While cybersecurity remains a serious consideration for hedge funds, family offices and other asset managers, cyber threats present a unique challenge to today’s private equity firms. As the risk of cyber attacks rises worldwide, the private equity firms that take that risk most seriously stand to gain the most.
As with risk management in general, your potential investors are becoming more and more demanding. By taking a proactive approach to cybersecurity, you’ll ultimately strengthen your investors’ confidence and trust.
In addition to protecting your firm from increasing cyber threats, demonstrating robust cybersecurity can also provide a competitive advantage when attracting investors and help maximize the value of your firm’s portfolio.
Following is some practical advice on how effective cybersecurity can unlock greater funding potential for your firm.
Use a dual strategy when assessing your cybersecurity risk
In order to fully prepare for a mounting cyber threat environment, private equity firms need to employ a dual strategy approach to their cybersecurity measures. First, you need to protect your firm and your investors’ assets. Second, you need to carefully assess the cyber risk at your target portfolio companies.
Protecting your firm and your investors
CSO reported earlier this year that damages from cyber crime are estimated to hit $6 trillion annually by 2021. And according to the Institute of Risk Management, all types and sizes of organizations are vulnerable to cyber risks, not just high-profile names that make daily news headlines.
Be especially aware that the threat level extends to your LPs as well. Gone are the days when your LPs only asked general questions about cyber risk. Now, not only do they know the right questions to ask, they also have a better understanding of the answers they’re looking for.
In fact, results from a 2017 Coller Capital survey of 110 private equity investors worldwide indicate that 55% of the LPs surveyed said they expect a serious cyber attack on their firm in the next five years.
There are three primary types of direct cybersecurity threats to private equity firms as stated in the Guide to Cyber Security (British Private Equity & Venture Capital Association):
- Mergers and acquisitions – risk increases as soon as the idea of an M&A is discussed, even privately before any public announcement
- Financial information – targets can be both individuals and businesses
- Dilution of portfolio value – impairments due to an attack can be so bad that they call for an alternative or exit strategy
As you can see, the threats are very real and they’re not going away. Because threats are constantly evolving, you need to be properly prepared to challenge them on a regular basis. It’s also important to have an IT partner working with you who understands how threat vectors are changing.
Here are some basic steps you can take to protect your firm and your investors:
- First, determine how much cybersecurity really matters to your firm and how your investors are interpreting your level of concern.
- Develop a framework for how you evaluate the basic risks to your business (e.g., strong vs. weak passwords, who has admin rights, etc.) based in part on proven best practices already being used in the industry.
- Clearly identify where you have any existing cyber vulnerabilities (i.e., don’t assume anything; what you believe is secure in your firm—such as login procedures—may actually no longer be as secure as you thought).
- Invest the time to educate and train all of your employees regularly about cyber threats and the importance of taking stringent proactive measures to protect your firm and your investors. Make your employees feel that they’re an integral part of the solution.
- Implement a social media policy that governs what can and can’t be said in various forums. Even seemingly innocent comments can be used against you in both phishing and spear phishing attacks.
- Conduct regular ongoing evaluations of your cybersecurity policies and hold tabletop exercises with employees to simulate potential threats and practice how to respond correctly.
Bottom line, you need to have the right cybersecurity team in place that constantly evolves, regularly monitors and guides your private equity firm through the ever-changing cyber threat landscape.
Protecting your portfolio company targets
Now that you’re more aware of how to protect your firm and your LPs from cyber threats, what about your portfolio company targets? You certainly don’t want to add a company to your portfolio only to find out several months later that it contains a cyber risk you weren’t aware of, with the end result being a diminished investment. Not only that, you can potentially suffer a loss of reputation as well as legal repercussions.
It’s actually smart to assume from the start that all companies are at risk of a cyber attack, regardless of the type of data they contain. Threats include anything from data theft and destruction to target fraud and everything in between.
According to the Guide to Cyber Security (British Private Equity & Venture Capital Association), there are three key types of information that are known to increase the likelihood of a company being the target of an attack:
- Trade secrets – including intellectual property, business intelligence, and confidential communications
- Consumer data – including financial information and any personally identifiable information, especially data connected to retail organizations
- Government assets or critical national infrastructure – organizations involved in the government and defense sectors
What can you do to help mitigate risk when evaluating portfolio company targets for your private equity firm? Following are three basic recommendations:
- Embed a deep level of cybersecurity into your M&A due diligence process to discover potential issues prior to deal closings.
- Create visibility into the risks facing your portfolio so that you’re prepared to maximize your investment when it comes time to sell your stake.
- Take a systematic look at the cyber risk involved in any potential investments just as you evaluate other key areas of a portfolio company target, such as sales, purchasing, management, and other concerns.
As you can see, it will take some hard work to properly protect your firm and become better aware of cyber threats in your portfolio companies. However, the payoffs from increased investor confidence, and thereby funding, will make all of the effort well worth it.