PE firms need to protect against data breaches

  • “Petya” cyber attack creates havoc in Europe
  • 60 pct of small firms that suffer data breach go out of business
  • PE firms have duty of care to protect sensitive portfolio-company data

All companies, including private equity firms, should do a better job of protecting their data, according to panelists at PartnerConnect Midwest.

PE firms are at increased risk for cyber attacks because of the information they store, said Christopher Calicott, a managing director with Trammel Venture Partners. PE firms and hedge funds aggregate “all sorts of information about their investors, portfolio companies and their IP,” said Calicott, who spoke on the panel “Cybersecurity: Are Your Portfolio Companies at Risk, and Steps You Can Take Now to Address It.”

Because they hold board positions, PE firms have a duty of care to protect “all sensitive portfolio-company data,” he said.

The importance of data protection emerged this week as the latest cyber attack wreaked havoc in Europe. Dubbed “Petya,” the attack used a ransomware worm to target Ukrainian banks and airports, along with Rosneft, the Russian state-owned oil giant, the British advertising company WPP, and Merck, the U.S. pharmaceutical giant, Business Insider reported.

Consequences of a data breach can be dire for companies, panelists said. Some 60 percent of small companies that suffer data breaches go out of business, said Adam Levin, chairman and founder of Cyberscout. Loss of data could lead to class-action lawsuits, regulatory scrutiny, loss of key clients and the destruction of a company/firm brand, Levin said.

PE firms must have plans to help stave off attacks, Levin said. But they also should think beyond checklists. “Today, it’s impossible to prevent the problem [of hackers]. All you need is one person who clicks on one link,” Levin said.

Calicott said PE firms should understand “what is their source of strength, what is the high likelihood [that their] crown jewels will be attacked and how to protect them.” “They have to be self-aware and do a self-analysis,” he said.

Asked whether password managers were effective, Chad Allan Neale, managing director of cybersecurity and compliance at ACA Aponix, said “some are very good. Some have been breached.” Both Neale and Levin spoke on the cybersecurity panel.

Trammel’s Calicott said transferring sensitive information in an unencrypted email is a mistake. “You should never use email to transfer sensitive information, be it from a portfolio company or your firm, unless it’s encrypted,” he said.

Action Item: Contact Christopher Calicott at
