Nearly one-third of portfolio companies hacked: survey

  • 31% of GPs said their portfolio companies had been hacked
  • 25% of GPs admit to knowingly breaching their firm’s data security policies
  • 50% of LPs/GPs emailed sensitive data to wrong person

Nearly one-third, or 31 percent, of GPs admitted their portfolio companies had been hacked in the last three years, according to a report from IAG UK.

Roughly two-thirds, or 69 percent, of private equity executives said their companies had not suffered a data breach during the time period. Fifteen percent of GPs said at least one of their LPs had been hacked in the last three years, the survey said. When asked the same question, only 18 percent of LPs said one of their GPs had experienced a data breach.

Alan Ross, commercial director at IAG, said he was “shocked” that one-third of GPs said their companies were hacked. Some firms might not have known about hacking attempts. The portfolio companies might have had the security systems in place to rebuff any hacks, Ross said. “Not sure if in every case it would’ve been flagged,” he said.

Pivot Partners questioned 122 LPs and 52 GPs between August to September for the second annual, “The Reputational Risk in Private Equity Report”, which looked at cyber security and fee transparency. (The first RRiPE focused on how GPs think LPs are liars.) The biggest chunk of GPs, 38 percent, was located in North America while 35 percent were in the United Kingdom. More than one-fifth, or 23 percent, hailed from Continental Europe. Of the LPs, more than half, or 58 percent, were located in continental Europe. Nearly one-fifth, or 19 percent, came from North America. IAG UK is a joint venture between IAG and Thompson Taraz. Read RRiPE here.

The study found that more than two-thirds of LPs, or 80 percent, and most of GPs, or 88 percent, believe the risks posed by hackers, and the frequency of data breaches, present an increasing threat to private equity, RRIP said.

“It’s only a matter of time before a major cyber security incident hits the private equity industry,” said Afshin Taraz, a Thompson Taraz MD. “With billions of pension fund money invested in private equity funds, fund managers and their investors must ensure that they have robust systems and early warning measures in place against a cyber-attack.”

More than half of GPs (58.3 percent) and LPs (62.1 percent) admitted to entering into a contractual arrangement with a third-party without checking their cyber security policies, the study said.

Interesting, most LPs, or 74 percent, are confident GPs have sufficient safeguards in place to protect sensitive data. Many GPs aren’t as certain about investors. Less than half, or 46 percent, of private equity executives think LPs have appropriate safeguard in place to protect data. Fifty-four percent think LPs are lacking in safeguards. GPs, Ross said, may have the impression that LPs aren’t that sophisticated when it comes to technology.

The survey noted the role human error played in protecting sensitive material. One in five LPs, and one in four GPs, admitted they knowingly breached their firm’s data security policies. This could be as trivial as giving a colleague their password or allowing someone to use their computer, Ross said. “You absolutely should not do that,” he said.

More than half of both GPs and LPs also revealed they accidentally emailed sensitive data to the wrong person. “It’s difficult to find anyone who has not done something like this in the past,” Ross said.

Action Item: You can contact IAG UK at 44 1481 723450

Photo of man with hoodie courtesy of Shutterstock