Private Equity and Cybersecurity – Gaining a Holistic View

A Growing and Costly Threat

Even before COVID-19, the cost of global data breaches, virus attacks, phishing and other cybercrimes was expected to reach $6 trillion in 2021, up from $3 trillion in 2015, according to cybercrime researcher Cybersecurity Ventures. Beyond direct losses in the form of funds, data or intellectual property, organizations that allow hackers to steal data or breach the privacy of their customers or employees also face the potential of fines, lawsuits, loss of revenue and damage to the brand. 

The pandemic and subsequent economic lockdowns that forced the vast majority of corporations to pivot to a work-from-home operating model have only increased cyber risk and emboldened malevolent actors to intensify their attacks on digital infrastructure. In a recent poll conducted by Threatpost, an IT and business security news organization, 40% of corporations reported a rise in cyberattacks as they shifted to remote working. 

The increasing emphasis on digital threats and IT security parallels a growing investor focus on environmental, social and governance (ESG) issues, which adds further pressure on private equity firms to consider the data and privacy strength of their portfolio companies. Following the lead of the European Union, which introduced the General Data Protection Regulation (GDPR) as law in 2018, California enacted the California Consumer Privacy Act in 2020. Currently, roughly 60 countries have data and privacy rules on the books and 14 states in the U.S. are mulling similar measures. In all likelihood, private equity firms have portfolio companies operating in many of these jurisdictions. 

Valuation Risk

Ultimately, portfolio companies that lack effective IT security or that have yet to reconcile a past cyberattack will be less attractive to potential buyers. That can not only erode the value of a private equity firm’s investment, but it also can tarnish the firm’s reputation and negatively impact future fundraising. Thus, resources invested today to enhance portfolio company cybersecurity will save money in the long run.

A strong commitment to IT security starts at the top, and while some private equity firms have been slow to adjust their focus beyond the traditional valuation metrics of companies within their portfolios, more are becoming cognizant of cybersecurity risk and the necessity to address it. That’s especially true when private equity firms are buying or making an initial investment in a company. 

Despite this growing recognition, however, the private equity industry has lacked a practical approach to address the cybersecurity issues and concerns of their portfolio companies. The reality is that assessing and formulating a tailored cybersecurity strategy for each company in a portfolio is an inefficient prospect that would saddle the companies as well as the private equity firm with undue investment in time and costs. What’s more, private equity teams may feel compelled to focus their cybersecurity efforts on their most highly valued investments when in reality  companies with lower valuations may be in greater danger.

Adopting a Holistic Approach

So what is the best way for private equity firms to tackle the cybersecurity needs of their investments? An ideal solution involves looking at portfolio investments holistically versus individually – that is, bringing the IT security of portfolio companies as a group to an acceptable minimum threshold, and then maintaining that threshold and/or tweaking it for specific company needs. The strategy provides private equity firms with a number of benefits, including the ability to:

• Leverage cybersecurity assessment and protection spend across the portfolio, creating greater efficiency compared with evaluating each company individually.
• Identify companies with higher risk to cyber threats, as well as those in specific industries that present unique IT security challenges, and formulate a game plan on how to address them.
• Establish the practice at the fund level as another foundational business function akin to financial reporting or investor relations, demonstrating a commitment to responsible governance in an era in which investors are focusing more on ESG concerns. 

Following is a high-level overview of a holistic security risk program for private equity firms. 

Maturity Self-Assessment and External Exposure Assessment

As a first step, private equity firms should assess the current state of cybersecurity within their portfolio companies. 

• Conduct a security benchmarking survey based on leading industry frameworks.
• Perform a maturity self-assessment survey for selected portfolio companies and related IT security programs.
• Develop profiles of company-specific threats for each company in a portfolio.
• Analyze survey and threat assessment results and how they compare with the risk appetite of the private equity firm, other portfolio companies and industry data.

Targeted Assessment Procedures

This step is focused on companies in a portfolio that rank below threshold maturity and/or that face an elevated risk. It also covers companies in which private equity management is considering investment decisions. Whatever the case, targeted procedures that are performed include:

• Cyber risk quantification
• Security program assessment
• Internal vulnerability scanning
• Social engineering and phishing testing
• Incident response and compromise assessments 
• Other industry-specific actions

Reporting and Analysis

Develop reports on overall IT security risk exposure based on self-assessment maturity benchmarks and targeted procedures, and create detailed summaries, observations and maturity scoring at the portfolio and individual company levels.