Last week we looked at the first of three key stages in addressing cyber security risk within portfolio companies. The assessment of threat levels and valuation impacts should have produced a shortlist of high-risk companies that require further scrutiny.
Now we can begin to determine levels of risk within a company on that shortlist.
Determining a Company's Cyber Risk Levels
At this stage a rigorous, business-driven cyber security assessment should be carried out at the identified companies, in order to build a detailed understanding of cyber risk and potential impacts to valuations. This should be carried out by someone with an acute understanding of the value creation drivers shared by private equity sponsors and incentivised management teams, as well as of the investment timeline.
Initial focus will be on understanding the financial, regulatory and business strategy impacts that a cyber security incident could cause. These are collectively known as cyber business risks and they need to be clearly understood and articulated.
In determining direct financial impacts, consider the following:
- Forensic investigation costs
- Clean-up costs – server rebuilds, etc.
- Crisis management costs – e.g. engaging external incident management teams
- Immediate operational costs – i.e. loss of business due to system downtime
- Notification and communication costs – informing customers and regulators
- Post incident response costs – e.g. additional customer care / fraud protection
- Litigation & legal costs
The business strategy impact depends on the particular strategy being pursued. If the strategy is to create value through increasing market share, then clearly the reputational impacts of a cyber breach need to be fully understood, as they could substantially restrict the ability to deliver that strategy. If the strategy is to create value by reducing costs and introducing efficiencies, the direct financial impacts of a breach on those efficiencies need to be assessed. Risks which directly conflict with the business strategy need to be prioritised and treated accordingly.
Once these key cyber business risks have been identified, controls should be defined which directly and explicitly reduce either the likelihood or the impact of these risks. The IT and IT Security architecture should then be assessed against these controls to determine if there is adequate protection against the realisation of the business risks. Relevant processes should also be assessed, as well as the organisational and governance structures, to ensure they adequately manage these risks. The output from these assessments can then be used to qualify the level of cyber business risk.
Key to this stage is that the business risk assessment should be carried out first, which then leads to the definition of the controls to be assessed. A technology- or control-driven review will provide a one-size-fits-all, compliance-based outcome which will do little to help the fund manager or company board in making key investment decisions. In short, to make fully informed decisions the assessment must be highly tailored to the company and the individual cyber business risks faced by the company….
For more information and a full copy of the Whitepaper on Cyber Security Risk Management for Private Equity Fund Managers, “How to Keep your Portfolio Company out of the Headlines”, click here or get in touch.