Cyber Security Risk Management for Private Equity Fund Managers

What action should private equity firms be taking to protect themselves from a portfolio cyber security breach?
There are three key stages to determining and addressing cyber security risk within portfolio companies. This three-part insight will look more closely into each of these areas and today we are tackling how to determine which of your portfolio may be at risk.

Determining companies at risk within a portfolio

The first step is to understand which companies are most likely to be under threat from cyber-attack. This is known as a threat analysis and consists of determining if there are sufficiently motivated threat actors (bad guys) who would have an interest in attacking the company. For example:

Threat - Actors

  • Cyber criminals wanting to commit fraud through stealing and selling identities (personal data)
  • Cyber criminals wanting to commit payment fraud through either stealing credit and debit card data or breaking into payment systems
  • Sovereign state actors wanting to steal valuable intellectual property
  • Competitors wanting to steal valuable intellectual property
  • Sovereign state actors who wish to massively disrupt the operations of a company as part of a cyber warfare operation
  • Hacktivists who have a strong ‘moral’ purpose and wish to make a statement
  • Insiders who are either unhappy with the company, or are working in alliance with another threat actor for financial reward

With these in mind, certain types of company are more under threat than others:

Target Organisations

  • Holders of large amounts of personal data, ranging from username / password pairs to financial information and addresses – e.g. retail, health, financial services
  • Businesses that operate transactional systems – e.g. payment systems processors, clearing houses, retail
  • Businesses that invest heavily in research and development – e.g. pharmaceutical, aerospace, defence etc
  • Businesses that could be considered part of the Critical National Infrastructure, or companies that have a supporting role – e.g. utilities, the utilities supply chain, parts of the financial system
  • Businesses that engage in activities that impact areas of popular activism – e.g. business that impact the environment in a manner that could be considered harmful
  • Businesses that have undergone, or are about to undergo, significant staffing or operational change which could result in disgruntled employees

Assessing your portfolio against this advice should yield a shortlist, although of course depending on your investment strategy this could still include your full portfolio.

Valuation Impacts

To further refine your shortlist you now need to determine whether a breach would impact valuation. Here there are two key considerations. Will the direct financial losses – clean-up costs, notification costs, regulatory fines and litigation costs – have a significant impact on P&L? And would a cyber breach, and respective impact on brand and reputation, inhibit the ability to deliver on value creation strategies?

These factors should also be considered:

  • The average cost of a data breach in 2018 in the UK was $3.68m, in France $4.27m and Germany $4.67m. Would a one-off loss of this size impact company valuation?
  • Companies that suffer an initial breach are statistically more likely to suffer a second breach. What impact would a second breach have on company valuation?
  • Would a cyber breach be likely to impact the core operations of a company? For instance, a loss of credit card details at a company which provides online payment solutions. Breaches impacting core business operations are likely to have a very large strategic impact, and so impact asset value profoundly.
  • What is the exit strategy for this company, and does the prospective market value proven cyber security investment?
  • Has a competitor recently suffered a cyber security breach, therefore creating an opportunity for enhancing market share and creating value by investing in cyber security?

Having assessed threat levels and valuation impacts, managers should have a shortlist of high-risk companies that require further scrutiny…

For more information and a full copy of the Whitepaper on Cyber Security Risk Management for Private Equity Fund Managers “ How to Keep your Portfolio Company out of the Headlines” click here or get in touch

Published on

Bob Nicolson | Head of Consultancy