NES Financial EVP and General Manager Dan Yoder discusses the multiple threats PE funds face today — and why picking the right partner is a key business priority.
Let’s start with the 30,000-foot viewpoint:
What are the security issues that are — or should be — keeping general partners up at night?
Broadly speaking, you can break down the malicious threats financial institutions face into 3 high-level areas:
1) bad guys hacking your computer system … and either infiltrating it or damaging it
2) bad guys hacking humans
3) bad guys hacking other devices, such as smartphones, routers, or Internet of Things (IoT) connected devices
But those aren’t the only threats that can harm a fund. Natural disasters, accidental loss of data, or enforcement actions based on security lapses are also very real dangers. And all must be guarded against 24/7/365.
What exactly does “hacking humans” mean?
In security parlance, it’s called “social engineering” — and it may be the most dangerous threat of all. That’s because it involves every organization’s weakest link: its people. Simply put, it is easier to fool a human being (even a highly experienced, highly intelligent one) than it is lines of code. And many, if not most, companies are badly neglecting this threat — with maybe, at best, annual training or rudimentary onboarding training that is never seriously audited or put to the test.
The most dangerous attacks usually come in not through a smashed window, but through the front door. And generally, once a bad actor is inside, it’s very hard to detect what they are doing until serious damage is done.
We’re all familiar by now with phishing attacks that can hijack email, ransomware attacks that can hijack entire systems, or fabulous tales of strangers in faraway lands wanting to send you millions of dollars. Social engineering today has gotten infinitely more sophisticated in its ability to psychologically manipulate employees to voluntarily give up confidential information, or otherwise perform actions that could invite great harm to their systems.
Social engineering accomplishes this by playing on the individual’s sense of trust: once you have managed to convince a person that you are trustworthy (which can involve elaborate research, preparation and roleplaying), the person you’re targeting may open up the vault doors. Ironically, senior executives are among the most vulnerable because they may have received the least training — and because they have the power to override controls.
Fortunately, we take special precautions against social engineering attacks, which I’ll elaborate on later.
Do these kinds of threats pose special risks for PE funds?
Fund administrators hold more than their investors’ cash. They also hold extremely sensitive information about their limited partners. If a fund gets hacked and suffers a significant loss — be it of personally identifiable information or money — it could face a serious crisis, up to and including extinction.
But the risks don’t end there. Regulatory actions, legal entanglements, reputational damage, employee morale — these are some of the potential secondary and tertiary effects of a security breach. Even a small issue can create a kind of reputational stress fracture: maybe not a material issue on its face, but the beginning of a wariness around trust — which, should there be another incident, could start to morph into a narrative of carelessness around other people’s money. And if you lose trust in one area, why should your investors trust you in others?
That’s why security must be central to every aspect of a fund’s operations.
You mentioned regulatory actions. What kinds of measures are you talking about?
The SEC and FINRA have both made cybersecurity and cyber-readiness a top enforcement priority, and both agencies are stepping up scrutiny of funds’ cybersecurity programs, procedures and controls. The scrutiny is extensive — it runs the gamut from assessing governance and risk management; to access rights and controls; to the measures a fund has in place to prevent data loss; to training, vendor management and incident responses.
How does NES protect its clients’ data and reputation?
First of all, by being agile and staying one step ahead of what is now a fast-evolving threat ecosystem.
But it’s also about understanding the true scope of the risk. Protecting our clients’ data and reputation is about much more than defending against hackers, scammers and other cyber threats. It’s also about having information governance that’s state-of-the-art. Keeping your data (including your investors’ data) secure means protecting it against accidental loss; creating backups of your systems; knowing how to house, duplicate, and encrypt those backups. Data can as easily fall into the wrong hands by accident as by malicious intent.
You also have to have plans for business continuity and disaster recovery. While the data may not be permanently lost, if it is suddenly unavailable when you really need it — it’s as good as lost.
Finally, and most fundamentally, we protect our clients by wrapping their data, and our entire infrastructure, in a secure, compliant, cloud-based hosting environment that’s continuously on — no matter what else may happen.
Security, preparedness and compliance: these are bedrock areas for our company, something we are passionate (to the point of paranoid) about. And that’s a good thing, because we know it’s also the bedrock of our clients’ success.
So how do you do it, exactly? What’s your approach to security?
I can fairly describe our stance toward security with two adjectives: comprehensive and obsessive.
For instance, on social engineering: we’ve gone from conducting rigorous annual audits to continuous training, continuous auditing and continuous improvement. We use a third-party provider to conduct ongoing, unannounced simulated attacks — from phishing attempts to sophisticated human interactions meant to fool our people, top to bottom. After each campaign we assess any areas needing reinforcement or additional training, further strengthen our defenses, and then test again. And again.
And then there’s our agility in adjusting to threats. Most financial services companies make huge investments in cybersecurity technology, and are understandably reluctant to change. (After all, it’s hard to turn around a huge ship.) But here’s the problem: having spent heavily on those concrete walls, they adopt a fortress mentality. Unfortunately, that “fortress” is also a point of vulnerability. Because they assume those walls are impenetrable, they don’t pay enough attention to what’s going on inside them — which makes the potential damage of a social engineering attack all the greater. Once bad actors have penetrated the fortress, they can lay low, take their time looking around, and prepare a devastating attack.
Not many companies actually scan the inside of their networks to see if there’s suspicious activity. But we do.
Another practice that we believe sets us apart is that, even though we are not a bank, when it comes to security, we basically act like one. (In fact, we act as a vendor to the large bulge bracket banks.) Also, every year, we voluntarily submit to an audit of our System and Organization Controls (SOC) — and every year we pass with flying colors.
So, as a general partner, what’s my takeaway? What are the 4 main points I need to remember?
- First: Every firm, every fund, is in an arms race with bad actors. In a tech-saturated environment where new threats are constantly emerging, the battle is often won by the most fleet-footed party — not the one carrying the most armature. You have to be able to act quickly, without convening endless meetings, making proposals, debating scheduling, or redoing budgets.
- Second: It’s not enough for any organization to have an “IT person.” You have to have adequate resources to cover the whole risk space — network security, computer security, social engineering, business continuity and compliance — in real time.