There has never been more sensitive data proliferating between private credit firms, limited partners and fund administrators than today. Investors and firms are sharing more and more information, and this is being enabled by the increasing sophistication of technological platforms.
The ability of fund administrators to manage operational infrastructure, financial reporting and investor communications electronically is not without its risks. In fact, the more data access technology enables, the greater the risk that data will fall into the wrong hands.
Private Debt Investor sought the views of third-party fund administrator Gen II Fund Services and private equity and private debt fund manager Partners Group – which uses an in-house data-sharing platform – about the balancing act between cybersecurity and the demands of investors and firms to share data.
Jeff Gendel, managing director at Gen II Fund Services, says the most important aspect for the GP and LP clients of his fund administration technology is the knowledge that the platform offering is secure.
This is why the Statement on Standards for Attestation Engagements (SSAE) 16 certification, run by the American Institute of Certified Public Accountants, is seen as essential to fund administrators, says Gendel. The thorough SSAE audit process independently measures a firm’s ability to control and secure sensitive information like financial reporting.
“The SSAE 16 is a must-have today,” he says. “Every request for proposal we receive from GPs and LPs asks about the SSAE 16; and in fact it is usually the first question. Investors will think twice about committing to a GP where the GP’s fund administrator cannot demonstrate an SSAE 16 for a protracted period of time.”
Of course, the entire industry is concerned about the protection of confidential information, including customer details like social security numbers, bank details, names, addresses and capital account balances. Gendel notes that this is why Gen II Fund Services has installed processes like penetration tests, where individuals intentionally try to hack into the data servers to find weak spots, to protect its clients and their investors from unwarranted and illegal hacking.
On top of penetration testing, compliance with the Securities and Exchange Commission’s cybersecurity protocols is another data safeguard that engenders trust with GPs and LPs and fund administrators (at least for firms focused on the US).
According to the SEC, the agency’s guidelines for cybersecurity compliance require a firm to conduct an annual review, appoint a chief compliance officer and implement policies that address how the firm will prevent the sharing of its non-public info like transactions and portfolio data.
Though Gen II Funds is compliant with the SEC guidelines – and many fund administrators consider compliance with the agency’s cybersecurity rules important – many platforms are letting their cybersecurity protections lag.
PDI’s sister publication Private Funds Management and eSentire recently conducted a survey, asking over 100 private equity and debt funds across infrastructure, corporate finance and real estate about their cybersecurity protections.
The survey found that 23 percent of respondents were only partially compliant with the SEC guidelines on cybersecurity, even though the same survey found that 53 percent cited regulatory compliance on cybersecurity as most important to their firm.
Additionally, only a small percentage rated awareness training and continuous monitoring and reporting to be most important. Even for those respondents with operational cybersecurity programmes, it is a relatively recent addition to the business – 43 percent have had it in place for between one and two years and only 23 percent for more than two years.
Generally speaking, these programmes are not expected to be a permanent fix, with one-third of respondents expecting them to be obsolete within a year and a further 49 percent expecting to replace them within two years.
Firms are also failing to review their cybersecurity processes regularly. Only 7 percent review on a monthly basis, with the majority (57 percent) doing so annually. Despite the range of risks facing the industry, almost 79 percent do not possess cybersecurity insurance. But some firms, at least with a European focus, will have to strengthen their cybersecurity measures, as new restrictions for electronic fund administration platforms are set to come into play in 2018.
For all EU member states, the General Data Protection Regulation (GDPR) regime, which will come into force in 2018, will bring stricter regulations. This includes the requirement to inform clients immediately if their data has been compromised – a rule already in force in places such as California.
“The launch of GDPR in Europe means that cybersecurity will become even more important to firms like ours,” says Raymond Schnidrig, partner and CTO at Partners Group, who spearheads the firm’s proprietary electronic data sharing platform app.
Like Gen II, Partners Group performed a penetration test before launching the app, with the help of an external specialist company. “At the end of the day, it’s our clients’ data that’s at risk, and it’s in our best interests to protect it,” says Schnidrig.
Though the SEC certification and SSAE 16 audits are tried-and-true ways to establish trust with clients, the internal fund administrator staff are ultimately responsible for the security and quality of their data.
To ensure the accuracy of data shared, Gendel says his firm established its internal quality control department as an integral part of its service offering at Gen II’s inception. The quality control team is separate from the firm’s dedicated client service teams and has responsibility for reviewing all client-facing deliverables.
“It is a second, and sometimes third, set of eyes to ensure documents are sent to our clients in investor-ready condition,” he says. “We see our quality control team as unique and a key differentiator for Gen II in the eyes of the investor community.”
Partners Group also conducted a significant internal control process to ensure that data would be correct before it was published. “That’s why we haven’t had a single hiccup yet,” says Schnidrig.
Though its security and quality control mechanisms are standard, Partners Group is rare in that the firm is an investment manager that facilitates its own fund administration technology platform.
The Switzerland-based firm decided three years ago to create an app for its internal staff, enabling them to access all of the firm’s pertinent data in one place. But based on client feedback, the firm decided a year and a half ago to leverage that internal platform to build an external platform for clients.
Management introduced the app to select clients at its annual general meeting in March 2016, but the official launch was last June when the firm placed the app in Apple’s App Store. The reason Partners Group developed its own app was to ensure quality, explains Schnidrig.
“We have the ambition to impress and delight our clients with our reporting and to give them something that really feels good to use,” he says. “After looking at a couple of external platforms, we decided that we could get the best out of the technology by creating our own app.”
So far, he says, people like the app, which allows clients to receive their reporting quite early, compared to the private market’s standard of quarterly reporting with about a quarter’s time lag. The firm can now publish a client’s latest numbers within 45 days after a reporting period ends.
“We haven’t done a formal feedback survey yet, but we know people like it,” he says. “We also know what people have accessed on the app and use data analytics to investigate where clients’ interests are.”