it clear to advisers, with the release of several technology- and operations-centric guidance recommendations, that business resiliency is and should be a priority. In 2014, the SEC began its cybersecurity initiative and began to advise that private equity firms adopt and employ technical and administrative safeguards to guard against increasing cyber threats. Even more recently, in June 2016, the SEC sent a risk alert to registered firms recommending comprehensive business continuity policies, again highlighting the importance of operational risk management. It is also important to note that, within both topical areas, the SEC has called attention to third party oversight and has made it clear that firms should conduct thorough due diligence of critical service providers and ensure that those providers have employed their own comprehensive policies and protocols to mitigate risk.
Private Equity Risk Management Strategies
How then, with all of the aforementioned security threats, resiliency concerns and regulatory pressures, do private equity firms manage and mitigate the risks they face? A clear strategy is needed, one that combines infrastructure and business resiliency protocols designed to protect the firm’s equity assets while also demonstrating a commitment to operational excellence now viewed as a necessity by industry parties. This strategy must include:
- Contingency Planning: A comprehensive, company-wide strategy for disaster recovery (DR), business continuity planning (BCP) and scenario-based planning, such as for a pandemic. It’s imperative for private equity firms to identify the potential impacts of a business disruption and to put practices in place ahead of a disaster to prevent undue harm to the firm – whether that harm manifests itself in operational, financial or reputational form.
- Security Preparedness & Protections: There are layers upon layers of protections to employ to keep your private equity firm safe from cyber threats, but a few focus areas include: a comprehensive written information security plan (WISP) as recommended by the SEC, infrastructure security controls and monitoring tools such as active threat protection services and intrusion detection systems, and ongoing employee education, awareness and training tools to cultivate a culture of security that will protect against insider threats.
- Third Party Oversight: As mentioned, the SEC has now highlighted third party oversight in two of its recent guidance recommendations (related to cybersecurity and business continuity planning), and as PE firms look to broaden their outsourcing efforts and leverage critical third parties such as cloud providers, administrators and accountants, it becomes clearer with each passing day how imperative it is to maintain strict oversight of these providers. While private equity firms benefit greatly from these outsourced functions, they should continue to take ownership of those relationships and evaluate on an ongoing basis how successfully each provider is managing risk.