Cybersecurity is a special concern for the financial industry, a lawyer who handles cybersecurity cases said recently. But its importance goes well beyond the integrity of clients’ and plan participants’ sensitive information — it pervades inter-corporate business functions as well.
It’s a big deal for financial vendors, W. Reese Hirsch, co-head of the cybersecurity practice at Morgan, Lewis & Bockius LLP’s San Francisco office, told Rick Baert of Pensions & Investments, because they handle a great deal of data and often retain the legal responsibility for the information.
Heightening the risk, NewOak Credit Services CEO Chad Burhance told Baert, is the increasingly widespread tendency of hedge funds and private equity firms to outsource functions that include financial management. The fund administrators to whom those funds and firms turn, as well as what information they have, are “well-known,” says Burhance. In addition, Baert says, hackers are increasingly members of crime rings or agents for countries that are involved in such crime.
Part of the answer, SS&C Technologies Holdings Inc. Vice President for Corporate Security and Data Integrity Lisa McLaughlin told Baert, is to perform a risk assessment. Her firm, which provides software for third-party administration and also serves as a TPA itself, performs such assessments. And a part of that, she argued, is to be proactive and to pay attention to cyber breaches beyond just one’s own industry.
Linda Musthaler in a recent column in Network World takes risk assessments a step further. She argues that a cybersecurity risk assessment is part of due diligence when a merger or acquisition is in the offing.
In a recent report, New York Stock Exchange (NYSE) Governance Services and Veracode, a company that secures web, mobile and third-party applications, bolster the notion that cybersecurity is of central importance in a merger or acquisition. In “Cybersecurity and the M&A Due Diligence Process” NYSE and Veracode argue that “Sound mergers and acquisitions fuel economic growth, but they also carry a certain level of risk and, therefore, entail a highly extensive due-diligence process.” Because of that, they say, “an acquiring company will want to authenticate what it is buying — assets, threats, vulnerabilities — and the process of doing so has been intensifying.”
It wasn’t always that way, say NYSE and Veracode, noting that “Twenty years ago, acquiring companies mainly focused on the evaluation of a target’s fundamentals, which primarily comprised financials, consumer sentiment and strategy. Cybersecurity and IT due diligence was carried out in less than 50% of deals.” But the times they are a’changin’, they note, arguing that “Buying a company translates to buying data. And buying data means you are buying past, present, and future data security problems. The economic impact of a transaction can shift dramatically if, after the deal is consummated, past or ongoing data breaches come to light.”