5 minute read 16 Oct 2020

Three reasons private equity firms should pay attention to cybersecurity

By Paul Harragan

EY-Parthenon Associate Partner, Strategy & Transactions, Ernst & Young LLP

Applying actionable intelligence to protect the defenseless perimeter. Husband, father. Security bloke. Blue team.

Private equity has traditionally taken a less rigorous approach to cybersecurity than other industries—but this is starting to change.

In brief
  • PE firms, historically lax on cybersecurity diligence, are beginning to change their behaviors. 
  • This is due to an increased awareness of threats to their portfolio companies and their own operations.
  • There is an increased awareness of the application of cybersecurity to the investment thesis.

Historically, private equity (PE) firms have not regarded cybersecurity as a high priority in deals. PE funds and their general partners (GPs) have been more focused on deal performance, and the reputational risk of successful cyber attacks has generally been perceived as low.

However, the increasing importance of digital is leading PE firms to reconsider the priority of cybersecurity in deals and portfolio management due to the following factors:

  • A clear return on investment (ROI) for cybersecurity can be demonstrated throughout the deal cycle, and firms are beginning to see real value in effective diligence.
  • Prominent data breaches have shown the scale of the potential impact on the value of a compromised portfolio company.
  • Regulation, including legislation such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), is increasingly making cybersecurity a mandate.
  • The COVID-19 pandemic has caused businesses to react quickly to adapt operating models (i.e., remote ways of working), thus potentially widening the threat landscape and leaving investments exposed.

As PE executives realize these factors, they are taking more robust steps to understand information security and cyber defense risk across the portfolio. It has become clear that the traditional standard assessment approach is no longer suitable, and a new risk playbook tailored for PE is required.

PE executives are beginning to understand that if something were to happen, they would be at risk of financial, investment and brand damage.

Here are three areas where PE firms need to direct their attention:

1. Avoiding value erosion in portfolio companies

While it can be hard to consistently measure comparative cyber risks across portfolio companies, a focus on the deal thesis and ROI provides funds with a more uniform approach to handling cyber risk.

GPs can improve the ROI behind this thesis by investing in the cybersecurity of portfolio companies, which reduces the risk of a major cyber incident. A hard cost can be estimated for this risk, so ROI can be demonstrated relatively clearly.

Concrete benefits of cybersecurity investment that can impact ROI also include:

  • Addressing historical value erosion, such as unresolved cyberattacks in a target company’s past.
  • Avoiding future value erosion in the form of penalties that could occur if action is not taken to prevent future security incidents, such as data breaches.
  • Preventing deals from collapsing during due diligence. Effective cybersecurity diligence provides actionable intelligence and identifies weaknesses in the perimeter position. This creates an understanding of the portfolio asset’s risk profile so unplanned investments and expensive remediation programs throughout the hold period can be avoided.

Moreover, injecting capital into a business de facto requires consideration of cyber risk. The purpose of a PE investment is to change or evolve the way the business operates, which necessarily changes the threat landscape. In turn, an expanded threat landscape means that cybersecurity needs to be readdressed and threat modeled to understand the future risk position.

PE firms must be mindful that cyber threats to their portfolio companies are multifaceted and that many attacks are sector-specific. The nature and scope of threats facing a manufacturer may be very different from those facing an online retailer.

2. Avoiding direct attacks on the PE firm

PE firms are a prime target for increasingly sophisticated and bold cyber attacks because they have large quantities of capital at their disposal and regular involvement with third parties. Malicious adversaries have ample opportunities for attacks, such as targeted phishing, spoofing and digital impersonation, where large amounts of money could be siphoned during the course of a complex deal.

Alas, security fundamentals adapted to the business complexity and deal intensity are often seen as a blocker rather than an enabler in a deal context.

The volume and frequency of transactions themselves also provide an opportunity for attackers to steal money in a way that might go overlooked (i.e., fraud within the funds-flow process) or undetected for some time. In fact, PE firms might be doubly vulnerable, because when they do focus on managing cybersecurity and other operational issues, this focus tends to be within their portfolio companies, rather than within their own four walls.

3. Managing complications arising from COVID-19

Day-to-day operations for PE firms and their portfolio companies across every sector have been roiled by remote working practices – many of which may be here to stay. As in other sectors, remote work transforms cyber risk profiles.

IT assets such as laptops and smartphones are being used more frequently outside the office, where they can be lost or more easily accessed by malicious adversaries. A key risk arises from employees managing confidential intellectual property in environments such as their home or local café, where internet security is less stringent.

Security awareness is now becoming an important factor in security strategies, as corporate employees are proving to be an easier target to breach than infrastructure. As such, risks to consider include:

  • Phishing scams. In the age of COVID-19, these can often be in the form of fake public health emails containing malicious links.
  • Attacks on high-level executives, who may have access to valuable assets and data, often with administrative IT clearance.
  • Exploitation of home working environments, including unsecured networks, devices and applications in the hands of untrained individuals or employees’ children.

GPs should think seriously about how changes to operations and working locations prompted by the pandemic have affected the cybersecurity of each of their portfolio companies.

Assessing PE’s cybersecurity risk

To assess the risk, consider using a cybersecurity assessment framework that brings together a traditional risk-based cybersecurity assessment, a deal-focused cyber transaction assessment, and a cybersecurity due diligence review. This type of framework can help you understand and address these concerns throughout the M&A deal life cycle. Consider three lenses: investment thesis, business operations, and cyber risk and vulnerabilities – the outputs of which would be assessed against each security domain to identify the intrinsic risk for each portfolio company. 

Summary

While the nature and scale of cyber risk varies by sector, these ever-present and evolving risks pose a threat to all businesses to some degree. PE firms are no exception, as they themselves are beginning to realize. They must be mindful of the cybersecurity of both their portfolio companies and their internal operations. Understanding both the nature of cyber threats and the opportunity to get in front of them is critical to both preserving and creating value.
