Businesses are facing continual pressure to improve third-party assurance and risk management from regulators, auditors, risk and compliance, and even customers and investors. Private equity firms are now starting to face the same pressure in how they manage the risks across the portfolio of companies they have invested in.
For those firms with large portfolios, the challenges now go far beyond unpredictable business cycles and volatile markets. Strategic, operational and external risks within each investment can not only damage that investment, but also lead to reputational damage that weakens the wider investment portfolio in the long term, depending on its source. Given that private equity houses invest to help accelerate growth or to improve underperforming businesses, these damages can have a significant impact on their return on investment.
PE firms need to be able to see, consolidate and ultimately manage the third-party risks across their portfolios. This is often an under-resourced area in terms of technology and expertise, and assumed to be happening within the invested business.
Working with several private equity houses in recent years, we have seen some really embrace the emerging threat and it is often standard practice for some to carry out cybersecurity due diligence, along with their other work pre-deal. These houses will also strive to ‘fix the plumbing’ as they look to ensure that the growth of the invested company is not jeopardized by a cyber-attack. Not only can this affect the reputation of the portfolio company, but it can also have an operational impact through downtime or C-level fraud where payments are made to cyber criminals in error. In the UK, the portfolio company can also face a hefty fine from the Information Commissioner’s Office if they are found to have not taken cybersecurity seriously and were subsequently attacked.
Many PE houses now include cybersecurity as an individual measure when assessing the key performance indicators across their portfolios. They carry out comprehensive reviews across all of their investments and then help set remediation programs for their portfolio companies, increasing their level of cyber-maturity.
Although not a PE company, Marriott’s acquisition of Starwood Hotels Group shows some of the potential risks of not conducting sufficient due diligence. The ICO said its investigation revealed that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” It is very possible that some PE companies will get fingers burned if they do not take cybersecurity and third-party risk seriously and add them to their investment criteria assessments.
How to manage cybersecurity risks across your portfolio
In order to get visibility of the cybersecurity risks in your PE portfolio, we recommend taking the following simple approach:
1. Cyber due diligence
PE firms spend thousands of pounds on financial, commercial, IT, operational and other due diligence, and many are now starting to carry out pre-deal cyber due diligence assessments. These are essentially maturity assessments of a potential investment’s current level of cybersecurity and the likely workload (and cost) to improve it to an acceptable level. This gives the investment house an immediate view of the cybersecurity risks it is taking on.
2. Triage your portfolio for cybersecurity risks
If starting from scratch, you should carry out a high-level review to capture the risks from two perspectives. Inherent risks are within the investment itself or an associated third party, and exposure risks are the risks posed to the PE house by those inherent risks.
For example, an organization that represents a small-scale investment for a given PE house has a risk of vulnerabilities being exploited as a result of ineffective patching. While assessed as a critical inherent risk for that organization, it nonetheless presents a low exposure risk to the PE house because of the level of investment. On the other hand, a company which represents a large investment for the PE house, but has a relatively mature cybersecurity posture, would be a greater risk because of the larger amount invested.
The triage should be split into ‘high,’ ‘medium’ and ‘low’ risks, and in our experience that typically splits out as roughly 20 percent high risk, 30 percent medium risk and 50 percent low risk.
3. Risk assurance and remediation
Once the triage is complete, carry out a maturity assessment to gauge the level of exposure in each company – these are similar to the pre-deal cyber due diligence reports. Start with the high-risk investments and then move down to lower risk levels. The level of assurance should be more comprehensive for the high-risk investments and companies should be assured against a recognized cybersecurity standard. Cyber Essentials or the Information Assurance Standard for Medium Enterprises (IASME) are good ones to start with, as ISO 27001 or similar protocols may be too burdensome for many companies who have little in the way of cybersecurity controls (although this may be appropriate for more mature investments). We would recommend some technical testing in the form of penetration testing (‘ethical hacking’) for high-risk suppliers.
Typical assurance on high-risk suppliers could look like:
- Detailed onsite visits and full document and cybersecurity controls review
- Benchmark against appropriate standards such as Cyber Essentials or IASME (or ISO 27001, for example)
- Internal and external vulnerability scans, including penetration tests of IT infrastructure and applications
The outputs would be:
- Tailored remediation report and implementation plans on how to address both technical and non-technical vulnerabilities and non-conformances
- Provision of onsite support for the implementation of recommendations
4. Getting the board onside
One of the challenges faced by PE firms is getting the board of portfolio companies on board. By setting their stall out early, in carrying out cyber due diligence work, PE houses set expectations for companies brought into their portfolios that cybersecurity is being taken seriously. With the board’s support, this can significantly lower risks.
5. Periodic reviews
The best-in-class PE houses, who have good visibility of their portfolio companies’ levels of cyber maturity, have a KPI in their investment reports that outlines each investment’s level of cyber maturity. High-level annual reviews should be undertaken, which, although not as comprehensive as the initial reviews outlined above, should show whether the portfolio company is undertaking work to improve or maintain its level of cyber maturity. A more comprehensive review should be considered at the mid-investment term and 12–18 months before disposal.
We have seen that some reputable PE houses have tracked cybersecurity risks across their portfolio for several years now, but this remains the exception rather than the norm. Some houses have a long way to go before their investment committees can be assured that they have a comprehensive view of the risks across their portfolio. The good news is that, with the right support, this can be put in place relatively quickly, ensuring greater visibility of risks and enabling proactive remediation plans to be put in place to lower them. This will ensure sound investments remain strong and do not expose investors or the reputation of the PE house to undue risks.