Here are three areas where PE firms need to direct their attention:
1. Avoiding value erosion in portfolio companies
While it can be hard to consistently measure comparative cyber risks across portfolio companies, a focus on the deal thesis and ROI provides funds a more uniform approach to handling cyber risk.
The ROI behind this thesis can be improved if GPs invest in the cybersecurity of portfolio companies, by reducing the risk of a major cyber incident. This is a risk to which a hard cost can be estimated, so ROI can be demonstrated relatively clearly. Concrete benefits of cybersecurity investment that can impact ROI also include:
- Addressing historical value erosion, such as unresolved cyberattacks in a target company’s past.
- Avoiding future value erosion in the form of penalties that could occur if action is not taken to prevent future security incidents, such as data breaches.
- Preventing deals from collapsing during due diligence. Effective cybersecurity diligence provides actionable intelligence and identifies weaknesses in the perimeter position. This creates an understanding of the portfolio asset’s risk profile so unplanned investments and expensive remediation programs throughout the hold period can be avoided.
Moreover, injecting capital into a business de facto requires consideration of cyber risk. The purpose of a PE investment is to change or evolve the way the business operates, which necessarily changes the threat landscape. In turn, an expanded threat landscape means that cybersecurity needs to be readdressed and threat modeled to understand the future risk position.
PE firms must be mindful that cyber threats to their portfolio companies are multifaceted and that many attacks are sector-specific. The nature and scope of threats facing a manufacturer may be very different from those facing an online retailer.
2. Avoiding direct attacks on the PE firm
PE firms are a prime target for increasingly sophisticated and bold cyber attacks because they have large quantities of capital at their disposal and regular involvement with third parties. Malicious adversaries have ample opportunities for attacks, such as targeted phishing, spoofing and digital impersonation, where large amounts of money could be siphoned during the course of a complex deal.
Alas, security fundamentals adapted to the business complexity and deal intensity are often seen as a blocker rather than an enabler in a deal context.
The volume and frequency of transactions themselves also provide an opportunity for attackers to steal money in a way that might go overlooked (i.e., fraud within the funds-flow process) or undetected for some time. In fact, PE firms might be doubly vulnerable, because when they do focus on managing cybersecurity and other operational issues, this focus tends to be within their portfolio companies, rather than within their own four walls.
3. Managing complications arising from COVID-19
Day-to-day operations for PE firms and their portfolio companies across every sector have been roiled by remote working practices – many of which may be here to stay. As in other sectors, remote work transforms cyber risk profiles.
IT assets such as laptops and smartphones are being used more frequently outside the office, where they can be lost or more easily accessed by malicious adversaries. A key risk arises from employees managing confidential intellectual property in environments such as their home or local café, where internet security is less stringent.
Security awareness is now becoming an important factor in security strategies as corporate employees are proving to be the easier target to breach rather than infrastructures. As such, risks to consider include:
- Phishing scams. In the age of COVID-19, these can often be in the form of fake public health emails containing malicious links.
- Attacks on high-level executives, who may have access to valuable assets and data, often with administrative IT clearance.
- Exploitation of home working environments, including unsecured networks, devices and applications in the hands of untrained individuals or employees’ children.
GPs should think seriously about how changes to operations and working locations prompted by the pandemic have affected the cybersecurity of each of their portfolio companies.
Assessing PE’s cybersecurity risk
To assess the risk, consider using a cybersecurity assessment framework that brings together a traditional risk-based cybersecurity assessment, a deal-focused cyber transaction assessment, and a cybersecurity due diligence review. This type of framework can help you understand and address these concerns throughout the M&A deal life cycle. Consider three lenses: investment thesis, business operations, and cyber risk and vulnerabilities– the outputs of which would be assessed against each security domain to identify the intrinsic risk for each portfolio company.
Summary
While the nature and scale of cyber risk varies by sector, these ever-present and evolving risks pose a threat to all businesses to some degree. PE firms are no exception, as they themselves are beginning to realize. They must be mindful of the cybersecurity of both their portfolio companies and their internal operations. Understanding both the nature of cyber threats and the opportunity to get in front of them is critical to both preserving and creating value.
