Cybersecurity: The new front line
Cyber attacks are expected to rise, as global political tensions amplify. Kathryn Gaw asks if private credit managers are ready to take on this emerging threat…
Private credit fund managers are growing increasingly concerned about cyber security, and with good reason. Geo-political tensions are rising, and recent history has shown us that malicious cyber activities are now seen as a very modern form of warfare.
In 2022, following the Russian invasion of Ukraine, there was a notable spike in the number of state-backed cyber attacks on Western businesses, with Russia widely viewed as the main culprit. Trump’s incoming trade tariffs and controversial foreign policies have now raised the alert level for many asset managers.
“The private credit sector, like all financial markets, is very susceptible to cyber-attacks,” says Harry West, chief information and security officer at Pepper Advantage.
“New and emerging technologies are being used to create better products and experiences for borrowers, but they also expand the attack surface for threat actors to target.”
For private credit fund managers, the key risk is that investor data could be compromised in a data breach. Investors value the discretion that private market investments offer, and they are increasingly aware of the risk posed by hackers and bad actors in the asset management space. According to the latest Core Alternative Managers’ Mood Index (CAMMI) by Gen II, 27 per cent of investors said that cyber security was a key topic during fundraising due diligence, ranking it as their number two concern, just behind liquidity.
Read more: Technology special report: To automation and beyond
Over the past year, a number of high profile cyber attacks have emphasised the importance of having a strong defence. Last year’s global Microsoft outage was caused by a distributed denial of service (DDoS) cyberattack, and affected 8.5 million users, including many financial services firms. In August 2024, Fidelity Investments told 77,099 of their clients that their personal information had been stolen in a data breach, but said that it was “not aware of any misuse” of customers’ personal information. The affected customers were offered two years of free credit monitoring.
Meanwhile, there are some indications that regulators are taking a dim view of fund managers who fail to adequately prepare for cyber attacks.
Earlier this year, Bayview Asset Management paid a $20m (£15.8m) settlement over cyber security weaknesses which led to a serious data breach in 2021.
Read more: Private credit market set for significant growth in 2025
The Conference of State Bank Supervisors – an organisation that represents financial regulators in US states and territories – found that the Florida-based credit manager had deficient information technology practices in place, and ordered the company to take specified corrective actions, improve cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to state regulators.
For private credit firms, cyber attacks represent a major financial, regulatory, and reputational risk. So how can they effectively protect themselves, and their clients?
“Cybersecurity should permeate every level of an organisation, from leadership to frontline teams,” says West.
“It’s a high barrier to entry in the private credit space and needs to be part of a company’s identity and culture.
“Education, awareness, and empowerment through training are essential to making cybersecurity second nature for all employees.”
West believes that traditional defences such as firewalls and endpoint security are no longer sufficient to protect against modern threats. Instead, he suggests that companies look at advanced tools like eXtended Detection & Response (XDR) and Cloud Native Application Protection Platforms (CNAPP).
There are also some recognised global standards which fund managers can follow to ensure the safety of their operations without making heavy investments in bespoke IT plans.
The ISO 27001 certification is recognised worldwide as proof that an organisation’s information security management is aligned with best practice. In the US, the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 is a set of voluntary guidelines which aims to help organisations assess and improve their ability to prevent, detect, and respond to cybersecurity risks.
Sachin Anandikar, chief technology officer at Pemberton Asset Management, says that all firms should invest in cyber hygiene, no matter their size. As a starting point, he believes that platforms should have multifactor authentication, password policies, and endpoint protection. Where possible, these firms should outsource their cyber security protocols to ensure that they are not missing any blind spots.
“What we have observed is that we as a private credit firm will not have the expertise to do all these things at a state of the art level because that takes a PhD in computer science and cybersecurity,” says Anandikar. “So we employ specialist companies, generally called Security Operation Centres who are the conduit for us to give us that expertise. So a lot of that sits within them, and we monitor them.”
These solutions are effective in managing the risk of traditional phishing, malware, ransomware, or DDoS attacks. But new cyber threats are emerging every day, forcing technology officers such as Anandikar to be more proactive in their approach.
The rapid expansion of generative AI has made it extremely easy for bad actors to create deep fake audio and video. Anandikar’s own family was recently targeted by a deep fake scam, which was only identified because of his own awareness of this risk.
“My daughter got a brief phone call from my dad recently asking for her bank account because he wanted to send some money for her birthday,” he says. “And because we’ve been talking about cybersecurity in my family, she came to me and said, I think I got a fake call. Since then, we have instituted a safe word between us within the family to say, if ever something like that happens, you need to use this safe word to make sure that it is me.”
This sort of human stop-gap has become a useful tool in the fight against cyber fraud. Alex Di Santo, head of private equity Europe at Gen II, says that his company has avoided similar deep fake email and phone scams due to its policy of manually confirming sensitive information such as invoices. Gen II no longer sends emails with attachments to clients, and will only share client information within secure portals.
“There has been a significant shift to investor portals,” says Di Santo. “We also insist that our clients use investor portals to exchange links securely to access the portal rather than PDFs.”
These solutions have proven effective to date, and private credit is generally viewed as being one of the more cyber-savvy and robust sectors in the financial services market due to the lack of consumer-specific data. Every time a new investor is onboarded, a new cyber risk analysis has to be conducted. For private credit firms who work with a small clutch of high-value institutional investors, this is a manageable task. However, as private credit opens up to more high-net-worth individuals and wholesale investors, the cost of safely onboarding and protecting these individuals can quickly balloon.
Some industry insiders have even suggested that the risk and cost of cyber security has already discouraged some managers from expanding into the wealth market. Other fund managers have chosen to work exclusively with third party distribution channels to minimise these security risks.
“Anybody in financial services who has consumer-specific data, that becomes an important target for hackers and cybersecurity criminals,” says Anandikar.
“In private credit, that doesn’t exist. Having said that, it is an important area for us as there’s a lot of data around investors and investments. So I think that in that sense, we are vulnerable.”
More than 90 per cent of data breaches target identity, so protecting the identity of their institutional and wealth market investors has become a growing priority for private credit firms. This usually means adopting ‘zero trust’ principles including explicit verification, least privilege, and breach assumption.
“Working in the private credit sector requires a dynamic cybersecurity strategy that keeps ahead of the constantly evolving threat landscape,” says West. “Cybersecurity needs to be embedded into every aspect of a company’s operations, including its culture.”
Read more: Insurers remain bullish on private credit
West adds that cyber security is about preparation, not perfection. While larger managers have the resources to either outsource or develop in-house protections and hire cyber security experts, there are plenty of things that smaller managers can to do ensure that they are meeting the highest standards of cyber security.
“Start with understanding your assets and the threats they face,” says West. “Prioritise patching, secure access, data backups and training your people. This helps you reduce your exposure, protect your assets, heighten your senses and it enables you to recover.”
In a political climate where cyber attacks are used as a tool of war, alternative asset managers may inadvertently find themselves on the front lines. The industry consensus seems to be that the entire sector should be prepared for an imminent rise in the use of virtual attacks which simply aim to cause chaos and instability in key Western markets.
More cyber attacks are inevitable, and the availability of new AI tools makes the barrier to entry that much lower for potential hackers.
Private credit managers are well placed to meet this threat, but amid increasing investor scrutiny and the proliferation of new forms of online fraud, this is no time for complacency. In a competitive space where privacy is prioritised, just one major breach can have a catastrophic impact on a fund manager’s business.
“Having cyber security permeate every aspect of a company’s culture and organisation is so important,” says West. “Your first line of defence is your people.”
