Private equity firms are increasingly investing in companies with significant cyber security risks, yet many struggle to manage these risks effectively.
The average cost of a data breach for private equity firms is around $5 million, according to a recent study.
Private equity firms often have limited cyber security expertise, which can make it difficult to identify and mitigate risks.
At the same time, private equity firms can leverage their investment portfolio to share cyber security best practices and resources across portfolio companies.
Cyber Security Risks
Mid-sized companies, the sweet spot of PE, tend to operate with lower budgets for their cybersecurity systems.
PE firms look to achieve growth and are keen to move at a fast clip, which can lead to a temptation to undervalue or completely overlook cybersecurity.
Many of these portfolio companies fall into a category deemed "Cyber Risk Takers".
Improving Cyber Security
Cyber Champions stop more attacks, face less disruption, and achieve lower costs per attack. This matters most for mid-sized companies, the sweet spot of private equity, which often operate with lower budgets for their cybersecurity systems.
To improve a portfolio company's cybersecurity capabilities, consider the five steps recommended by Accenture, which include improving cybersecurity, increasing resilience with ease and at speed, and setting expectations on cybersecurity liabilities and costs. This helps firms prepare for the expected spike in incidents and build cyber resilience as part of a strong digital core.
Interventions can be catalyzed quickly and painlessly, and can be done before deals are closed, to prepare for a surge in cyberattacks, manage the risk, and ensure speed to value. Accenture ranks first in cybersecurity service providers, employing more than 16,000 professionals globally.
Fund leaders can set clear expectations that cybersecurity risk be assessed, discussed, and monitored like any other risk or regulatory requirement. This approach helps avoid overly prescriptive mandates that could be counterproductive.
Funds can pay for their cybersecurity programs without incurring additional expense:
- Fund leaders can embed the expense of their cyber program within the management fees that portfolio companies pay to the fund.
- This approach incentivizes the portfolio companies to take advantage of fund-level services, since the companies have already contributed resources to the program.
By taking these steps, private equity firms can improve the cyber security of their portfolio companies and reduce their cybersecurity insurance expense.
Incident Response Readiness
For a private equity firm, having a robust incident response plan in place is crucial to minimize the damage from a cyber attack. The plan should be tested regularly to ensure it is effective.
A quick review of access controls can prevent overly open access and reduce the blast radius of a potential attack: not everyone should have access to everything.
A tested response plan is essential to prevent misguided communication and uncoordinated action, which can multiply the damage of an attack. This is often the difference between a contained issue and a full-blown crisis.
Regular testing of the incident response plan can help identify areas for improvement and ensure that everyone knows their role in the event of an attack. This can save valuable time and resources in the long run.
Due Diligence and Strategy
Private equity firms need to understand cyber risk before purchasing a company. This is becoming table stakes in pre-acquisition diligence, with 65% of companies experiencing regret in making an M&A deal due to cybersecurity concerns.
Robust cyber diligence includes understanding technical and regulatory risk for each specific company's business model, history of incidents, resources required to address known security gaps, and the likely cost of these improvements. This involves gathering key performance indicators of an acquired company's cyber program, which can then be tracked and improved throughout the ownership lifecycle.
A simple set of written check-the-box diligence questions is often not enough anymore. Technical testing during diligence can refine and improve insights, and driving diligence findings into the company's onboarding process can spur short-term action for both the fund and the portfolio company.
Due Diligence
Due Diligence is a crucial step in the M&A process, and it's becoming increasingly important to consider cybersecurity risks in this phase. 65% of companies experience regret in making an M&A deal due to cybersecurity concerns, according to Forbes.
Understanding cyber risk is essential before purchasing a company, as acquirers may be found negligent for failure to conduct proper diligence of their acquisition's security posture and data privacy compliance. Litigation in US federal courts and regulatory investigations in Europe have made this clear.
A robust cyber diligence process includes understanding technical and regulatory risk for each specific company's business model, history of incidents, resources required to address known security gaps, and the likely cost of improvements.
Managing Strategy Throughout the Transaction Lifecycle
Managing a private equity cybersecurity strategy throughout the transaction lifecycle is crucial to mitigate risks and protect investments. Cybersecurity is relevant in four distinct phases: due diligence, announcement and onboarding, value creation, and exit.
During due diligence, it's essential to conduct robust cyber diligence, including understanding technical and regulatory risk for each company's business model, history of incidents, and resources required to address known security gaps. This involves gathering key performance indicators of an acquired company's cyber program, which can be tracked and improved throughout the ownership lifecycle.
In the announcement and onboarding phase, there is a heightened cyber risk, and swift action is required to mitigate threats. Funds can conduct short-term technical risk mitigation measures, such as deploying advanced endpoint protection and verifying backups.
The value creation period, typically three to five years, requires fund-level efforts to address cybersecurity. This includes designating a single point of contact, using available data to identify security weaknesses, and building information-sharing communities among portfolio companies.
Here are some key takeaways for managing a private equity cybersecurity strategy throughout the transaction lifecycle:
- Conduct robust cyber diligence during due diligence
- Implement short-term technical risk mitigation measures during announcement and onboarding
- Designate a single point of contact and use available data to identify security weaknesses during the value creation period
- Build information-sharing communities among portfolio companies
By following these strategies, private equity firms can effectively manage their cybersecurity throughout the transaction lifecycle and protect their investments.
Value Creation and Exit
During the value creation period, private equity investors need to think strategically about cybersecurity to maximize returns and minimize risks. Designating a single point of contact at the fund to oversee cybersecurity is a common practice, often filled by a cyber-specialist with experience in the field.
Fund-level efforts to address cybersecurity include using available data to identify security weaknesses and vulnerabilities, and following up to ensure portfolio companies address these issues. This proactive approach helps prevent cyber attacks and protects investments.
Private equity investors can also build information-sharing communities among portfolio companies to share threats and best practices, and provide threat intelligence to portfolio companies to stay ahead of cyber threats.
A Good Target
Private equity firms are prime targets for cyber attackers, and it is not hard to see why: 68% of our clients see an uptick in cyber incidents during the month of a deal closure.
The average ransom paid for mid-sized companies is $1m+, which can be a devastating blow to a company's finances.
Many private equity firms lack cyber insurance, which can leave them exposed to financial losses; in fact, 1 in 2 companies lack cyber insurance.
The consequences of a cyber attack can be severe, affecting not only the portfolio company but also the private equity firm itself. The reputations of both the portfolio company and the private equity firm are at risk.
Here are some potential consequences of a cyber attack:
- The acquired portfolio company’s value creation can be sandbagged, not to mention the value of the overall holding enterprise.
- To add insult to injury, once paid, threat actors could come back, targeting the PE firm itself or infiltrating other portfolio companies.
Phase 3: Value Creation
During the value creation period, private equity investors face a critical challenge: balancing their traditional hands-off approach with the growing threat of cyber attacks.
Designating a single point of contact for cybersecurity at the fund level is becoming more common, often filled by a cyber-specialist like a former chief information security officer or another experienced professional.
To identify security weaknesses and vulnerabilities, funds use available data to pinpoint issues and follow up to ensure portfolio companies address them.
Building information-sharing communities among portfolio companies is another strategy funds use to share threats and best practices.
Providing threat intelligence to portfolio companies is also a key effort.
Sources
- https://www.financierworldwide.com/qa-tackling-cyber-risks-in-the-private-equity-industry
- https://www.accenture.com/us-en/insights/strategy/private-equity-rising-cost-cyberattacks
- https://www.frameworksec.com/post/private-equity-firms-and-cybersecurity
- https://www.quadrantsec.com/post/the-importance-of-cybersecurity-for-private-equity-firms
- https://www.ey.com/en_us/insights/strategy/how-private-equity-cybersecurity-can-improve-deal-value-creation