Less than a decade ago, “cyber security” was a lightly-used catchphrase in science fiction movies. In 2020 and 2021, not only has the phrase, but also its application, become front and center to every business person in the world. The Private Markets in particular are an unusually attractive, yet highly vulnerable target for cyber criminals due to the ownership connection to virtually every industry in the world, making it imperative for executives to be informed and have mitigation plans against potential threats.
First on the agenda, the SolarWinds cybersecurity attack, a well-known, yet unprecedented breach that is estimated to have cost cyber insurance firms roughly $90 million to cover clients1 that were impacted. This was one of the largest, most sophisticated cyber assaults ever observed that has dramatically changed the cyber risk landscape. The attack was believed to have started in December 2019, with the software released for download to SolarWinds clients in March 2020. This malicious code then sat in those environments, undetected, from March to December 2020.
This breach has governments, public and private companies, and private capital firms questioning their approach to cybersecurity. Private Market firms are especially susceptible to cyber-attacks because of the virtually constant flow of capital. While it’s common for cyber criminals to try and steal personal information to gain access to financial accounts, James pointed out that the most efficient method for an attacker to orchestrate a theft, is to simply have the money wired directly to them.
In the Private Markets, there is a high volume of wire transactions both in and out of the funds. To make things worse, these firms, and more likely their portfolio companies, have limited IT and infrastructure budgets, making them even easier targets. With the increased amount of deal flow happening during the pandemic, the frequency and sophistication of these attacks have also been escalating.
For example, there were numerous high profile “WannaCry” ransomware attacks reported some years ago2. Of more concern however, given how dependent the private market industry is on call backs for payments, the risk of attackers using “deep-fake” technology is growing. As James pointed out, there have been documented deep-fake call backs for payment information that resulted in significant amounts of money being stolen3.
James went on to describe the typical “playbook” that cyber attackers follow when mounting a Payment Fraud attempt, giving us a rare view into the level of sophistication and organization that exists within these criminal enterprises.
While there doesn’t appear to be a “silver bullet” to prevent these sorts of attacks, James provided effective strategies that can best prepare and protect GPs and their portfolio companies in the event of a cyber-attack, because it is no longer science fiction or a matter of “if” – rather a matter of “when” a breach is attempted.