PERE CFO: How to safeguard firms from cyber attacks

Cybersecurity is more paramount than ever after last week’s global round of attacks, panelists at PERE’s CFO and COO conference said.

Private equity real estate firms are becoming more aware of cybersecurity risks after hackers brought down computer systems across the world last week, panelists at PERE’s CFO and COO conference in New York said Wednesday.

Last week, more than 200,000 computers globally were hit with malicious software, with targets that ranged from the British National Health Service to international companies, according to the New York Times.

“This [recent round of attacks] has brought us back to the forefront of asking the right questions,” one panelist said Wednesday. “Do we have the right firewalls in place? I’m not sure it’s related to real estate firms [specifically]; it’s related to any firms, period.”

There are some private equity real estate-specific security considerations, however. One IT executive described the need for due diligence of potential security problems at the individual property and portfolio company level, because any asset-specific problems could quickly affect the firm’s larger computer systems. One private equity firm, for example, had technology frozen for eight days after one of its portfolio companies suffered a malware attack that then moved to the larger parent company.

To lessen the chance of human error, IT-focused executives should pay careful attention not just to what firm-wide software updates are being pushed out, but to individual employees’ level of compliance, since the failure of a single employee to make an update could still leave the firm vulnerable to an attack. One panelist said his firm uses software to ascertain which employees have not updated their software, then follows up with phone calls or visits to ensure the individual downloads the latest program.

Across business platforms, companies should also pay for the latest software and security programs. A panelist warned that about 40 percent of all malware attacks come from known, defensible viruses, and in the most recent round of cyberattacks, computers with pirated and out-of-date software were most likely to be hacked.

For private equity real estate companies that outsource any service, security due diligence is also critical for third-party providers, one panelist cautioned.

“If you’re trusting your vendor with anything, whether that’s a fund administrator with investor information or property management, what are those vendors doing to protect your data? If something happens to their operations, what does that mean?”

One executive recommended a standard technology due diligence form that all third parties, from human resources providers to law firms, should complete.

“If they want to work with my firm, you better be able to answer my questionnaire,” he said.