Cybersecurity breaches and threats are pervasive concerns for any entity storing valuable data or managing large sums of money, and private investment funds are no exception. Recently, three private equity firms suffered breaches that compromised their email accounts and wire transfers, resulting in $1.3 million in losses.
We have seen the SEC follow through on its 2019 priority of examining investment advisers about their cybersecurity measures, as well as inquiring whether they have suffered a cybersecurity breach. We expect that trend to continue. Fund sponsors should be aware of (1) the key cyber threats they face, (2) the consequences of a breach, and (3) the statutory and regulatory framework governing cybersecurity.
Fortunately, there are precautionary measures that fund sponsors can implement to help prevent a breach and to mitigate the scope and damage from a breach if one were to occur. We will elaborate on both the steps to take to guard against a breach and how to effectively respond to a breach in a forthcoming post.
Key Threats
In the United States alone in 2019, there were 467,361 complaints to the FBI of cybercrime, resulting in $3.5 million in losses. Globally, there were far more. In 2018, there were reportedly 378 million victims of cybercrime, resulting in financial losses of $113 billion. There are many reasons for cyberattacks, including terrorism, hacktivism, and warfare; however, general crime is the most common reason that businesses suffer breaches. Attackers primarily use ransomware or a business email compromise scheme (“BEC scheme”) to improperly gain access to money or valuable personal information. Both methods can result in serious damage to the breached entity.
In a ransomware attack, the hacker will lock and encrypt a client’s computer data, then demand a ransom to restore access. In many cases, the victim must pay the cybercriminal within a set amount of time or risk losing access forever. However, because this is a criminal attack, paying the ransom does not ensure that access will be restored. The risk to clients cannot be overstated: critical data can be permanently damaged and lost.
BEC schemes are executed through phishing emails and also pose a material threat. An attacker will create an email that appears to be sent by a reliable and safe source, such as a commonly used website like Netflix or Amazon, a government agency like the IRS or FBI, or even a high-ranking person within the company like the CEO. Through this phishing email, the target’s email account can be compromised, resulting in the unauthorized transfer of funds or the theft of client or contact lists or personal identifying information (“PII”). This stolen information is then typically sold on the Dark Web and is highly lucrative for these attackers.