In the first two parts of this series we looked at determining companies at risk within a portfolio and then assessing the cyber risk within a particular company. Today we will look at how to manage those risks and give you our key “takeaways” on keeping your portfolio out of the headlines.
Managing cyber risks within a portfolio company
Once cyber business risks have been identified and qualified, decisions will need to be made on how to manage these risks. It may not be necessary to mitigate all risks, and indeed the costs of doing so could well outweigh the risk reduction benefits. Risk acceptance or transference via insurance should also be considered and a cyber security improvement programme initiated if required.
Risk Management Actions
- Transference: insure against cyber-related financial losses. Not suitable for reputational risks.
- Acceptance: accept lower-rated risks, and put in place partial mitigations.
- Mitigation: implement control improvements to reduce both the likelihood and impact of risks.
It may prove useful at this point to determine tactical and strategic mitigation initiatives. Tactical actions may be required if critical risks are identified during the assessment which require mitigation almost immediately. An example of a tactical recommendation could be a manual check of staff access to a system to be carried out on a monthly basis, prior to the strategic automated check being rolled out. Tactical solutions could also be the preferred approach if a company is close to being sold. A cyber breach close to exit could have a significant impact on company valuation, and tactical solutions may be the best approach to preventing this.
Care should be taken at this point to ensure that mitigation initiatives align with the broader resourcing and technology strategy of the company. For instance, if organisational change is required, including a headcount increase, outsourcing options should be investigated if the company is pursuing an outsourcing strategy.
Similarly, if there is a need for technical investment, this should be made in line with any procurement efficiencies that are being followed, e.g. a single-vendor or multi-vendor strategy.
Whilst these decisions are being made and mitigation initiatives implemented, governance changes should also be introduced. Most importantly, a process and framework for ongoing cyber risk management should be put in place, enabling the identified cyber business risks to be tracked and managed, and emerging cyber risks to be identified as either the threat landscape or the business changes.
Ultimately the output from this should provide the fund manager and management team with full visibility of cyber business risk within the company, and thus the capability to manage that risk.
One final note. At this key stage, and prior to significant cyber security investment, it would be sensible to determine whether a cyber risk accreditation, such as ISO 27001, should be pursued. This could create significant extra value in certain industries whilst being cost-effective to implement if rolled into a cyber security improvement programme. If this is to be pursued, the earlier the decision is taken the better.
Key takeaways
- Determine the key cyber threats to your portfolio companies
- Create a shortlist of companies most under threat
- Refine your shortlist further based on potential impacts to company valuation
- At company level, determine key cyber business risks
- Evaluate these risks by assessing the control landscape: people, process and technology
- Decide which risks require action, and create action plans which match your full potential plan
- Implement governance and organisational changes as appropriate
- Determine if a cyber security accreditation would add value to the company
For more information and a full copy of the whitepaper on Cyber Security Risk Management for Private Equity Fund Managers, “How to Keep your Portfolio Company out of the Headlines”, click here or get in touch.