The cyber threat landscape is continuously evolving. Hackers are now using artificial intelligence and other automated means to surpass traditionally secure boundaries. Automated technology can deliver targeted attacks to gain access to compromise more audiences than ever before. Hackers can infiltrate systems and encrypt your data, all while remaining undetected.
Additionally, ransomware continues to spread, where data can be withheld only in exchange for digital currency or other collateral. As a Private Equity (“PE”) investor, there is an increasingly higher level of responsibility to your Limited Partners to ensure fund and portfolio company management teams have assessed the cyber threat landscape and what it means to your organization.
Understanding the cybersecurity risks to your organization and your portfolio company starts with a cyber-governance program. Organizations should perform recurring vulnerability tests, have a data management program in place, and keep abreast to the security of any business partners. Finally, have an action plan in place and ensure your employees know their responsibilities in the event of a cyber-attack. Once a breach in security has occurred, your teams must be able to immediately carry out the response plan. On the job training alone is not a viable option after the breach has already occurred. Therefore, rapid response time and proper planning are of the essence for a successful recovery.
In PE, cybersecurity is of even greater importance, as each portfolio company has different security requirements which can add complexities in responding to these requirements and leave you exposed if programs are not properly designed and executed. Reports are becoming more routine of incidents where a portfolio company is attacked with ransomware that infects both the main IT environments and the backup systems with malware which was undetectable until widespread destruction had occurred. Due to the damage sustained, the period of recovery can be very disruptive to a company’s goals. A successful cyber strategy will allow an infected company to rebuild and successfully resume operations in a timely manner.
PE funds and their portfolio companies often have various security needs and therefore they must create standards and enforce a base level of security across all portfolio companies. PE investors are typically not involved in the direct day-to-day management of the portfolio companies, which is why it is critical to establish a cyber-governance program. Having a well-defined and mature cyber-governance program will enforce a more formalized structure, making sure that each company maintains their minimum contractual, legal, fiduciary and regulatory obligations on a routine basis.
Adequate levels of cyber insurance coverage also plays an important role in a remediation plan as losses from cyber breaches may not qualify for business interruption insurance coverage. A plan of action put in place before an attack ensures you will be prepared when that moment comes. In the event of a cyber-breach, seeking guidance for your specific situation after the attack may prove to be too late.
To assist with the establishment of a base level of cyber standards, many PE funds are incorporating cyber security into the overall due diligence process. This allows for realistic assessments of the strength and effectiveness of cyber initiatives that may have been undertaken by a target management team and can lead to enhanced integration planning to ensure cyber threat weaknesses are tackled prior to or soon after the PE fund investment is made. Incorporating the proper due diligence procedures can provide the transparency needed for investors and leaders to determine if the target is aligned with overall organizational strategy and leaderships risk appetite.