What action should private equity firms be taking to protect themselves against cyber security impacts to their portfolio?
There are three key stages to determining and addressing cyber security risk within a portfolio and this three-part series will look at each of these in turn.
These stages can be summarised as follows:
This Insight will detail the steps for the first stage - identifying and shortlisting the companies in your portfolio which are both more likely to suffer a cyber security breach and where that breach will impact their valuation.
The first step is to understand which companies are most likely to be under threat from cyber-attack. This is known as a threat analysis and consists of determining if there is sufficient motive for threat actors (bad guys) to attack portfolio companies. Long gone are the days of hackers causing malicious harm purely for fun - nowadays there is normally a strong financial, criminal or military incentive.
Here is a list of typical threat actors and their associated motives:
By assessing these threats and their motives, it is possible to create an initial list of target companies.
To further refine your shortlist, you now need to determine whether a breach would impact valuation. Here there are two key considerations. Will the direct financial losses – clean-up costs, notification costs, regulatory fines and litigation costs – have a significant impact on P&L? And would a cyber breach, and its impact on brand and reputation, inhibit the ability to deliver on value creation strategies?
These factors should also be considered:
Having assessed threat levels and valuation impacts, managers should have a shortlist of high-risk companies that require further scrutiny…