The discussion about cyberattacks used to center on whether they would happen; now we talk about when and how often. Attackers are increasingly sophisticated, well-funded and nimble, and as a result they are breaching networks and data around the world. Even if a firm feels confident in its own controls, its portfolio of companies may still be at risk.
Many recent examples exist of third-party breaches, and they can have significant financial consequences. On average, data breaches cost companies more than $7 million last year, according to the Ponemon Institute, an IT security think-tank. The breach suffered by Target was reported at the time to potentially cost the company $1 billion in total; a loss on that scale could have a significant impact on a portfolio company and on the investment in it.
Private equity organizations have a unique circumstance. They need to be concerned not only with their own information security, but also that of the companies they invest in and perhaps even of those companies’ third parties. Keeping track of how information security might affect their investment is no small feat – there is no universal way to determine if a company is susceptible to a breach.
Instead, private equity organizations must gather data to create a holistic picture of current risks as well as managements’ plans to address those risks. Performing cyber-risk monitoring on the investment portfolio is important both to helping a private equity firm make decisions about its initial investment in a company and throughout the life cycle of the relationship to protect the investment. Here are six techniques that private equity organizations should use to gauge cybersecurity risks:
Rank your risks
Not all portfolio investments are created equal, so determine inherent risk. While all companies within a portfolio are important, placing companies into tiers may be appropriate to help determine the type and depth of assessment required. Strong and consistent criteria should be applied across the portfolio to determine which companies carry the most risk of cyber loss.
In order to tier organizations, consider the nature of the company’s operations, the data it holds and internet exposure. Tier-one companies – those that carry the most risk – are ideal targets for detailed information security assessments. As part of this process, private equity firms must consider whether the portfolio company relies on any vendors as part of its critical operations, as that could significantly increase its risk profile. Lower-tier companies cannot be entirely ignored either, so a less-detailed assessment may be appropriate when resources are limited.
Campaign with companies
The private equity firm’s organizational leadership must buy into information security. A strong information security posture (the ability to reasonably protect sensitive assets) begins with the tone at the top. Private equity organizations must understand where their portfolio companies’ leadership stands on information security. Does leadership support the application of strong controls throughout the organization? Is leadership aware of the top risks and threats to the organization, where security gaps might exist, and which third parties might expose it to additional risk?
Private equity firms must stress the importance of information security to their portfolio companies, which should conduct formal risk assessments involving various areas within the business to address and quantify the inherent risk the company is exposed to. Depending on the company’s nature and any regulatory oversight bodies, the company should apply a strong control framework to mitigate risk and report frequently on the execution and results of these controls.
Perform independent assessments
While a portfolio company might have the best intentions to protect its data, independent cybersecurity assessments are crucial to evaluating its overall information security posture. A cybersecurity assessment begins with understanding the principal data elements, where they are stored, how they are transferred and ultimately how they are protected. This includes determining whether any third parties are critical to the process, can obtain sensitive data or can access the network in any way, since such third parties may require an assessment as well.
Assessing any company’s controls across specific domains (e.g., data protection, network security and logical security) will help identify the probability and impact of a security breach. Security domains should be assessed either through a questionnaire and evidence-based approach or through a detailed assessment. Aligning risk rankings to individual control deficiencies highlights the significance of each control gap. The totality of these issues represents the company’s overall exposure to a malicious third party attempting to obtain its sensitive data.
Use security ratings for continuous monitoring
While independent assessments provide insight into a company’s security posture, it is unrealistic to perform assessments on all portfolio companies on a routine basis. Third-party security ratings companies take different approaches, but they can provide a near-real-time picture and continuous monitoring. PE organizations can use these ratings to monitor their portfolios’ risk exposure and that of any critical third parties. Should a company receive a poor initial rating, ongoing monitoring will allow the PE firm to determine whether the company is taking action to improve its security. While not as in-depth as an independent assessment, security ratings offer an easy way to stay informed about a company’s security posture.
Communicate and remediate
Assessments and security ratings monitoring are great tools for understanding a company’s risk exposure, but they are rendered useless if appropriate action is not taken. Results must be summarized and communicated to portfolio company leadership, who must take ownership of the gaps and provide an action plan for addressing them. These responses illustrate the company’s security mindset. Strong and swift action to remediate issues demonstrates a commitment to security, while simply accepting the risk of the control gaps indicates the company could remain vulnerable to attacks.
Applying consistent security domains and risk rankings to a population of companies would provide significant value in the overall evaluation process.
Completing assessments and identifying risks does not end the security life cycle; information security is an ongoing battle. The most advanced technical controls still might not be enough to protect a company from an unaware employee (a hacker’s ideal target).
Another control that helps improve security is information security awareness training for all staff, especially C-level employees, who are desirable targets. In addition to offering basic awareness training that covers phishing and social engineering, companies should engage a third party to test security measures at portfolio companies and determine how vulnerable the employee population is to such attacks. Will employees provide their passwords over the phone to someone claiming to be from the help desk? Will a senior-level employee open an attachment that appears to have come from a colleague? The results of these simple tests add another data point to a company’s risk profile. Simple, focused and continuous training helps educate the employee population about common attacks and the appropriate ways to handle them. The greater employees’ awareness of these types of attacks and of the best practices they should follow, the safer the company can be.
Risk vs reward
Hackers are not going anywhere. A strong cybersecurity assessment approach to identify, communicate and remediate information security risks is more important than ever to help prevent a breach that could affect the confidentiality, integrity and availability of sensitive data. The cost of conducting a cybersecurity assessment and implementing a strong information security monitoring program is minimal compared to the cost of dealing with a breach, let alone the reputational damage that could follow. PE firms should ensure they are aware of their portfolio companies’ information security posture on an ongoing basis and are monitoring improvement efforts. Focusing on information security only after a breach is too late.
Jill Czerwinski and Brad Gilliat are with Crowe Horwath, and William Watts is a principal with the firm