Debevoise & Plimpton LLP on Cybersecurity: Developing Incident Response Plans for Private Equity Firms
By: James J. Pastore and David Sarratt
Private equity firms, like all businesses, are racing to defend against increasing attempts by organized criminal enterprises, individual hackers and state actors to steal confidential firm, investor and portfolio company data. Continuously improving cybersecurity is a challenging business necessity today; it also raises serious legal concerns. Regulators are watching. The Securities and Exchange Commission has made clear that the failure to mitigate these cyberthreats through policies and procedures could be deemed a violation of the U.S. federal securities laws.
In the March 2015 issue of the “PEGCC Private Equity Update” we provided guidance on steps that private equity firms can take to improve their cybersecurity. Among those steps are identifying and locating where the firm has vulnerable assets, reviewing arrangements with third-party vendors that have been granted access to firm systems, and developing written policies and procedures to prepare for a potential cyber-attack. In this article, we discuss how firms can develop an incident response plan (“IRP”) for responding to a cyber-incident.
No “one size fits all” plan can be used as a private equity firm’s IRP, though characteristics common to all IRPs can help guide the development of the plan. What are those characteristics? How do you develop an IRP that is appropriate for your firm?
Structuring The IRP
Identify Potential Incidents. Different kinds of incidents require different responses. In beginning to develop your IRP, you should consider the types of incidents that could affect your firm and its funds in order to ensure that appropriate responses are formulated. Cybersecurity incidents that disrupt business operations may well merit very different responses than data breaches in which personal health or financial information is exposed.
Create an Incident Response Team. An IRP sets out who will respond to an incident. For many firms, it will make sense to assemble a small, standing group that constitutes a core incident response team (“IRT”). Depending on the nature of the incident, employees from various functions might be included in the response to that incident, and can be added to the core IRT on an as-needed basis. For example, you may consider adding particular subject matter experts within the firm whose inclusion on the IRT is logical given the nature of the breach, e.g., someone from investor relations to respond to a phony communication to investors; someone from accounting to help resolve a funds transfer incident; a human resources professional for an insider breach; a deal team member when material nonpublic information on a pending transaction has been exposed; or the employee responsible for a vendor relationship, should a breach occur involving such a vendor (e.g., a vendor with access to the firm’s network or that stores critical firm data).
Identifying your outside service providers in advance of an incident also can help round out the appropriate membership of an IRT. We recommend that you consider adding to the IRT three outside service providers: an external cyber-forensics expert who will assist in the technical aspects of the investigation; outside counsel to serve as advisors on a range of issues from consulting with law enforcement and regulators to breach notification laws; and a communications/PR firm that can help message the response to an incident. By establishing these relationships in advance of an incident (and getting the engagement paperwork in order), you will have the time to select advisors that are the best fit for your firm and you should be positioned to respond more quickly to a cybersecurity event when it occurs.
Specify Incident Response Tasks and Responsibilities. Firms should use the IRP to define the relevant tasks to be completed by the IRT and the persons responsible for each of those tasks. Many of the tasks likely will center on the investigation of the cyber-incident itself and on setting the schedule for updates to be delivered to senior management at the firm. Other tasks include breach notification to potentially affected individuals and to law enforcement; handling these tasks properly makes it more likely that your firm responds successfully to a breach.
Testing The IRP
Even the best IRP may prove less useful if not pressure-tested before an actual incident occurs. Rather than waiting for an incident to learn how efficiently the IRP works (or does not work), firms should consider running “tabletop” simulations of an incident response. These simulations typically present several scenarios to members of the core IRT (and, if feasible, extended members of the team, including outside service providers). Participants in the tests may be asked to consider not just the facts potentially signaling a breach, but how they would react upon learning of the breach at different times and places.
Keeping The IRP Current
An IRP is not a static document. Any response to an incident will provide lessons on the strength of the IRP. As you begin to execute the plan – whether in response to testing or actual incidents – the plan can be modified in light of the lessons learned. Responsibility for particular tasks may need to change, new tasks may be found necessary to respond effectively to a breach, and adjustments to IRT membership may be needed.
A periodic schedule for updating the IRP should be put in place. Further, firms should consider empowering key personnel to drive updates to the plan outside the normal update schedule when justified by new threat information or material changes in the firm’s business, assets or architecture. Firms may also reconsider the plan and retest it after a risk assessment of cybersecurity defenses (e.g., the results of an annual penetration test).
Beyond Having An IRP In Place
In a recent survey of private equity firms, more than 60% of the respondents felt they would be the target of hackers in 2016. Increasing threats of cyber-attacks make it unwise as a business matter for firms to go without a carefully developed IRP. Further, the SEC’s public statements – as well as last year’s SEC enforcement action against an investment adviser for failing to maintain adequate cybersecurity policies and procedures – show that the SEC expects more from private equity firms and other investment advisers than merely having an IRP in place. The relevant questions today are: How robust is the IRP? How well has it been tailored to the firm’s specific business, assets and architecture? Has the plan been tested? Is the firm organized to periodically update the plan based on emerging threats?
Debevoise & Plimpton is a Tier 1 Associate Member of the PEGCC