Cybersecurity and IT for Infrastructure Funds

Cybersecurity for infrastructure funds operates at two distinct levels: protecting the management company's systems and data, and addressing cyber risks at portfolio assets that may constitute critical infrastructure. The operational technology systems controlling power plants, water utilities, transportation networks, and telecommunications assets face threat profiles quite different from typical corporate IT environments. Fund managers must understand and oversee both dimensions while recognizing that asset-level cybersecurity often has national security implications.

Management Company Cybersecurity

Infrastructure fund managers face cybersecurity requirements similar to other investment advisers, with additional considerations given the sensitivity of infrastructure asset information and the institutional nature of the LP base.

• Data Protection: Investor personal information, capital account data, and fund performance information require protection. Infrastructure funds may also hold sensitive operational data about critical infrastructure assets that warrants additional safeguards.
• Email Security: Business email compromise targeting fund managers—particularly around capital calls and wire transfers—represents a significant threat. Multi-factor authentication, email filtering, and verification procedures for financial transactions help mitigate these risks.
• Access Controls: Managing access to fund systems, investor portals, and sensitive documents requires systematic controls. The long fund life means access management must accommodate personnel changes over extended periods.
• Vendor Management: Fund administrators, portfolio management systems, and other third-party services have access to fund data. Assessing vendor security practices and contractual protections forms part of the overall security program.
• Incident Response: Documented procedures for responding to security incidents, including notification requirements for investors and regulators, prepare the organization for potential events.

Regulatory Framework

SEC cybersecurity requirements for investment advisers continue to evolve. Current expectations include written policies and procedures addressing cybersecurity risks, with specific attention to areas including access controls, data protection, incident response, and vendor oversight. Infrastructure managers should monitor regulatory developments and ensure compliance programs reflect current requirements.

Asset-level cybersecurity faces additional regulatory frameworks depending on sector. Energy assets may fall under NERC Critical Infrastructure Protection standards. Water utilities face EPA and state regulatory requirements. Transportation and telecommunications infrastructure have sector-specific cybersecurity mandates. Understanding these frameworks helps assess portfolio company compliance status and risk exposure.

Asset-Level Cybersecurity Considerations

Infrastructure portfolio assets present cybersecurity challenges quite different from typical corporate environments. Operational technology (OT) systems controlling physical processes—generators, pumps, switches, and sensors—may have different vulnerability profiles and security requirements than information technology (IT) systems.

Key considerations include:

• OT/IT Convergence: Modern infrastructure increasingly connects operational systems to IT networks for monitoring and optimization. These connections create potential attack pathways from IT environments into operational systems.
• Legacy Systems: Infrastructure assets often include control systems installed decades ago, before cybersecurity was a design consideration. These systems may lack modern security features and require compensating controls.
• Physical-Cyber Interface: Cyber attacks on infrastructure can have physical consequences—power outages, water contamination, transportation disruptions. This physical impact elevates the stakes of cybersecurity failures.
• Supply Chain Risks: Equipment vendors, maintenance contractors, and remote monitoring services all create potential entry points for cyber threats. Managing supply chain cybersecurity requires attention across numerous relationships.

Due Diligence and Acquisition

Cybersecurity assessment should form part of acquisition due diligence for infrastructure assets. Key areas include:

• Current cybersecurity posture and recent security assessments
• Compliance status with applicable sector regulations
• History of security incidents and response effectiveness
• OT system architecture and security controls
• Vendor and contractor cybersecurity practices
• Cyber insurance coverage and claims history

Cybersecurity findings may identify risks requiring remediation investment or ongoing monitoring. Material cyber risks should be reflected in investment analysis and potentially addressed in transaction documentation.

Portfolio Cybersecurity Oversight

Fund managers should establish processes for ongoing cybersecurity oversight of portfolio assets, appropriate to the level of control and the criticality of assets held.

Oversight activities may include:

• Regular reporting from portfolio asset management on cybersecurity status
• Review of security assessment results and remediation progress
• Monitoring of regulatory compliance across applicable frameworks
• Incident reporting and response coordination
• Board-level cybersecurity governance at portfolio companies

The appropriate level of fund-manager involvement varies based on ownership stake, governance rights, and asset criticality. Managers with control positions typically have greater oversight capabilities and responsibilities.

Technology Infrastructure for Fund Operations

Beyond security, infrastructure fund operations require technology systems capable of supporting long fund lives and complex investment structures.

• Portfolio Management Systems: Tracking investments, valuations, and operational data across diverse infrastructure assets requires appropriate systems. Infrastructure-specific functionality around project tracking and asset management may be needed.
• Document Management: Fund documents, asset-level contracts, permits, and regulatory filings accumulate over 15-25 year fund lives. Systematic document management supports both operations and eventual fund wind-down.
• Data Integration: Operational data from portfolio assets feeds into fund-level reporting. Systems and processes for collecting, validating, and integrating this data require attention.
• Business Continuity: Technology systems supporting fund operations need backup and recovery capabilities. The extended fund life means systems must remain available or be successfully migrated over long periods.

Questions to Address for Cybersecurity Programs

• What management company cybersecurity policies and procedures address SEC expectations?
• How is asset-level cybersecurity assessed during acquisition due diligence?
• What ongoing oversight processes monitor portfolio asset cybersecurity?
• How are sector-specific regulatory requirements tracked and compliance verified?
• What cyber insurance coverage exists at both fund and asset levels?
• How do technology systems support fund operations over extended fund lives?

Cybersecurity for infrastructure funds requires attention to both management company operations and the critical infrastructure assets that may constitute the portfolio. The elevated threat environment for critical infrastructure, combined with regulatory requirements and institutional LP expectations, makes cybersecurity an essential element of infrastructure fund operations.