May 14, 2014
Interviewed by: David Snow

How Secure Is Your Firm’s Data?

In an era of huge data breaches at top corporations, how carefully must private equity firms guard their portfolio and investor data? The answer: very carefully, according to experts from Gen II Fund Services, MatlinPatterson and Castle Harlan.



Building a Better PE Firm


David Snow, Privcap:

We’re joined today by Steve Millner of Gen II Fund Services, Howard Weiss of Castle Harlan, and Cameron Hillyer of MatlinPatterson. Gentlemen, welcome to Privcap. Thanks for being here.


We’re talking about the level of intensity with which LPs are now scrutinizing the back office. Obviously, LPs care very much about returns first, but they also care about the integrity of the infrastructure of the private equity firm. All of you are involved in this, either as principals at large private equity firms or as people who advise and provide support for private equity firms. Let’s start with a question for Steve Millner from Gen II about security. LPs have all kinds of questions for their GPs. They could ask whether there is a cultural buy-in from the top and how accurate the information is, but today, with the headlines about data security breaches, maybe they should be asking GPs how secure the information is. Is that a question you’ve gotten?


Steven Millner, Gen II Fund Services:

It is a very topical question, given what’s happened with Target and credit card issues. Frankly, not many things keep me up at night, but this is one of them. When you think about the information we all have—Social Security and tax ID numbers, bank information, names and addresses—we control a lot of information that bad people want to get their hands on.


If you recall, David, about a year ago, somebody in the front office for the Yankees accidentally sent out a spreadsheet with all the season ticket holders’ names and addresses. It was an accident. They just sent the spreadsheet with the information to somebody incorrectly—nothing nefarious about it. But, I can assure you, if one of us took all our investor information and accidentally sent it to a buddy or to someone unwarranted, it would be a calamitous event.


When we saw what happened with the Yankees, we did a couple of things. No email goes out of our firm without a password. That’s it—keep it simple. The second thing is we have a data room that we’ve locked down because, frankly, email is not the safest means of communication. We encourage our clients to use portals and use our data room because they’re infinitely more secure.


Snow: Cameron, does it keep you up at night as well?


Cameron Hillyer, MatlinPatterson:

Yes, it does. It’s something we take very seriously and we’re very concerned about. It’s very common for hedge funds to outsource their operations in the back office and less so on the private equity side. But, as the required investment in infrastructure becomes so much larger for firms, the economies of scale that you get by serving multiple clients make it sensible to outsource at some point. This is because, as a single firm, the investment you need to make to fully protect your investors’ data becomes a number that does not make sense relative to the ability to outsource that effectively.


Every firm, depending on their scale, needs to find the right balance between insourcing and outsourcing.


Snow: Howard, how does your firm, Castle Harlan, approach the mandate to secure the data you manage?


Howard Weiss, Castle Harlan:

My director of IT—that is his prime focus. We put in a new system 18 months ago, almost state-of-the-art. In this world, 18 months is a long time. But, he reports to me on a regular basis on the types of issues he faces. There are lots of attempted breaches on a regular basis and we’re all over it. The right systems can protect you, but as was pointed out, very large companies have been breached and you have to be on top of it all the time.


Hillyer: Also, on the regulatory side, there are considerations. The SEC requires each firm to have a privacy policy and document how they protect investors’ data. The SEC and the CFTC just released these red-flag rules at the end of last year. There are an increasing number of requirements from a regulatory perspective that we need to monitor and be thoughtful about. But, the critical piece is that you have the systems and the infrastructure to back that up.


Weiss: We were fortunate when the SEC came out with the new regulations. As we went through it, we were able to determine that we were compliant across the board. I was pleased that we were at least a bit ahead of the curve on that.


Millner: As an administrator, we have about 6,000 LPs in our world that we take care of, so we have to stay up on the rules and regulations. Even the state of Massachusetts has a rule that you can’t email something if it has someone’s tax ID or Social Security number. You are not allowed to send it without their consent. How many firms have consents from their investors in Massachusetts about being able to use these types of devices? Even the states have gotten into the act regarding regulation of dissemination of information through electronic means.


Snow: I have a question that is specific to Cameron because your firm, MatlinPatterson, runs both long-term illiquid strategies and hedge-fund strategies. Is there anything specific about the hedge-fund strategy that differs from private equity by way of needing to be aware of security and securing information?


Hillyer: Everyone requires a third-party administrator. There are no hedge funds in existence today that wouldn’t have a third-party administrator. I think Steve mentioned that only about 30% of private equity firms have an external administrator. To me, that is the biggest difference in the infrastructure setup of those different types of vehicles.


Millner: Believe it or not, we hire hackers to hack us just to make sure we’re buttoned down. We have something called an SSAE16, which is where we hire an audit firm to audit our process and our controls. We have things like “clean-desk” policies. Even at night, we can’t leave confidential information on our desktops. The cleaning crew’s coming in. The lengths we all have to go to now to safeguard information have really changed. It’s costly and it requires constant vigilance. It’s constant.