In this article Lenoy Barkai, Director, Cyber Security, shares her insights into the evolving approach to cyber risk management within private equity firms. Previously an ad hoc or tick-box exercise, cyber risk management, Lenoy explains, is today growing in sophistication and prominence from investment strategy, through the holding period and at exit.
Most private equity (PE) firms today are thinking about cyber risk. This, in itself, demonstrates a meaningful evolution in the industry’s approach to risk management, where just a few years ago cyber security did not feature in many a deal team's agenda. However, how the sector monitors and mitigates cyber risk still varies significantly from firm to firm. As an example, over the last few weeks we have met with a number of private equity companies whose cyber risk management programmes range from:
“We know that we should start to consider cyber security as part of our risk management processes but are yet to do anything about it.”
“We use our intuition to assess cyber risk, and if we’re concerned about something, we sometimes ask our own CTO for advice.”
“We have introduced some minimal acceptable standards across our portfolio.”
“We have a dedicated cyber security risk assessment function using a combination of internal and external resources which continuously monitors and addresses cyber risk across our portfolio and informs our decision-making ahead of an acquisition.”
“We know cyber security presents a risk to our portfolio companies, but we don’t plan to treat it at the portfolio level – we’re sufficiently diversified to take on a critical hit!”
The investment management space will eventually converge towards recognised best practices, driven both by regulatory requirements and investor demands, especially as such stakeholders increase their own cyber risk awareness levels. But we are far from it yet, which means that certain firms are gaining a significant advantage by being ahead of the pack when it comes to the maturity of their cyber security risk management frameworks.
Our team has spent several years supporting the private equity sector, both in terms of pro-active risk management and responding to incidents when they occur. This exposure has given us some key insights into how approaches to managing cyber risk at the portfolio level vary across the industry. Here are some trends we’re seeing that demonstrate what “good” looks like:
Cyber due diligence is no longer an add-on or afterthought
Best-in-class firms are considering cyber risk at the pre-investment stage as its own risk category. Rather than adding a handful of cyber-related questions to an otherwise detailed IT due diligence or ESG questionnaire, these deal teams have a clear framework specifically for judging cyber risk. This means that the questions they ask, the way they gather information and how that data is analysed and assessed are all focused on understanding how cyber risk could impact their investment case.
Conducting cyber due diligence at this level does not, however, require the introduction of onerous new processes that are both time consuming and potentially deterring to the seller. With careful planning these can be integrated into pre-existing information flows and schedules, but then treated as standalone focus areas rather than as appendages to a broader risk category.
Considering the strategic implications of cyber risk management
Even in instances where cyber due diligence is considered as an independent risk category, the extent to which it informs deal team decision-making varies depending on the substance of the diligence work conducted and the conclusions drawn. If the output of a diligencing exercise is too technical or does not clearly tie its conclusions to the investment case at hand, it is more likely to be relegated to a tick-boxing exercise: filed and forgotten.
In contrast, we have found cyber due diligence is most effective when it centres on the strategic implications of cyber risk management. While this approach of course includes an examination of the technical and procedural security controls in place, these are considered among other inputs to develop a strategic risk picture. Here, the key conclusions focus on how the management of cyber risk by the target is likely to impact the business itself – and therefore the investment – in the long term.
Fund-level cyber risk management
While cyber due diligence is growing in prominence, there is still significant disparity in how different PE firms manage cyber risk during the investment holding period. Many continue to treat cyber risk at the portfolio company level in an ad hoc, reactive manner, as issues (or worse, incidents) arise.
Investors with mature monitoring and risk management frameworks that consider cyber risk at the portfolio level remain in the minority. Here, technical scanning, threat monitoring and risk assessment combine to create a holistic picture of where the primary cyber risks within the portfolio sit. In terms of risk assessment, this includes a review both of the governance around cyber risk management and of each asset’s resilience and readiness in the face of an incident.
By creating visibility around where the greatest cyber risks lie within the portfolio, investors who take on a more activist or partnership-driven role can then begin treating those risks by allocating resources, in a prioritised fashion, to the assets facing the highest threats or demonstrating the lowest levels of cyber resilience. In doing so, they significantly improve not only the risk profile of individual investments, but that of their overall portfolio too.
Thinking about exit
A few repeat themes have emerged in conversations ahead of a planned exit with those PE firms who have a firm grip on cyber risk management.
Firstly, as the rigour of cyber due diligence intensifies, sellers are starting to prepare their approaches to answering nuanced questions about the cyber resilience of their assets ahead of time. Although the focus in most cases remains on the treatment of cyber risk, those who have invested in strengthening their portfolio companies’ security posture are also taking the opportunity to demonstrate cost savings and value creation. A common metric that comes up here is the insurability of the asset, and the translation of any cyber resilience work conducted into reduced insurance premiums, for example.
Secondly, where an asset has experienced an incident during the investment holding period, special attention is given to ensuring this event has as limited an impact on valuation as possible. If not already public knowledge, past incidents will typically come to light as part of the due diligence process, and it is therefore important to be armed with a compelling narrative in response. Where the root causes of the incident have been investigated and treated, even a major incident can ultimately become a good news story. For one thing, the business is now more resilient than it has ever been. For another, organisations that demonstrate high levels of competence and integrity in the face of a crisis can in fact improve their reputation through the course of an incident, building goodwill with staff, customers and the general public along the way. But conveying this narrative effectively requires planning and – of course – actual investment in the company’s incident response capabilities, post-incident recovery and long-term resilience.
Finally, investors are increasingly monitoring the threat of a targeted attack during the pre-sale negotiation period. Already in November 2021 the FBI issued a warning stating that cybercriminals were keeping an eye out for “significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections”. While not the purview of your typical cybercriminal group, there have been instances of threat actors specifically attacking an acquisition target knowing that their negotiating position, in the case of ransomware for example, will be stronger against a company looking to close a lucrative deal. Investors typically manage this risk by ramping up their threat intelligence, detection and response capabilities during the pre-exit and negotiation period.
Mainstreaming cyber risk management across the sector
Cyber security is indeed a vast risk management challenge: ultimately, it is a risk that affects all organisations and one which cannot be fully eliminated. However, successful investment managers are, by nature, adept risk takers and, as a corollary, adept risk managers. They have ‘cut their teeth’ navigating complex and nuanced risks – be they economic, financial or geopolitical and, more recently, social and environmental. Adding cyber security to this repertoire is a natural progression, and the same skills, methodologies and principles which have guided investors through previously uncharted terrain will serve them just as well in this field too. Those who accept the challenge first will position themselves as market leaders in our digital age.