GPs tackle cybersecurity with portfolio-level programs

GPs shared their experiences and practices in applying cybersecurity programs across their portfolios at a recent PEI event.

Sponsors are employing portfolio-wide programs for cybersecurity in part due to rising scrutiny from a myriad of stakeholders, panelists said this week at affiliate title Private Equity International’s Operating Partners Forum in New York. These holistic initiatives are necessary because that interest comes from parties ranging from LPs to prospective customers.

The event was on background, so speakers’ identities can’t be revealed.

A speaker with a well-known GP said that growing publicity of costly cyber-incidents in recent years spurred businesses to give more consideration to security.

“The people who were not asking those questions started asking those,” he said.

The speaker also cited changes in technology among businesses as a driver, such as the proliferation of cloud-based software and apps.

And failing to make the case that a company has a compelling program can be a competitive disadvantage – even for businesses backed by a mega-sized sponsor. Another panelist, who heads portfolio cybersecurity for one such GP, said his firm’s companies lost out on customer relationships to competitors because their programs weren’t viewed as favorably.

“Companies are being inspected more thoroughly and if you don’t have the security stuff in place to close that deal, there could be business at risk,” he said.

Stakeholder scrutiny drives the firm’s thinking on cybersecurity in a forward-looking way, he said, but internal considerations got the ball rolling.

“Our team recognizes that it’s important inside the firm, and that led to natural questions about what are we doing in the portfolio, how are our companies doing,” he said.

Programs begat connections

One benefit of portfolio-wide initiatives that speakers touted is that they foster knowledge and experience sharing across portfolio companies.

A third GP panelist said his firm’s program has acted as a way for CIOs at portfolio companies to network, enabling them to ask each other questions about practices.

“I think that was part of our secret sauce,” he said, noting that networking was considered by the firm when the program was being established.

Information sharing even benefits GPs, which the second panelist noted when discussing his firm’s program.

“It’s turned into a flywheel, actually, because as we’ve learned more from the portfolio, we’re able to protect the firm better,” he said.

Sponsors’ expectations

Panelists shared how they engage with their companies’ cybersecurity executives as part of their programs.

Suggestions included conducting assessments with portfolio CIOs and creating a post-assessment roadmap that ensures companies make necessary improvements over certain timeframes, as well as ensuring minimum best practices are in place, such as companies carrying cybersecurity insurance.

Firms should also ask portfolio companies about their specific accomplishments in improving their cybersecurity, panelists suggested.

And, they said, it’s important to keep in mind that different portfolio companies have different cybersecurity needs, meaning firms need to be ready to be flexible when implementing portfolio-wide systems. Even aspects of a system that may seem to represent a “minimum” at one portfolio company may not apply to another, the fourth speaker said.

“The minimums may not be a particular company’s minimums,” he said.