PE adapts to new generation of cyberattacks

Cyber-criminals see mid-market private equity firms and their funds as prime prey, and the hunt is on.

PFCFO Jun/July cover art 2

If you’re a mid-market private equity firm, you’re probably being targeted more than you realize.

It’s no secret cyberattacks surged in 2020 amid the pandemic and global enterprises’ transition to remote work. The discovery of the cataclysmic SolarWinds breach in December, the consequences of which are still unfolding, capped off the year. SolarWinds backers and tech-focused PE managers Thoma Bravo and Silver Lake raised eyebrows with their sale of $280 million in the company’s stock just days before the hack was disclosed.

But it isn’t the big players, with their chief technology officers and entire IT departments dedicated to cybersecurity, that have necessarily seen the biggest increase in attacks targeting their portfolio companies and firms. Last year, the average mid-market fund was facing up to 10,000 cyberattacks per day, according to a cybersecurity due diligence guide published by Performance Improvement Partners, a technology consultancy that works exclusively with PE firms.

Banks, large hedge funds and other financial institutions have largely strengthened their cybersecurity governance in recent years, and in particular during the pandemic. And larger PE firms, though relatively late to acknowledge the severity of the threat, are honing their defenses. But many smaller PE firms simply don’t have the firepower to fight this evolving, resource-sapping war. Many such firms don’t even have a chief operating officer, so cybersecurity strategy and oversight falls on the CFO’s shoulders.

“It is an enormous concern for every one of us, as CFOs,” says April Evans, CFO of Monitor Clipper Partners in Boston. “It’s just a black hole to us. None of us are deeply knowledgeable technologists.”

Many medium-sized and smaller firms like MCP outsource high-level cybersecurity platforms, running more basic IT operations in-house and often maintaining their own servers, says Evans. MCP uses an outside firm to work with them on architecture issues for its cybersecurity system, but until recently the firm ran its own servers, moving them to the cloud about a year-and-a-half ago.

April Evans

“It’s just a black hole to us. None of us are deeply knowledgeable technologists”

April Evans
Monitor Clipper Partners

“We had a server room and one IT guy, who is sort of a help-desk-plus-level guy. He’s the one you call when your laptop crashes, you can’t get into the network.”

Michael Asher, the president of RFA (Richard Fleischman & Associates), a global IT and cybersecurity consultancy that works with more than half of the top 10 biggest PE firms by assets, says: “Even prior to the pandemic, there was growing sentiment that on-premise data centers had increased costs, risks and complexity, in comparison to the public cloud – and this shift was already taking place.”

The pandemic merely served to “validate the cloud value proposition,” says Asher.

Ominous clouds

But firms aren’t assured safety in the cloud, either. According to a recent report by digital forensics firm Magnet Forensics, the shift to remote working required the rapid introduction of cloud services and remote-working applications by many enterprises, reshaping “the security perimeter.” Magnet said cyber-criminals were quick to adapt their tactics to exploit vulnerabilities in virtual private networks and remote desktop protocols.

As remote working becomes more prevalent, cloud services replace on-premise applications and new connected devices are introduced into enterprise and networks, businesses are now under constant threat from fifth-generation, or ‘Gen V’, cyberattacks.

For fund managers, nothing punctuates the emerging Gen V threat environment more than the insidious supply-chain attack that arose from the breach in IT monitoring company SolarWinds ‘Orion Platform.’ American cybersecurity firm FireEye was the first organization to notify the public about the breach in December, after discovering that its ‘Red Team’ penetration-testing toolkit had been exfiltrated by a sophisticated threat group.

Intel 471’s tips for cyber-risk mitigation

1) Invest in a vendor that monitors for mentions of a supplier or other third-partying by cyber-criminals

2) Monitor for compromised credentials

3) Scan and prioritize vulnerabilities that may exist in third-party software or systems

4) Beware of typo-squatted domains

5) Surveil for active breaches

6) Engage with vendors that monitor brokers that provide access to compromised credentials for corporate organizations

This sprawling exploit has affected at least 18,000 private and public sector customers and transformed the cyber-risk environment for enterprises worldwide, according to a joint statement issued by four federal agencies in January.

The incident is significant because one of the two “tactics, techniques and procedures,” or TTPs, leveraged by SolarWinds’ hackers managed to compromise authentication protocols in the cloud, according to a National Security Agency cybersecurity advisory published in December. Microsoft Office 365 email software was particularly affected in this attack, as deputy national security advisor Anne Neuberger noted in March.

With the first attack vector, according to the NSA, threat actors compromised on-premise components of single sign-on infrastructures in federated networks, or networks that are shared between enterprises.

From there, attackers stole credentials or private keys used to sign certain security assertion markup language tokens. SAML is an authentication protocol that enables users to log in to cloud-based services. After breaching SAML, attackers then used these private keys to forge authentication tokens, giving them access to victims’ cloud networks, said the NSA.

In the second attack, threat actors leveraged a global administrator account to assign credentials to cloud application service principals, according to the NSA. The agency defines these principals as “identities for cloud applications that allow the applications to be invoked to access other cloud resources.”

Invoking the application’s credentials then enabled attackers with automated access to cloud resources, particularly email, without raising any alarms, the NSA said.

Patrick Donegan

“Pre-covid, cyber was a nice-to-have in a diligence. What’s changed with covid is that every diligence that we’re a part of requires cyber”

Patrick Donegan
Performance Improvement Partners

Additionally, cybersecurity firm Secureworks recently linked a second identified SolarWinds exploit to China-based threat actors, who targeted Orion servers installed on customer premises. Dubbed ‘Supernova’ by threat researchers, this attack was reportedly independent from the suspected Russian-origin supply-chain compromise discovered by FireEye.

This suspected China-originated exploit instead compromised an authentication bypass vulnerability in the Orion application programming interface to install so-called ‘web shells’ on SolarWinds’ servers. According to infosec firm RSA Security, web shells are pieces of code or scripts running on a server that open ‘back doors’ into computing networks and can enable remote administration by threat actors.

Mitigation best practices

To mitigate supply-chain risks, Brandon Hoffman, the chief information security officer of cybersecurity firm Intel 471 recommends six best practices.

First, Hoffman advises companies to invest in a security vendor that “monitors for mentions of a supplier or other third-partying by cyber-criminals.”

This monitoring occurs on clandestine and overwhelmingly Russian darknet forums that are only available via specialized browser software and – for the most elite communities – only accessible via recommendations from multiple other forum members.

The second method cited by Hoffman is monitoring for compromised credentials. Third, Hoffman advises firms to continually scan and “prioritize vulnerabilities that may exist in a third-party’s software or systems.”

Fourth, Hoffman warns about typo-squatted domains impersonating a vendor. This way, an organization could be duped into downloading a malicious payload disguised as a legitimate file attachment, update or DocuSign request from a third party they believe to be trusted. Hoffman’s fifth recommendation is the most obvious: surveil for active breaches.

And sixth, Hoffman advises firms to engage with vendors that monitor brokers providing access to compromised credentials for corporate organizations. “The risk to an organization via a third party that has compromised access for sale in the cybercrime underground is also straightforward,” he says.

Cyber will raise IR burden, but help could be on the way

GPs are anticipating elevated cybersecurity reporting demands from LPs on incidents affecting portfolio companies

In the US, 70 percent of chief financial officers at private capital funds surveyed by third-party fund administrator Intertrust Group are anticipating investors will demand live or daily updates on cybersecurity this year.

Growing cyber-jitters are a driving force behind the $3 billion Intertrust projects private funds will spend to “meet investors’ increasing demands for transparency” in the US alone. Cyber-reporting has thus become integral to corporate governance and risk management for GPs.

Patrick Donegan, executive vice-president of growth and client services at Performance Improvement Partners, is not yet seeing market demand for daily reporting. “However, I think there’s a need for it,” he says. Donegan also cites the rise of emerging technology partnerships that PIP is exploring, and which involve artificial intelligence, predictive analytics and network anomaly detection.

But Michael Asher, chief information officer for cybersecurity consultancy RFA, says recent advancements in private data warehousing technology make Intertrust Group’s daily and real-time reporting projections actionable.

“A data warehouse is a system used to facilitate analysis and reporting on enterprise information. This system acts as a central repository of integrated data from one or more disparate sources and has become a “core component of a firm’s business intelligence,” says Asher.

Private data exchanges between PE firms and their portfolio companies that allow managers to create live reports are a relatively new concept in the industry. “Before, cybersecurity wasn’t a big part of it,” Asher says. “Originally, the focus was just on financial reporting. But now, cybersecurity has taken center stage.”

This technology is only available on a bespoke basis, and thus too expensive for most mid-market GPs, says Asher. But, he says, “the cost of building a private data warehouse is coming down significantly because they’re becoming SaaS solutions built in the cloud.”

As such, this will become standard in the mid-market “very soon.”

But couldn’t a central data repository present a single source of failure and, thus, expose fund structures to heightened systemic risk? “There’s always a risk,” says Asher. “But the benefits outweigh the risks if you design your SaaS solution properly.”

In the event of a breach, a “strong digital forensic solution is a critical element of response and reporting,” says Fred Purdue, PIP’s infrastructure practice manager. Purdue also notes that “trusted forensics partnerships can be critical in regulated or high-risk environments.”

“These tools are sometimes necessary to reconstruct the elements of a breach, especially in situations where limited or insufficient logging was in place,” says Purdue.

Most of the threats PE firms face do not come from the cloud, however. PIP’s cybersecurity guide notes that 94 percent of cyberattacks begin with social engineering lures, in which a cyber-criminal manipulates firm employees into handing over confidential and personal information, such as usernames, passwords and other data.

“When covid-19 hit, we saw the reports warning about the increase in cyberattacks and noticed an increase of phishing attempts ourselves, which we didn’t take lightly,” says Matt Hallgren, the CFO of advisory firm Erie Street, which acquired PIP last year.

Another common attack type is business email compromise, a form of social engineering that has hit investment firms particularly hard, according to a recent report by email security firm Agari. BEC is generally an attack vector that involves financially motivated threat actors impersonating trusted vendors, co-investors or senior internal employees to trick designated payers into authorizing fraudulent fund transfers.

Typo-squatted domains impersonating vendors can also be considered be a form of BEC, according to Intel 471’s Hoffman. But investment firms are being targeted by a specific type of BEC attack known as a “capital call” scam, “where fraud rings request funds from investors who’ve committed money toward a specific investment,” says Agari.

Highlighting this method is the scheme uncovered by cybersecurity firm Checkpoint in April last year. It found several targeted PE funds wired $1.3 million to a threat group dubbed “The Florentine Banker,” after the attacker led them to believe funds were being sent to some startups they had agreed to sponsor. Victims managed to recover some $600,000 of the Florentine Banker’s fraud.

Patrick Donegan, executive vice-president of growth and client services at PIP, notes that PE firms are particularly vulnerable to BEC attacks, because they are used to wiring large sums of money. “That was an important lesson for many private equity firms to learn from,” he says.

The average haul from capital call scams is $809,000, according to Agari, or seven times more than the $72,000 typically exfiltrated in wire-payment fraud schemes. MCP had its own brush with a capital call scammer not long ago, when a portfolio company received an email purporting to be from a MCP partner, demanding funds immediately to make a follow-on investment in another MCP-owned company. The email was seemingly timed to occur when the chief executive was on a sales call in China, many time zones away from the company.

Matt Hallgren

“When covid-19 hit, we saw the reports warning about the increase in cyberattacks and noticed an increase of phishing attempts ourselves, which we didn’t take lightly”

Matt Hallgren
Erie Street

This attempted scam also transpired while the CFO was on vacation. So, conveniently, the processing of the wire request fell to a recently hired accountant. Furthermore, the transfer notice arrived on MCP letterhead, with a signature from the “MCP partner” seeking the funding.

“It was an executive assistant to the CEO who stopped the train on that funding,” says Evans. “She had the wherewithal to say, ‘I’ve dealt with MCP for a long time and this isn’t the way they do things.’”

Asher notes that capital call attacks, like the one leveled at MCP, “combine context and familiarity (email from your boss) with a sense of urgency (‘I need this done now!’). This causes victims to lose their critical thinking capabilities.”

This may also imply that the attacker has previously penetrated the network and is privy to previous email interactions and general digital rapport between executives, their personnel and third-party vendors.

With BEC scams increasingly targeting PE firms, Erie Street’s Hallgren says his firm has become more vigilant. “We have implemented best practices across our companies and our firm, including multi-factor authentication and virtual private networks, among other measures,” he says.

To mitigate BEC risks, Asher advises his PE clients to be distrustful and always verify. “Never use the same channel to verify,” he says. If an employee receives a wire transfer request over email, they should insist on verifying the sender’s identity over the phone or video chat.

MFA approval is another strong process redundancy that adds an additional layer to the verification process. For the enterprise, MFA entails mandating approval from two or more signatories to authorize the payment of wire transfer requests.

Lastly, PE firms should also implement cybersecurity training to educate staff on how to spot BEC attacks. “[Cybersecurity company] Webroot testing shows that phishing simulations can improve users’ ability to spot BEC attacks,” says Asher.

Webroot is an endpoint protection and threat intelligence company that uses artificial intelligence and the cloud to secure enterprises. The platform also enables “administrators and security consultants to send customized simulated phishing messages to users,” to train organizations on how to better detect malicious emails.

PFCFO Jun/July cover chart
Click on image to view full screen

Year of the ransom

According to the blockchain intelligence firm Chainalysis’ 2021 Crypto Crime Report, 2020 was the “year ransomware took off.” Payouts from victims across the board increased by 311 percent last year “to reach nearly $350 million.” The company noted that no other category of crypto-enabled crime experienced a higher growth rate during the pandemic.

Some experts are skeptical of Chainalysis’ number, saying payouts are likely to be much higher, as many firms wish to avoid the reputational damage associated with ransomware attacks.

The PIP report also noted that the private equity industry, as a collective, “is hesitant to disclose breaches, fearing the loss of investors and portfolio revenue due to negative publicity.” In theory, reporting projections studied by Intertrust Group will enhance transparency around this delicate subject, at least between fund stakeholders.

The risks of paying ransom

If you find yourself considering paying a ransom, you should consider the risk it poses to sanctions compliance

The Federal Bureau of Investigation said in a recent advisory that it did “not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys.”

But ransomware threats also aggravate PE firms’ exposure to sanctions risk. In October, the US Department of the Treasury’s Office of Foreign Asset Control issued an advisory to “highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”

Citing OFAC-sanctioned ransomware operators including Russian hacker Evgeniy Bogachev, North Korea’s Lazarus Group and Russia’s Evil Corp, OFAC noted that victims facilitating ransomware payments “may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.”

As such, paying off a ransom to recover enterprise data could put a PE manager in violation of OFAC regulations, according to the advisory. OFAC considerations thus compound cyber-risk management and reporting burdens for CFOs and other stakeholders.

Like the FBI, EY also does not “suggest organizations pay ransoms.” But the consultancy does “acknowledge this option exists.” In a guide last summer, EY advised firms to “consider cybersecurity and business interruption insurance.”

EY also advised firms to “place a cybersecurity response team on retainer with expertise in responding to ransomware events” and “establish corporate policy (and legality) for payment of ransom as an option, in consultation with your internal or external counsel and cyber insurance carrier.”

But in the wake of the SolarWinds exploit and the more recent Microsoft Exchange server hack, it’s important for PE firms to understand the broader supply-chain risks that may be out of their control.

MCP also had a brush with ransomware. Evans says an employee’s laptop was once infected with ransomware, but because the firm had data backed up at three locations, it was able to disconnect the infected laptop from the network completely.

“We basically just said ‘kiss that laptop goodbye,’” says Evans. MCP has protocols in place to prevent hackers who access a laptop from getting further access to data held on it, she adds. “We do penetration testing periodically to determine areas of vulnerability and continually address them, but can I guarantee that those systems are going to be foolproof? No.”

Evans says MCP’s system-wide backups mean the firm wouldn’t need to pay a ransom, but that stakeholders may need to be contacted and urged to take precautions. For example, an LP may choose to close their bank account and open a new one if wiring information had been compromised.

Donegan also highlights ransomware operators’ extreme sophistication, with regards to how they craft their crypto-extortion demands. “Once they own your data, they have access to all of your agreements,” he notes.

“A lot of times the ransomware asks are in line with the deductibles are for the insurance policies covering the targets. They’re not going to always swing for the fences, but if there’s an opportunity to get a million dollars, they can do it.”

From threat to competitive edge

In today’s advanced persistent threat environment, cybersecurity isn’t just a preventative concern – it’s becoming part of the basic processes for the PE industry; even part of some firms’ value proposition in fundraising pitches.

Donegan says the “real desire for private equity firms is to have a very innovative approach to cyber, because they want to use that in their fundraising tactics. So, firms that are ahead of it and have a high level of sophistication are using cyber as a value-add.”

Not only are general partners investing more in enhancing their cyber-defenses internally, but they are also weighting this criterion more heavily when conducting due diligence on potential acquisitions. The reasoning here is that the weakest link in the portfolio can introduce systemic risk to the enterprise as a whole.

Do you know what’s in your portfolio?

The varied and evolving threat environment means firms are opting to take a ‘portfolio-wide’ approach to their investments

Many firms worry about cybersecurity weakness in their portfolio companies putting the firm itself at risk. But the industry is “all over the map” in terms how involved firms are in the IT issues of their portfolio companies, says Monitor Clipper Partners CFO April Evans.

“To the extent that a chief tech officer at firm can provide support for and education to the tech departments at portfolio companies, that is an incredible thing to be able to offer your company,” Evans says. “But we have no ability to do that. All we can do is have conversations about what they’re evaluating and testing.”

Based on his experience conducting cyber-diligence on acquisition targets, executive vice-president of growth and client services at Performance Improvement Partners, Patrick Donegan, says that
founder-led businesses typically possess the most technical debt, or antiquated IT systems, which makes them the most vulnerable to intrusion.

Donegan also cites manufacturing and healthcare-oriented businesses at having heightened cyber-risk exposures. Healthcare firms are particularly high-value targets because they safeguard sensitive patient data.

Safeguarding patient data also subjects custodians of those records to heightened compliance risks because they are regulated under the Health Insurance Portability and Accountability Act statute.

Tech and software firms are another sector that Donegan identified as vulnerable. “There are so many businesses that are a good core technology that you can continue to enhance via bolt-on acquisitions to create a better offering overall. But the chain is only as strong as the weakest link,” says Donegan.

As a result, he notes that PIP has seen an increase in “portfolio-wide cyber-programs.”

“Now, we’re seeing LPs becoming much more interested in seeing that management teams and their private equity investors are on the same page, relative to what they risks are and how they’re remediating them,” he says.

“What we’re seeing is that systematic vulnerability penetration tests that qualitatively measure discovery, response, and consistency are being more commonly employed to bring all of the portfolio companies in compliance with a baseline standard. It’s about making sure that detection is in place, while also conducting proactive penetration and vulnerability testing,” Donegan adds.

“The parent company could, for example, acquire a smaller company with larger amounts of technical debt or proprietary software that has flawed code,” says Donegan. “This is quite common in the M&A process and presents an attack vector that could enable an intruder to backdoor their way into the main IT architecture. That is a key concern.

“Pre-covid, cyber was a nice-to-have in a diligence. What’s changed with covid is that every diligence that we’re a part of requires cyber,” Donegan says. He notes that his firm conducts due diligence for hundreds of potential transactions every year. “This shows how important cyber has become not only to GPs managing the fund, but also operationally, with regards to how they’re actually managing their portfolio companies, as well,” Donegan says.

RFA’s Asher notes that LPs are also concentrating more heavily on cyber as part of their operational due diligence. “LPs want to make sure that cybersecurity gaps are identified before investment is made,” he says.

MCP’s Evans adds that while she hasn’t seen LP due diligence questionnaires include portfolio-level cybersecurity questions, they do typically have a handful of questions related to firm-level cybersecurity, requiring pages of responses.

“The keyword here is ‘alignment,’” says Donegan. “It’s about getting all stakeholders, from the C-suite to the board, to reach a consensus on cyber-governance.”

Michael Asher

“LPs want to make sure that cybersecurity gaps are identified before investment is made”

Michael Asher
RFA

The “real desire for private equity firms is to have a very innovative approach to cyber, because they want to use that in their fundraising tactics. So, firms that are ahead of it and have a high level of sophistication are using cyber as a value-add,” he says.

“What’s changed in private equity is that technology has become central to the investment thesis now. This has dramatic impact on the amount of value firms can add to their holdings in a short period of time. That’s the game. They buy something and in three to five years they have to sell it and they have to show that there is more value that can be extracted from it,” says Donegan.

“Part of that now is the technology investment story that has to show consistency, great discipline and great governance, and then convince the next buyer that cyber is a non-concern. If you can show annual assessments for the last five years, documenting how we’ve responded to cyberattacks and how we remediated risk, that’s powerful.”

The human firewall

While organizations undoubtedly need to invest in antivirus tools, endpoint protection software, VPNs, MFA, single sign-on gateways and cloud security applications, it’s important to remember that 90 percent of data breaches are the result of human error, according to the PIP report.

Igor Volovich, the chief information security officer of Washington, DC-based risk management consultants Cyber Strategy Partners, says: “Cybersecurity risk management efforts and investments tend to focus on tools, technologies and tradecraft to the neglect or outright exclusion of leadership and strategy as primary guiding principles.”

That is to say, PE firms can break the bank buying the latest AI-powered, zero-day detection kit on the market, but it might as well be the emperor’s new clothes without a human-centric approach to risk management and cyber-hygiene. As such, PIP advises its PE clients to build a “human firewall” rooted in cybersecurity education and training that empowers employees at every level of the organization. “Don’t underestimate the importance of people in protecting your portfolio,” cautions PIP.

“Refocusing cyber programs around human elements requires attention beyond task-level processes and incremental efficiency roadmaps,” says Volovich.

“Protection of investment value across the portfolio can be achieved by aligning cyber-strategy and leadership goals to a common standard and operating framework that informs technology and controls decisions, as opposed to the typical bottom-up technology-first approach observed across the industry.”