Part III - Cyber Security Risk Management for PE Firms

20 May 2020


In the first two parts of this series we looked at determining companies at risk within a portfolio and then assessing the cyber risk within a particular company. Today we will look at how to manage those risks and give you our key “takeaways” on keeping your portfolio out of the headlines.

Managing cyber risks within a portfolio company

Once cyber business risks have been identified and qualified, decisions will need to be made on how to manage these risks. It may not be necessary to mitigate all risks, and indeed the costs of doing so could well outweigh the risk reduction benefits. Risk acceptance or transference via insurance should also be considered, and a cyber security improvement programme initiated if required.

Risk management actions

  • Transference - Insure against cyber-related financial losses. Not suitable for reputational risks
  • Acceptance - Accept lower-rated risks, and put in place partial mitigations
  • Mitigation - Implement control improvements to reduce both the likelihood and impact of risks

It may prove useful at this point to distinguish between tactical and strategic mitigation initiatives. Tactical actions may be required if critical risks are identified during the assessment which require mitigation almost immediately. An example of a tactical recommendation could be a manual check of staff access to a system, carried out on a monthly basis, prior to the strategic automated check being rolled out. Tactical solutions could also be the preferred approach if a company is close to being sold. A cyber breach close to exit could have a significant impact on company valuation, and tactical solutions may be the best approach to preventing this.

Care should be taken at this point to ensure that mitigation initiatives align with the broader resourcing and technology strategy of the company. For instance, if organisational change is required, including a headcount increase, outsourcing options should be investigated if the company is pursuing an outsourcing strategy.

Similarly, if there is a need for technical investment, this should be made in line with any procurement efficiencies that are being followed, for example a single-vendor or multi-vendor strategy.

Whilst these decisions are being made and mitigation initiatives implemented, governance changes should also be introduced. Most importantly, a process and framework for ongoing cyber risk management should be put in place, enabling the identified cyber business risks to be tracked and managed, and emerging cyber risks to be identified as either the threat landscape or the business changes.

Ultimately, the output from this should provide the fund manager and management team with full visibility of cyber business risk within the company, and hence the capability to manage that risk.

One final note. At this key stage, and prior to significant cyber security investment, it would be sensible to determine whether a cyber risk accreditation, such as ISO 27001, should be pursued. This could create significant extra value in certain industries whilst being cost effective to implement if rolled into a cyber security improvement programme. If this is to be pursued, the earlier the decision is taken the better.

Key takeaways:

  • Determine the key cyber threats to your portfolio companies
  • Create a shortlist of companies most under threat
  • Refine your shortlist further based on potential impacts to company valuation
  • At company level, determine key cyber business risks
  • Evaluate these risks by assessing the control landscape – people, process and technology
  • Decide which risks require action, and create action plans which match your full potential plan
  • Implement governance and organisational changes as appropriate
  • Determine if a cyber security accreditation would add value to the company
Bob Nicolson | Head of Consultancy