WATCH: Should you have cybersecurity insurance?

A compliance expert explains what immediate steps you can take in the event of a security breach.


Securing data is important for any private equity firm. Mike Pappacena, partner for cybersecurity and risk at ACA Compliance Group, talks with pfm about whether PE firms should have cybersecurity insurance.

He also talks about what protocols should be in place for a data breach response plan. Pappacena spoke on the sidelines of the PERE CFO/COO forum in New York City on May 23.

Video transcript

Is it important for PE firms to take out cybersecurity insurance?

Yes, that’s a really good question. Something that all firms should consider, and private equity firms as well. If there is an incident or a breach, there could be significant cost in terms of responding. Everything from forensics to legal fees to any kind of investigation that needs to happen, as well as potentially bringing in a public relations firm to notify potential investors. Having cybersecurity insurance helps mitigate the exposure of the firm, the financial exposure of the private equity firm. Often we recommend that firms that do take out cybersecurity insurance make sure that their incident response plan cross-references that insurance, so that when they follow steps to respond to an incident they are doing it in lockstep with the insurance company. Often also the insurance companies have certain restrictions or considerations on what firms they can use for forensics, what legal counsel they can engage, what public relations can be engaged. So all that information should be considered. And we would also recommend that any firm taking out cybersecurity insurance also investigate a rider making sure that that insurance includes protection against what we refer to as ‘business email compromise scams’, which lead to fund transfer frauds. Effectively, if someone in your private equity firm responds to a phishing email, which leads to fraudulent requests for wire transfers and money is wired out, you would want to make sure that you’re covered against that type of incident.

In the event of a security breach, what steps should a PE firm have in their data breach response plan?

So it’s really important that firms have an incident response plan, much like firms have a business continuity plan or a disaster recovery plan on how to respond to those types of incidents. You want to be able to respond to a cybersecurity incident. One key thing that you need to include in the plan is how you protect forensics: in case there is an incident, you want to make sure that data isn’t contaminated so it’s available for proper forensics research. So that’s one key thing that you want to include in the plan. Another thing you want to include in that plan is containment of the incident. You want to make sure that that incident doesn’t continue to propagate, depending on the type of incident. So have provisions on how you contain it.

You also want to make sure that you have in your plan who to contact: engagement of outside counsel, which we mentioned earlier; insurance, if you need to notify your insurance firm, if you’re going to do that; as well as provisions in there on how you would respond to notification to counterparties, which would include partners and could include portfolio companies, depending on the scope of the incident. If you don’t have something devised and laid out in writing, what typically will happen should there be an incident is that a lot of people scramble. You want to make sure that you assemble a team that knows how to respond to these incidents. And typically what we see in private equity firms is that the team would include legal and compliance. It will include technology and operations, as well as someone from investor relations should investors need to be notified.