How Private Equity Managers are Grappling with Data Management and Security Concerns
Private equity managers are turning towards technology and outsourced models to address compliance challenges, improve operational efficiency, and reduce risk of cyber-attacks.
17 May 2016
By Kylie Horner and Aiko Suyemoto
As private equity (PE) continues to gain popularity as an alternative asset class, investors and regulators are strengthening their due diligence efforts with on-site audits. PE managers are turning towards technology and outsourced models to address compliance challenges and improve operational efficiency related to data management, but with new technology comes the ever present threat of cyber-attacks.
Maintaining a Secure Cyber Program
PE groups must maintain a secure cyber program not only for their own business operations, but also to proactively monitor the security of underlying portfolio companies. With the slew of sensitive information that PE firms hold, it is imperative that a PE manager knows precisely where the fund data resides to avoid loss of proprietary strategy or client information. If not, countless attacks could take place without the manager even knowing about it.
Managers who adopt security savvy practices are well positioned to attract institutional dollars compared to those who do not take a logical, well balanced approach. On Private Equity Wire, James Hadfield, Managing Director of Technology at Gen II Fund Service LLC, a Private Equity fund administrator, compares cybersecurity governance to personal hygiene: “It’s a balance, and the analogy I tend to use is personal hygiene. There are lots of things you need to do to maintain personal hygiene. It’s not just one aspect like brushing your teeth or using hand sanitizers. It’s a combination of methods, and the same concept applies to cybersecurity governance. It needs to become a habit and core to the business and not an afterthought.”
Improving Transparency and Staying Secure
PE managers are under a lot of pressure to improve transparency which often motivates them to embrace an outsourced model.
Based upon the latest SEC examination, the OCIE will want to see governance, access rights and controls, and incident response. As regulation pushes PE managers towards the outsourced model, administrators are going to play a bigger compliance role, according to Hadfield. “Based on published studies, about 30% of PE managers outsource their administration. What they get when they outsource is the benefit of scale on a robust operating infrastructure with more sophisticated disaster recovery plans, guaranteed up times, incidence response plans, etc.,” Hadfield explains.
So while PE managers need to develop top security practices, they must also maintain diligence when reviewing their vendors and hold them accountable. If the manager fails to demonstrate adherence to an annual or bi-annual assessment, he or she could be open to litigation.