Cyber Security Risk Management for Private Equity Firms

15 Jun 2020

What action should private equity firms be taking to protect themselves against cyber security impacts to their portfolio?

There are three key stages to determining and addressing cyber security risk within a portfolio and this three-part series will look at each of these in turn.

These stages can be summarised as follows:

  • Creating a shortlist of cyber vulnerable companies
  • Carrying out company risk assessments
  • Managing identified cyber risk

This Insight will detail the steps for the first stage - identifying and shortlisting the companies in your portfolio which are both more likely to suffer a cyber security breach, and where that breach will impact their valuation.

Threat analysis

The first step is to understand which companies are most likely to be under threat from cyber-attack.  This is known as a threat analysis and consists of determining if there is sufficient motive for threat actors (bad guys) to attack portfolio companies.  Long gone are the days of hackers causing malicious harm purely for fun - nowadays there is normally a strong financial, criminal or military incentive.

Here is a list of typical threat actors and their associated motives:

  • Cyber criminals wanting to commit fraud through stealing and selling identities (personal data)
  • Cyber criminals wanting to commit payment fraud through either stealing credit and debit card data or breaking into payment systems
  • Sovereign state actors wanting to steal valuable intellectual property
  • Sovereign state actors who wish to massively disrupt the operations of a company as part of a cyber warfare operation
  • Competitors wanting to steal valuable intellectual property
  • Hacktivists who have a strong ‘moral’ purpose and wish to make a statement
  • Insiders who are either unhappy with the company, or are working in alliance with another threat actor for financial reward

By assessing these threats and their motives it is possible to create an initial list of target companies.

Target companies

  • Holders of large amounts of personal data, ranging from username / password pairs to financial information and addresses – e.g. retail, health, financial services
  • Businesses that operate transactional systems – e.g. payment systems processors, clearing houses, retail
  • Businesses that invest heavily in research and development – e.g. pharmaceutical, aerospace, defence etc.
  • Businesses that could be considered part of the Critical National Infrastructure, or companies that have a supporting role – e.g. utilities, the utilities supply chain, parts of the financial system
  • Businesses that engage in activities that impact areas of popular activism – e.g. businesses that impact the environment in a manner that could be considered harmful
  • Businesses that have undergone, or are about to undergo, significant staffing or operational change which could result in disgruntled employees

Valuation impacts

To further refine your shortlist you now need to determine whether a breach would impact valuation.  Here there are two key considerations.  Will the direct financial losses – clean-up costs, notification costs, regulatory fines and litigation costs – have a significant impact on P&L?  And would a cyber breach, and its resulting impact on brand and reputation, inhibit the ability to deliver on value creation strategies?

These factors should also be considered:

  • The average cost of a data breach in 2018 in the UK was $3.68m, in France $4.27m and Germany $4.67m.  Would a one-off loss of this size impact company valuation?
  • Companies that suffer an initial breach are statistically more likely to suffer a second breach. What impact would a second breach have on company valuation?
  • Would a cyber breach be likely to impact the core operations of a company?  For instance, a loss of credit card details at a company which provides online payment solutions.  Breaches impacting core business operations are likely to have a very large strategic impact, and so impact asset value profoundly.
  • What is the exit strategy for this company, and does the prospective market value proven cyber security investment?
  • Has a competitor recently suffered a cyber security breach, therefore creating an opportunity for enhancing market share and creating value by investing in cyber security?

Having assessed threat levels and valuation impacts, managers should have a shortlist of high-risk companies that require further scrutiny…

Bob Nicolson | Head of Consultancy