Cybersecurity and IT for Secondaries Funds

Technology and cybersecurity infrastructure for secondaries funds must address the data-intensive nature of the strategy while protecting sensitive information from multiple sources. Evaluating potential acquisitions requires accessing confidential data about underlying funds and their portfolios, creating information security obligations that extend beyond typical private fund operations. Building appropriate technology capabilities supports both deal execution and operational security.

Data Management Requirements

Secondaries funds handle substantial data volumes throughout their operations:

During transaction evaluation, deal teams analyze detailed information about underlying fund positions, including NAV reports, portfolio company financials, capital account statements, and cash flow projections. This data often arrives in varied formats from multiple sources and must be organized for analysis.

Post-acquisition, the fund tracks ongoing reporting from potentially hundreds of underlying positions, each with different reporting formats, frequencies, and delivery methods.

Portfolio monitoring requires aggregating look-through data to understand exposure across underlying portfolio companies, sectors, and geographies.

Effective data management systems help organize this information, support analysis, and enable reporting without creating security vulnerabilities.

Core Technology Infrastructure

Technology infrastructure for secondaries operations typically includes:

• Deal Management Systems: Tracking potential acquisitions through the evaluation pipeline, storing due diligence materials, and managing transaction workflows
• Portfolio Monitoring Tools: Aggregating underlying fund data, tracking NAVs, and monitoring cash flows across the portfolio
• Document Management: Storing and organizing the substantial documentation generated by secondary transactions including transfer agreements, consent letters, and underlying fund reports
• Financial Systems: Accounting software, reporting tools, and integration with fund administrators
• Communication Platforms: Email, collaboration tools, and secure file sharing for internal and external communications

Cybersecurity Framework

Given the sensitive data handled, cybersecurity programs for secondaries funds should address multiple risk categories:

Access Controls

Managing who can access what information represents a foundational security element. Considerations include:

• Role-based access ensuring personnel can reach information needed for their responsibilities without unnecessary access to other data
• Multi-factor authentication for system access, particularly for remote access and sensitive applications
• Privileged access management for administrative accounts with elevated permissions
• Access review procedures to ensure permissions remain appropriate as roles change

Data Protection

Protecting data throughout its lifecycle involves:

Encryption for data at rest and in transit, ensuring intercepted data remains unusable to attackers.

Data classification to identify and appropriately protect the most sensitive information.

Secure destruction procedures for data that is no longer needed, particularly confidential deal information for transactions that did not proceed.

Endpoint Security

Protecting devices used by personnel includes:

• Endpoint detection and response tools to identify and respond to threats
• Device encryption for laptops and mobile devices
• Mobile device management for firm-owned and BYOD devices accessing firm systems
• Patch management ensuring software remains current

Network Security

Protecting the network environment involves:

Firewalls and intrusion detection systems monitoring network traffic.

Network segmentation separating sensitive systems from general access areas.

Secure remote access solutions for personnel working outside the office.

Monitoring for anomalous activity that might indicate compromise.

Vendor and Third-Party Risk

Secondaries funds rely on various service providers with access to sensitive information. Managing third-party risk includes:

Due diligence on vendor security practices before engagement, particularly for fund administrators, data providers, and cloud services.

Contractual provisions addressing data protection, breach notification, and vendor security obligations.

Ongoing monitoring of vendor security posture, including review of SOC reports where available.

Confidentiality Obligations

Secondary transactions typically involve non-disclosure agreements governing the use and protection of confidential information. Technology and security practices should support compliance with these obligations, including:

Tracking which personnel have access to information covered by specific NDAs.

Ensuring confidential information is not retained beyond permitted timeframes.

Preventing unauthorized disclosure through technical controls and monitoring.

Regulatory Considerations

SEC rules and guidance increasingly emphasize cybersecurity for registered investment advisers. Relevant requirements include:

Written information security policies and procedures reasonably designed to protect client information.

Incident response planning and breach notification procedures.

Vendor oversight and due diligence on service provider security.

LPs also increasingly request detailed cybersecurity information during due diligence.

Key Technology and Security Responsibilities

• Infrastructure Management: Maintaining and securing technology systems supporting operations
• Access Administration: Managing user access and permissions across systems
• Security Monitoring: Monitoring for threats and responding to security events
• Vendor Management: Overseeing technology and service provider security
• Policy Maintenance: Developing and updating security policies and procedures
• Training: Ensuring personnel understand security responsibilities and recognize threats

Incident Response Planning

Despite preventive measures, incidents may occur. Incident response plans should address:

• Detection and initial assessment procedures
• Containment steps to limit damage
• Investigation and remediation processes
• Notification procedures for affected parties and regulators as required
• Documentation and post-incident review

Questions to Address for Cybersecurity and IT

• What systems support our deal evaluation and portfolio monitoring data needs?
• How do we manage access to confidential transaction information across deal teams?
• What security assessments have we performed on critical service providers?
• How do we track and enforce NDA obligations through technology controls?
• What incident response procedures are documented and tested?
• How do we address LP due diligence questions about cybersecurity?