CFO 2.0: Battling the threat

As external cyberattacks become ever more sophisticated and aggressive, fund managers need to ensure their security keeps pace.

From data theft to unwarranted surveillance to denial of service attacks, external cybersecurity threats are constantly evolving and increasingly sophisticated. At the same time, the cybersecurity compliance load is becoming increasingly hefty for all businesses across all sectors from financial services to construction.

However, most fund managers – which carry the double burden of ensuring their internal IT systems are secure and, as responsible investors, those of their portfolio companies – are only “moderately prepared” to meet the plethora of external threats to cybersecurity, such as phishing and pharming and social engineering, according to the pfm/EisnerAmper CFO Survey.

The imperative to be adequately prepared is clear. “It goes without saying that it is critical to put in place an integrated approach that starts at the top and ensures cybersecurity becomes part of the culture of the firm, with staff being actively alert to the risks and avoiding exposing the firm to danger, using reminders, training and testing,” says Jeremy Westhead, finance director at UK mid-market business services and tech investor Lyceum Capital.

This encompasses putting in place good governance, including monitoring IT and security issues at the board level, he says, as well as identifying key assets, such as data storage and websites, the risks to them, and appropriate protections; ensuring ongoing prevention and detection, such as monitoring network traffic and physical infrastructure, and penetration testing; and devizing a recovery plan. Remember that national regulators expect disclosure of material breaches, Westhead adds.

HUMAN ERROR

“Managers are moderately prepared, but they are by no means in the top quartile,” says Iain Mackay, chief operating officer at Intuitus, a specialist technology and IT advisor to European GPs. Although the level of cybersecurity due diligence pre-deal is deepening, “everyone is going to have to up their game. We tend to think of teenage cyber hackers, but this is organized criminality. They are professionals,” he says.

While many businesses typically assign responsibility for their cybersecurity to the IT department, “it’s more to do with people and processes from a human resources perspective,” says Fleur Hicks, managing director at digital diligence and strategy consultants Onefourzero. This includes educating staff not to open unknown files and enforcing device testing.

There is growing awareness of the need to designate responsibility for implementing the security plan, for instance to a chief information security officer in large businesses, says Mackay. However, he too stresses the importance of training an entire organization to use information appropriately, which includes making staff alert to what they talk about, and enforcing access restrictions all the way up to top management. “A CEO should only have access to information that is useful to their job,” he says.

In terms of risk and business impact, data breaches are the number one issue companies face and the majority involve some human element, says Breen Liblong of IT consultant Crosslake Technologies. “Humans are the weakest link.”

UNDERSTANDING THE TYPES OF ATTACKS

Phishing Online fraud that entails sending emails purporting to be from a legitimate company demanding the receiver supply sensitive information, such as bank account details.

Pharming Perpetrator directs internet users to a false website that replicates a legitimate one to illicit personal information.

Theft of personal ID or confidential information Can include passwords, credit card details, customer addresses, dates of birth and PIN numbers.

Social engineering Psychologically manipulating individuals into divulging information, for example posing as a business’s legitimate helpdesk to obtain confidential staff details.

Denial of service An attack that temporarily or permanently disrupts access to a computer or network, typically achieved by flooding the target with false requests that overload the system.

Malware An umbrella term to describe malicious software encompassing computer viruses, worms, adware, spyware and ransomware.

Ransomware – Software that threatens to publish the victim business’s data or block access to it, for example by encrypting it, unless a ransom is paid.

In response to the increasing number of malware attacks, organizations are directing more resources at cybersecurity, he says. They must to keep up. “It is a cat and mouse game. Any time there is an attack or suspicious activity, once it’s resolved you have to go back and analyze the system and look at the root cause and modify the plan. Providing the right messaging when a breach has been identified and publicized is critically important to minimizing the harm to your brand.”

Once in place, systems need to be tested to ensure they are secure. “Businesses may think they are secure but they may not be,” says Crosslake partner James Waletsky. “In nine out of 10 deals we look at, businesses haven’t done a penetration vulnerability test or it was some time ago.”

DIRE CONSEQUENCES

Maintaining effective cybersecurity is critical to retaining value. While the results of due diligence will not stop a deal, based on the cost of any remediation plan, it could impact on the asset’s price, says Waletsky.

In the case of a breach, the ramifications can be far reaching, including loss of customers, reputational damage and regulatory sanctions. US retailer Target is a headline-grabbing case in point. In May, the superstore agreed to pay $18.5 million in claims to 47 states and the District of Columbia in relation to a massive security breach in 2013, when hackers stole data from up to 40 million customer debit and credit cards. In its last annual report, the business said the breach had cost it $202 million. The latest payout is a sign state regulators are not taking cybersecurity failings lightly.

“Standards are evolving all the time,” says Liblong, noting payment card industry security benchmarks are regularly reviewed.

In Europe, the General Data Protection Regulation, designed to better safeguard personal data within the European Union, comes into force in May 2018. It is expected to reshape the landscape. GDPR will ratchet up fines for non-compliance to up to 4 percent of global turnover or €20 million, whichever is greater.

“GDPR is going to put a clear figure [on the cost of not being prepared],” says Touchstone CRM’s Jon Archer, who is responsible for the consultant’s private equity clients. “At the moment, organizations don’t appreciate the risk until it happens.”

Almost two thirds of managers say they are already subject to regulatory obligations related to cybersecurity, according to the pfm survey. A further 14 percent expect to be by the next fiscal year. It is in their interests. Ultimately, the cost of investing in a robust cybersecurity system that keeps up with the evolving threat and regulatory standards will be significantly less than the impact of a calamitous security event and a weighty fine.