What rising cyber-attacks mean for private equity

Nearly one in 10 LPs has been hit with cyber-attacks in the last five years, and the next five promise to hold more in store for them.

In February last year, venture capital giant Sequoia Capital was forced to apologize to investors when their personal and financial information was accessed by a third party after an employee email was phished. The 2020 cyberattack on Thoma Bravo and Silver Lake-backed software company SolarWinds triggered a much larger supply chain incident affecting thousands of organizations including the US government.

Investors are bearing the brunt of cyberattacks too. Cybersecurity breaches on LPs have risen significantly, a December 2021 report from Coller Capital found. Nearly one in 10 LPs have suffered an attack in the past five years – almost double the proportion since 2017. Fear of a cyberattack is also becoming more real, with around two-thirds of LPs expecting one on their own organization in the next five years. Almost three-quarters also said they are likely to require cybersecurity risk assessments of their GPs’ management companies within the next few years.

In a timely move, KKR has added a global head of cyber for its portfolio companies as part of its long-term strategy to fortify its resilience to cyber-threats. The PE heavyweight is boosting cybersecurity efforts in the firm and its portfolio companies to “stay ahead of the game,” co-head of European private equity Mattia Caprioli says, noting cybersecurity is one of the biggest risks the industry faces.

“Everyone is thinking about security now,” says the head of Europe PE at a global investment firm. “That’s one of the big impacts from the [Ukraine] war – a focus on sovereign security, energy security and cyber.”

Cybersecurity is also drawing increasing attention from the US Securities and Exchange Commission. It proposed rules for investment firms and advisers in February that outline cybersecurity policies and procedures including on risk assessment, information protection, and response and recovery.

A $10.5trn concern

For LPs and GPs, the consequences of a cyberattack could range from stolen data and ransom demands to a loss of innovation and investment. Attacks on critical infrastructure firm Colonial Pipeline and meat producer and supplier JBS are scary examples of the millions of dollars at stake in ransomware attacks.

PE firms have not historically regarded cybersecurity evaluation as a high priority in deals, focusing instead on deal performance, an EY report says. That has risen up the agenda as the quick transition to remote work amid covid escalated information vulnerabilities and left firms more exposed. In fact, cyber-crime is expected to cost businesses $10.5 trillion globally annually by 2025, Cybersecurity Ventures notes.

Firms have been betting big on cybersecurity deals – some $22.2 billion of cybersecurity buyouts were recorded in the first two quarters of last year alone, a 60 percent increase on the full-year figure in 2020, PitchBook data shows. Thoma Bravo, Bain Capital, KKR and Crosspoint Capital are among the sector’s busiest buyers.

As state-backed hacking gets more opportunistic and organized, firms must take action and have a playbook they can run – for when the inevitable happens.