Managing portfolio cyber risk - a guide to private equity cyber security

21 Nov 2023

Managing portfolio cyber risk - a guide to private equity cyber security

Published on

Bob Nicolson | Head of Consultancy

bob.nicolson@nicolsonbray.com

How should private equity firms take control of cyber security risk across their portfolios?

There are several challenges here, as different companies will have different risk profiles, and the controls required to protect them will vary considerably. 

A significant breach in just one portfolio company can jeopardise a fund’s reputation and impact its overall value. As such, it is vital to implement a fund-wide cyber security strategy in order to safeguard investments and maintain investor confidence.

This article explores a three-stage approach to private equity cyber security.

Analysing cyber risk across private equity portfolios

Effective private equity cybersecurity begins with a high-level risk analysis of the entire portfolio.  

One approach is to combine a threat analysis with an assessment that gauges valuation impact in the event of a breach occurring.

Portfolio threat analysis

The first step is identifying potential malicious threat actors and determining their motivation.

Most attacks have a strong financial, criminal or geopolitical motive. Common scenarios include:

  • Cyber criminals seeking financial gain: Primarily target entities where they can access personal and financial data, and potentially ransom that data. Originally, the focus was on retail chains, healthcare providers and financial services firms; however, more recently, the focus has spread to any industry processing personal data. The risks encompass direct data breaches and subsequent regulatory and reputational damage.
  • Sovereign state actors: State-sponsored groups seek to steal valuable intellectual property or to destabilise geopolitical rivals.  The latter has seen a significant increase since the beginning of the wars in Ukraine and Israel. 
  • Corporate espionage: Competitors may engage in cyber espionage to obtain sensitive business information or intellectual property.
  • Hacktivism driven by ideological goals: Hacktivists, motivated by moral or political objectives, typically target companies engaged in environmentally or socially sensitive operations. They use cyber-attacks to disrupt or make statements against these businesses.
  • Insider threats from employees or collaborators: These threats emerge from individuals within an organisation who may exploit their access to sensitive systems and information for personal gain or to damage the company.

By understanding threat actors and their preferred targets, private equity firms can begin to rate companies in their portfolios as more or less likely to be attacked. A simple metric of high, medium, and low can be useful here for differentiation.  

For instance, a healthcare company holding patient records would be rated as under high threat, whereas a waste disposal and recycling business might be rated as under low threat.

Valuation impact assessment

Understanding how a breach might impact a company's valuation is crucial for prioritising cyber security focus. 

Whilst direct financial losses from cyber incidents, such as clean-up costs, should be considered, they will often only impact one or two years of P&L. As such, their impact on valuation may not be significant. 

However, any impact on a company's brand, reputation, or strategic value-creation capabilities has a much greater impact on valuation. In addition, a breach that hits a company's core operations, like a payment system provider losing credit card details, can have a severe strategic impact. 

Working through the list of threat actors per company and the potential security incidents they may cause can help identify and rate these valuation impacts.  Again, a simple metric of high, medium, and low can be useful for further prioritisation.

Once valuation impact and potential threat level have been assessed, private equity firms can decide whether to take an active role in further cyber security assessments or leave this matter to senior management teams.

For instance, a PE firm may take a more hands-on approach if either impact or threat levels are high, but if not, take a hands-off approach.

Exit strategy considerations

A company's exit strategy, including the timing and positioning for sale, should also be taken into account when prioritising focus. A robust cyber security track record and strong cyber security controls can enhance a company's market value, especially if competitors have previously suffered breaches.

As cyber due diligence becomes more common, preparing a company pre-exit is becoming a more important consideration.

Evaluating cyber risks within portfolio companies

After identifying higher-risk companies and prioritising focus, the next step is to determine the levels of cyber risk within these identified companies.

At the core of this stage is a rigorous assessment of each shortlisted company.

Understanding cyber business risks

The assessment's initial focus builds on the previous stage’s identification of potential incidents and moves into a more detailed understanding of the financial, regulatory, and business strategy impacts. 

This is often done through interviews with the senior management team. At this stage, additional risks and potential incidents are also discovered.

As well as the reputational and strategic impacts, the following direct financial impacts should also be considered:

  • Forensic investigation costs: The expenses incurred in identifying and understanding the breach.
  • Clean-up costs: Expenses related to server rebuilds and system restorations.
  • Crisis management costs: Fees for engaging external incident management teams.
  • Immediate operational costs: Losses due to business interruption and system downtime.
  • Notification and communication costs: Expenses for informing customers and regulators about the breach.
  • Post-incident response costs: Additional customer care and fraud protection costs following an incident.
  • Litigation and legal costs: Legal expenses arising due to the breach.

Defining and assessing controls

After identifying core cyber business risks, the next step is to define controls that mitigate them by reducing their likelihood or impact and rigorously assess these controls.

This involves:

  • Assessing IT and security architecture: Evaluating whether current IT and IT security infrastructures are adequate to protect against the identified risks.
  • Evaluating organisational processes: Checking if organisational processes and governance structures are adequate to protect against the identified risks.
  • Output utilisation: Using the outcomes of these assessments to quantify and qualify the level of cyber business risk.

By identifying cyber business risks first and then defining and assessing controls, it is possible to carry out a highly tailored assessment specific to that particular portfolio company. 

This creates a precise understanding of the level of cyber risk and enables highly focused risk mitigation strategies.

Managing identified cyber risks

Once cyber business risks have been identified and evaluated, the next step involves deciding on the best course of action for managing risks. Not all risks warrant full mitigation; the costs might outweigh the benefits. 

Instead, a balanced approach involving risk transference, acceptance, and mitigation is most practical and cost-effective.

Risk management actions

There are three main approaches to cyber risk management:

  • Transference: This involves insuring against cyber-related financial losses. While effective for certain financial risks, it does not typically cover reputational damage.
  • Acceptance: Lower-rated risks might be accepted with partial mitigations, recognising that not all risks can or should be fully mitigated.
  • Mitigation: This involves implementing control improvements to reduce the risks' likelihood and impact.

At this stage, it's also ideal to differentiate between tactical and strategic mitigation initiatives.

Tactical actions are short-term solutions designed to address immediate, critical risks. 

For example, manual checks of staff system access could be implemented as an interim measure before more comprehensive, automated controls are rolled out. 

This is particularly relevant when a company is nearing a sale, as a cyber breach could significantly impact valuation, but there is little appetite or time to implement strategic fixes.

Implementing governance changes

Ongoing cyber security governance is pivotal to the longevity of risk mitigation strategies. 

This involves establishing a framework for ongoing cyber risk management, allowing for consistent tracking and management of identified risks and the identification of emerging threats as the business or threat landscape evolves.

Considering cyber risk accreditation

Before making significant investments in cyber security, considering a cyber risk accreditation like ISO:27001 is worthwhile. 

The accreditation process can integrate into a broader cyber security improvement program.

Private equity cyber security FAQs

How can a breach in a portfolio company impact the private equity firm?

A breach in any portfolio company can jeopardise the reputation and financial stability of the private equity firm. 

Direct financial losses, such as clean-up costs and legal fees, can impact the company's valuation. Additionally, reputational damage can affect investor confidence and risk devaluations. 

What should private equity firms consider in their exit strategy regarding cyber security? 

When planning an exit strategy, private equity firms must evaluate the company's cyber security posture. A robust cyber security track record can enhance market value and investor confidence, especially compared to competitors who may have suffered breaches. 

How should private equity firms assess and manage cyber risks in their portfolio?

Firms should start by identifying at-risk companies and prioritising attention based on potential valuation impacts. This involves a rigorous assessment of each company's IT and security architecture, organisational processes, and governance structures. 

Managing identified risks involves a mix of transference, acceptance, and mitigation strategies tailored to each company's risks.

Is cyber accreditation important for private equity firms? 

Gaining a cyber accreditation, such as ISO:27001, can add considerable value for businesses operating in industries with high demands for cyber security. Pursuing accreditation alongside other cyber security measures can be time and cost-efficient. 

Summary

Private equity cyber security goes beyond standard due diligence, requiring a deeper understanding of how interconnected cyber risks can affect a portfolio’s overall health and value.

Private equity firms must remain vigilant and adaptable, ensuring that their cyber security strategies are comprehensive, dynamic, and tailored to the unique needs of their portfolio companies. 

Here are the key takeaways:

  • Identify key cyber threats: Understand the specific threats facing your portfolio companies.

  • Create and refine a shortlist: Focus on companies most at risk and refine the list based on potential valuation impacts.

  • Assess cyber business risks: Identify and evaluate critical cyber risks at the company level, considering the entire control landscape.

  • Formulate action plans: Decide on appropriate risk management actions and create detailed plans that align with your overarching strategy.

  • Implement changes: Enact necessary governance and organisational changes to support risk management.

  • Evaluate cyber security accreditation: Determine if achieving a cyber security accreditation would bring additional value to the company.

Published on

Bob Nicolson | Head of Consultancy

bob.nicolson@nicolsonbray.com