Portfolio Cyber Risk At The Private Equity (PE) Level
The cyber threat landscape is continuously evolving, and the severity of attacks shows no signs of slowing down, making the management of cyber risk a difficult task for any organization, regardless of size or industry. However, for Private Equity (PE) firms and their Portfolio Companies (PortCos), understanding and managing cyber risk has proven to be even more complex. In fact, smaller businesses can be at higher risk of more significant impacts that could decrease the overall valuation.
Furthermore, the Private Equity ecosystem continues to be highly targeted due to the volume of sensitive data, the public nature of ongoing deals, and the overall lack of resources committed to cybersecurity prevention, especially in the small and middle market sectors.
According to Accenture, 68% of clients see an uptick in incidents during the month of a deal closing.[1] Mid-sized companies are the sweet spot for many bad actors, as they tend to operate with smaller cybersecurity budgets while focusing heavily on growth and revenue goals.
Costly Consequences Of Cybersecurity Breach: Key Considerations For PEs
While most individuals focus on the financial impact of a cybersecurity breach, there are other important consequences that should be considered. Other common consequences of a breach include reputational impact, litigation, business valuation, and business downtime; however, new impacts are emerging for PEs in the aftermath of a breach event.
- The SolarWinds Example: Class Action Litigation
One such example is the case of SolarWinds and its PE partners, Silver Lake and Thoma Bravo Partners. After the SolarWinds breach, a Class Action lawsuit was brought against the PE firms. The lawsuit stated that the business strategy played a role in the security deficiencies that resulted in the breach. The lawsuit further cited that short-term strategies played a role by decreasing budget and investment in security to bolster profits. Additionally, the cybersecurity practices documented in filings and public comments did not exist. The lawsuit was eventually settled for $25M+ to a set of shareholders.[2]
Although these types of threats and consequences are not new to the cybersecurity industry, they are becoming increasingly prevalent and important to private equity firms that are invested in and are setting strategies and budgets for their PortCos.
Mitigating Cyber Risk: How You Can Build An Effective Program With Lean Resources
Outside of some large-cap PE firms, most do not have the resources to build an in-house cybersecurity team to work with their portfolio companies to manage and mitigate risk on a full-time basis. So, what is practical and effective for small to mid-sized firms to build robust cybersecurity programs while protecting the business and maximizing returns?
Here are 6 vital tips private equity business leaders should consider including in their risk mitigation strategies when building a program to support portfolio companies.
1. Identify a Cyber Partner & Advisor
Find a trusted partner to support you on your journey toward building a cybersecurity program. The right partner should be an experienced cybersecurity resource on the team and should guide the implementation and evolution of the program.
2. Know Your Portfolio Cyber Baseline
It is important to understand which assets pose the greatest risk. Conduct a portfolio-wide review to understand cyber risks across each company. Many of your PortCos may already be performing assessments and tests of their environments, which can be used to expedite and enhance the review process. The baseline should include context for each organization based on its industry, types of data, and overall inherent risk.
- Conduct a Regulatory Review
As part of establishing your portfolio cyber baseline, it is important to incorporate any regulatory requirements. The regulatory landscape is ever-changing, with requirements varying by industry, geography, and other facets. Being compliant, while not the goal of cybersecurity, is an important component of building a robust cybersecurity and privacy program and of a broader company roadmap that avoids downstream regulatory impacts and maintains compliance.
3. Hold Educational Sessions
Many executives and board members do not understand cybersecurity, its inherent risks, and the overall threat landscape; therefore, investing time to educate business leaders will enable them to make better-informed decisions about cybersecurity measures. Building a cyber risk-aware culture that flows through the organization can help deter some of the most basic attacks.
4. Establish a Governance Model
If it is not already, cybersecurity should be discussed at the Board level to highlight key deficiencies and to review the roadmap to a mature program. The PE team, along with the asset’s executives, should work jointly with the Board of Directors (BOD) to develop a cadence of reporting.
5. Consider a Cyber Insurance Policy
Every PE firm and its portfolio should evaluate the purchase of cyber insurance as part of their holistic approach to cyber risk management and mitigation strategies. PE firms can leverage their relationships and portfolios to gain competitive pricing and broad coverage.
6. Develop a Set of Minimum Cyber Requirements
Focus on establishing a set of minimum cybersecurity requirements for your portfolio. Depending on your relationship with each PortCo (e.g. majority ownership), you should require a set of “Cyber 101” requirements that will defend the organization from basic cybersecurity attacks.
In today’s rapidly evolving threat landscape, the stakes for PE firms and their portfolios have never been higher. PE operating partners and managing partners should view effective cybersecurity programs as a way to create value from acquisition to exit. Partnering with the Chief Information Security Officers (CISOs), risk managers, and management of the portfolio companies can help create a foundation for an effective cyber risk program despite lean resources. By making small investments and tackling these 6 practical strategies, you can make a big difference in reducing the threat of exposure and potential negative impacts of a cyber breach event.
PEs should identify and partner with an experienced cyber provider to support their team in building a cyber risk program. At a certain point, the PE firm will be able to offer a variety of cyber (and other) services through its trusted partners at discounted rates in a type of shared services model.
Ankura supports PE clients and their portfolios through the deal lifecycle, from pre-acquisition diligence and value creation to exit, with experts specializing in working with small to medium-sized businesses (SMBs) to address their specific and unique challenges, including cyber risk mitigation. For more information about how our expertise can strengthen your organization’s cybersecurity posture and risk management program, check out our comprehensive solutions or contact us today at email@example.com
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.